
IE & Firefox redirect from google results, audio service stops, taskbar issues


This topic is locked
18 replies to this topic

#1 cbiz

Posted 24 May 2009 - 01:37 PM

Hi All,

Google search results come back fine, but frequently when I click on a link to go to a result, I'll be taken somewhere else. This happens in both Firefox and IE.

Also, right around login, the Windows Audio service stops. I can restart it and it works fine. Similarly, my taskbar sometimes reverts from the XP to the NT look. I can reset it, and it will then stay until I log out/log in.

Something seems to be preventing me from updating several spyware products, like AVG. The updates will just hang and never complete (though other network traffic is fine).

Here is the DDS Log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Chris at 14:34:23.76 on Sun 05/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.481 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\cygwin\bin\bash.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: IeCaptureBho Object: {7c1ce531-09e9-4fc5-9803-1c2956615786} - c:\program files\google\google desktop search\GoogleDesktopIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\sony handheld\HOTSYNC.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxp://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} - hxxp://imagelab.bestbuy.com/en/ulcontrolxp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: RadExeExt Class: {35b2861b-2b26-4691-9ff0-09083722c736} - c:\windows\system32\RadExe.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\unb1k4is.default user\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSqueak.dll

============= SERVICES / DRIVERS ===============

R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-2-28 317440]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [2004-10-16 26240]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [2004-10-17 171520]

=============== Created Last 30 ================

2009-05-23 22:15 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-23 22:15 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-23 22:15 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-05-23 22:15 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-05-23 22:15 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-05-23 22:15 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-05-23 22:15 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-05-23 22:15 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-05-23 22:15 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-05-23 22:15 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-05-23 22:15 8,832 ac------ c:\windows\system32\dllcache\wmiacpi.sys
2009-05-23 22:15 34,890 ac------ c:\windows\system32\dllcache\wlandrv2.sys
2009-05-23 22:13 31,744 ac------ c:\windows\system32\dllcache\tp4.dll
2009-05-23 22:12 161,568 ac------ c:\windows\system32\dllcache\sgsmusb.sys
2009-05-23 22:11 121,344 ac------ c:\windows\system32\dllcache\phvfwext.dll
2009-05-23 22:10 12,416 ac------ c:\windows\system32\dllcache\msriffwv.sys
2009-05-23 22:09 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-05-23 22:08 488,383 ac------ c:\windows\system32\dllcache\hsf_v124.sys
2009-05-23 22:07 144,896 ac------ c:\windows\system32\dllcache\epcfw2k.sys
2009-05-23 22:06 21,533 ac------ c:\windows\system32\dllcache\cpqndis5.sys
2009-05-23 22:05 60,416 ac------ c:\windows\system32\dllcache\brserwdm.sys
2009-05-23 14:47 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-22 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-21 22:40 24,576 ac------ c:\windows\system32\dllcache\agcgauge.ax
2009-05-20 21:50 <DIR> a-dshr-- C:\cmdcons
2009-05-20 21:48 161,792 a------- c:\windows\SWREG.exe
2009-05-20 21:48 139,776 a------- c:\windows\PEV.exe
2009-05-20 21:48 98,816 a------- c:\windows\sed.exe
2009-05-19 23:15 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-17 23:09 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2008-09-08 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080909\index.dat

============= FINISH: 14:34:59.78 ===============


Any help greatly appreciated.

Chris
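Added example, not part of this thread and not code from DDS, ComboFix or HijackThis: a small Python triage script that runs over lines in the formats these logs use. It flags load points whose file is missing (the bare trailing "-" on the Yahoo toolbar entry, the "No File" on the EB entry), DLLs registered under winlogon Notify and ShellExecuteHooks (which get loaded into winlogon.exe and explorer.exe, as the "DLLs Loaded Under Running Processes" section of the later ComboFix log shows), Trusted Zone entries, leftover JRE installer entries, and the Security Center / firewall values that ComboFix prints when protection has been switched off. It also decodes the "name"=hex:.. values ComboFix prints under locked registry keys, and compares the MD5 of a live system32 file against the ServicePackFiles copy from ComboFix's Sigcheck section. The sample lines are copied from the DDS log above and the ComboFix log posted later in the thread, except the two example.dll Sigcheck lines, which are constructed with fake hashes to show a mismatch; the wording of each finding's reason is this example's own judgement, not a detection by any of the tools.

```python
"""Triage helper for DDS / HijackThis / ComboFix log lines. Added example for
this thread; it is not part of DDS, ComboFix or HijackThis. Line formats are
those of the logs posted here; the "reason" wording is this example's own."""
import re

# Constructed sample: all lines but the last two are copied from the DDS and
# ComboFix logs in this thread; the two example.dll lines are made up (fake hashes).
SAMPLE_LOG = """\
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Notify: Sebring - c:\\windows\\system32\\LgNotify.dll
SEH: RadExeExt Class: {35b2861b-2b26-4691-9ff0-09083722c736} - c:\\windows\\system32\\RadExe.dll
Trusted Zone: turbotax.com
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"jaehengdeghmfdlfcilh"=hex:6a,61,66,6d,64,6b,6a,6c,65,6b,66,6c,6d,6d,6a,6b,64,
6a,70,65,00,88
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\\windows\\ServicePackFiles\\i386\\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\\windows\\system32\\ws2_32.dll
[-] 2008-04-14 00:12 40960 11111111111111111111111111111111 c:\\windows\\ServicePackFiles\\i386\\example.dll
[-] 2009-05-20 03:15 40960 22222222222222222222222222222222 c:\\windows\\system32\\example.dll
"""

LOAD_POINT = re.compile(r"^(BHO|TB|EB|uRun|mRun|Notify|SEH|SSODL|DPF|Handler):\s*(.*)$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
SIGCHECK = re.compile(r"^\[.\]\s+\S+ \S+\s+\d+\s+([0-9A-Fa-f]{32})\s+(.+)$")
# Values, as ComboFix prints them, that mean built-in protection was switched off.
PROTECTION_OFF = {"AntiVirusDisableNotify": "dword:00000001",
                  "UpdatesDisableNotify": "dword:00000001", "EnableFirewall": "0"}

def triage_line(line):
    """Return a finding dict for one log line, or None if nothing stands out."""
    m = LOAD_POINT.match(line)
    if m:
        kind, rest = m.group(1), m.group(2).strip()
        # DDS prints "<name>: <clsid> - <path>"; a missing file shows up as a
        # bare trailing "-" or as "No File". Either way the load point is orphaned.
        target = rest.rsplit(" - ", 1)[-1].strip()
        if rest.endswith("-") or target.lower() == "no file":
            return {"kind": kind, "reason": "orphaned load point (no file)", "line": line}
        if kind in ("Notify", "SEH", "SSODL"):
            return {"kind": kind, "reason": "DLL loaded into winlogon/explorer; verify publisher", "line": line}
        if kind == "DPF":
            v = re.search(r"jinstall-(\d+_\d+_\d+_\d+)", target)
            if v:
                return {"kind": kind, "reason": f"JRE {v.group(1)} installer entry; confirm old JREs are uninstalled", "line": line}
        return None
    if line.startswith("Trusted Zone:"):
        return {"kind": "Trusted Zone", "reason": "site gets relaxed IE security settings", "line": line}
    m = REG_VALUE.match(line)
    if m:
        name = m.group(1)
        value = m.group(2).split()[0] if m.group(2).split() else ""
        if PROTECTION_OFF.get(name) == value:
            return {"kind": "RegValue", "reason": f"{name}: protection or its notification disabled", "line": line}
    return None

def triage(text):
    return [f for f in (triage_line(l.rstrip()) for l in text.splitlines()) if f]

def decode_reg_hex(text):
    """Join REGEDIT-style continuation lines and decode "name"=hex:.. values to bytes."""
    out, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            buf += line            # continuation of the previous hex value
        elif "=hex:" in line:
            buf = line
        else:
            continue
        if buf.endswith(",") or buf.endswith("\\"):
            buf = buf.rstrip("\\")  # more bytes follow on the next line
            continue
        name, hexpart = buf.split("=hex:", 1)
        out[name.strip('"')] = bytes(int(b, 16) for b in hexpart.split(",") if b)
        buf = ""
    return out

def sigcheck_mismatches(text):
    """Basenames whose live system32 copy's MD5 differs from the ServicePackFiles copy."""
    hashes = {}  # (basename, location) -> md5
    for line in text.splitlines():
        m = SIGCHECK.match(line.strip())
        if not m:
            continue
        md5, path = m.group(1).lower(), m.group(2).lower()
        base = path.rsplit("\\", 1)[-1]
        loc = "sp" if "\\servicepackfiles\\" in path else "live" if "\\system32\\" in path else "other"
        hashes[(base, loc)] = md5
    return sorted(base for (base, loc), md5 in hashes.items()
                  if loc == "live" and hashes.get((base, "sp")) not in (None, md5))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}: {f['line']}")
    print("hex values:", decode_reg_hex(SAMPLE_LOG))
    print("hash mismatches:", sigcheck_mismatches(SAMPLE_LOG))
```

On the sample it reports nine findings (two orphaned load points, the Notify and SEH DLLs, the Trusted Zone entry, two JRE installer entries, and the two disabled-protection values), decodes the locked-key value to the bytes "jafmdkjlekflmmjkdjpe" followed by 0x00 0x88, and names example.dll as the one file whose live copy does not match its service pack copy; the ws2_32.dll hashes in the real log agree, so it is not flagged.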



#2 teacup61 (Malware Response Team)

Posted 24 May 2009 - 03:32 PM

Hello Chris,

I see you have MBAM. Could you please post the MBAM report in your reply? :thumbup2:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to Chris.exe and try it again. :)

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea

#3 cbiz (Topic Starter)

Posted 24 May 2009 - 06:36 PM

Hi Teacup,

Here's my most recent mbam log:

Malwarebytes' Anti-Malware 1.36
Database version: 2146
Windows 5.1.2600 Service Pack 3

5/23/2009 8:18:09 AM
mbam-log-2009-05-23 (08-18-09).txt

Scan type: Quick Scan
Objects scanned: 103634
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---

Disconnected from the internet, all protection off (as far as I can see). Ran ComboFix. Here's the log:

ComboFix 09-05-23.04 - Chris 05/24/2009 19:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.579 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\temp\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 18:21 . 2009-05-24 18:21 -------- d-----w c:\documents and settings\Chris\Local Settings\Application Data\Help
2009-05-24 18:19 . 2009-05-24 18:19 907 ----a-w c:\documents and settings\All Users\Application Data\SecTaskMan\icn_b25099274a207264182f8181add555d0.dll
2009-05-24 18:19 . 2009-05-24 18:19 44 ----a-w c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D2B8EFA4DB970C849BFD979AD29B812E.dll
2009-05-24 18:19 . 2009-05-24 18:19 1251 ----a-w c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D20352A90C039D93DBF6126ECE614057.dll
2009-05-24 18:19 . 2009-05-24 18:19 121 ----a-w c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9D9A6619D2AF39243AA160DAB07EDD05.dll
2009-05-24 18:19 . 2009-05-24 18:19 712 ----a-w c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6DA33BBB7FCB20046B0AD66C97EAC581.dll
2009-05-24 18:19 . 2009-05-24 18:19 27 ----a-w c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4EA42A62D9304AC4784BF238120611FF.dll
2009-05-24 15:24 . 2009-05-24 15:24 -------- d-----w c:\windows\LastGood
2009-05-24 02:15 . 2008-04-14 00:12 116224 -c--a-w c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-24 02:15 . 2001-08-18 02:36 23040 -c--a-w c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-24 02:15 . 2008-04-14 00:12 18944 -c--a-w c:\windows\system32\dllcache\xrxscnui.dll
2009-05-24 02:15 . 2001-08-18 02:37 4608 -c--a-w c:\windows\system32\dllcache\xrxflnch.exe
2009-05-24 02:15 . 2001-08-18 02:37 27648 -c--a-w c:\windows\system32\dllcache\xrxftplt.exe
2009-05-24 02:15 . 2001-08-18 02:37 99865 -c--a-w c:\windows\system32\dllcache\xlog.exe
2009-05-24 02:15 . 2001-08-17 16:11 16970 -c--a-w c:\windows\system32\dllcache\xem336n5.sys
2009-05-24 02:15 . 2004-08-04 05:29 19455 -c--a-w c:\windows\system32\dllcache\wvchntxx.sys
2009-05-24 02:15 . 2004-08-04 05:29 12063 -c--a-w c:\windows\system32\dllcache\wsiintxx.sys
2009-05-24 02:15 . 2008-04-13 18:36 8832 -c--a-w c:\windows\system32\dllcache\wmiacpi.sys
2009-05-24 02:15 . 2001-08-17 16:12 34890 -c--a-w c:\windows\system32\dllcache\wlandrv2.sys
2009-05-24 02:13 . 2001-08-18 02:36 31744 -c--a-w c:\windows\system32\dllcache\tp4.dll
2009-05-24 02:12 . 2001-07-21 18:29 161568 -c--a-w c:\windows\system32\dllcache\sgsmusb.sys
2009-05-24 02:11 . 2001-08-18 02:36 121344 -c--a-w c:\windows\system32\dllcache\phvfwext.dll
2009-05-24 02:10 . 2001-08-17 17:48 12416 -c--a-w c:\windows\system32\dllcache\msriffwv.sys
2009-05-24 02:09 . 2008-04-13 18:39 14592 -c--a-w c:\windows\system32\dllcache\kbdhid.sys
2009-05-24 02:08 . 2001-08-17 17:28 50751 -c--a-w c:\windows\system32\dllcache\hsf_tone.sys
2009-05-24 02:07 . 2001-08-17 17:50 144896 -c--a-w c:\windows\system32\dllcache\epcfw2k.sys
2009-05-24 02:06 . 2001-08-17 17:52 14976 -c--a-w c:\windows\system32\dllcache\cpqarray.sys
2009-05-24 02:05 . 2001-08-18 02:36 9728 -c--a-w c:\windows\system32\dllcache\brserif.dll
2009-05-23 18:47 . 2009-05-24 00:36 -------- d--h--w C:\$AVG8.VAULT$
2009-05-22 22:22 . 2009-05-24 01:55 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-22 03:16 . 2009-05-22 03:16 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-20 03:15 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-18 03:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-18 02:41 . 2009-05-18 02:41 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-27 11:57 . 2009-04-27 11:57 -------- d-----w c:\documents and settings\All Users\Application Data\Ubisoft
2009-04-27 11:54 . 2009-04-27 11:54 -------- d-----w c:\program files\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 18:31 . 2008-11-28 21:24 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-05-24 18:21 . 2008-11-28 21:24 -------- d-----w c:\program files\Security Task Manager
2009-05-24 04:51 . 2008-01-08 11:07 -------- d-----w c:\documents and settings\Chris\Application Data\OpenOffice.org2
2009-05-18 07:05 . 2005-08-16 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-18 02:42 . 2008-07-22 02:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-17 11:59 . 2005-03-09 02:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-15 16:06 . 2009-04-15 16:06 -------- d-----w c:\program files\Coupons
2009-04-06 19:32 . 2008-11-28 21:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-11-28 21:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 02:11 . 2009-04-13 22:16 65536 ----a-w c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\u7qgpesh.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll
2009-03-15 14:40 . 2009-03-15 14:39 4373808 ----a-w c:\documents and settings\All Users\Application Data\TaxCut\2008\Downloads\TaxCutNC.exe
2009-03-14 13:31 . 2009-03-14 13:28 27655688 ----a-w c:\documents and settings\All Users\Application Data\TaxCut\2008\Update\US62016801cupd.exe
2009-03-06 14:22 . 2002-08-29 20:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 03:32 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 18:33 . 2009-02-28 18:30 23269896 ----a-w c:\documents and settings\All Users\Application Data\TaxCut\2008\Update\US53016201cupd.exe
2005-09-15 23:26 . 2005-11-27 02:54 44153 ----a-w c:\program files\mozilla firefox\components\inspector.dll
.

------- Sigcheck -------

[7] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-05-24_04.25.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-24 04:51 . 2009-05-24 04:51 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2006-04-10 17:00 . 2008-03-20 22:06 1480232 c:\windows\system32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 86016]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-23 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-23 610304]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-21 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-06 88267]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2005-03-23 339968]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2005-2-1 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= "c:\windows\system32\RadExe.dll" [2005-04-28 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-03-24 19:26 110592 ----a-w c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMAgent.exe"=

R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/28/2009 2:17 PM 317440]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [10/16/2004 11:03 PM 26240]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [10/17/2004 7:55 PM 171520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} - hxxp://imagelab.bestbuy.com/en/ulcontrolxp.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\unb1k4is.Default User\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSqueak.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 19:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?6?2?7??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1993962763-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{44EA44BF-20C5-CBDF-55A0-7BC3D5037DBA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaehengdeghmfdlfcilh"=hex:6a,61,66,6d,64,6b,6a,6c,65,6b,66,6c,6d,6d,6a,6b,64,
6a,70,65,00,88
"iaokcocfiojpgpgfjl"=hex:6a,61,6c,6d,64,6a,70,65,6d,64,62,6a,63,62,64,64,6b,70,
63,6b,00,17
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'explorer.exe'(1568)
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-24 19:21
ComboFix-quarantined-files.txt 2009-05-24 23:21
ComboFix2.txt 2009-05-24 04:27
ComboFix3.txt 2009-05-21 02:00

Pre-Run: 8,717,709,312 bytes free
Post-Run: 8,700,239,872 bytes free

191 --- E O F --- 2009-05-18 07:06


Still offline, ran HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:33 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\cygwin\bin\bash.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1757981266-1993962763-1343024091-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Kristen')
O4 - HKUS\S-1-5-21-1757981266-1993962763-1343024091-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (User 'Kristen')
O4 - HKUS\S-1-5-21-1757981266-1993962763-1343024091-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Kristen')
O4 - HKUS\S-1-5-21-1757981266-1993962763-1343024091-1005\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User 'Kristen')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/g...GameManager.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://imagelab.bestbuy.com/en/ulcontrolxp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JMP License Service - SAS Institute Inc. - C:\Program Files\Common Files\SAS Institute Inc Shared\Service\JMPLicSvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10753 bytes


Thanks for your help...
Chris
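As an added example, not part of Chris's post or of HijackThis itself: a Python triage helper that splits a HijackThis log into its section codes and pulls out the entries that most merit a second look, the `(file missing)` registrations and the O23 services whose executable carries no company name. The sample lines are an excerpt of the log above; the `Entry` record and helper names are this example's own.

```python
"""Triage helper for HijackThis v2 log lines (added example, not part of HijackThis)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the HijackThis log posted above (one line per registration).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
"""

# Section code at the start of each entry: R0/R1 (IE URLs), O2 (BHOs), O4 (Run keys),
# O9 (IE buttons), O16 (DPF ActiveX), O23 (services), and so on.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
FILE_MISSING = "(file missing)"
UNKNOWN_OWNER = "Unknown owner"


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]      # executable/DLL the registration points at, if any
    file_missing: bool       # HijackThis could not find the file on disk
    unknown_owner: bool      # O23 only: executable has no company name in its version info


def _extract_path(section: str, body: str) -> Optional[str]:
    """Pull the file path out of an entry body.

    O4 Run entries carry the command after the bracketed value name; most other
    sections put the path in the last ' - ' separated field.
    """
    if section == "O4" and "] " in body:
        candidate = body.split("] ", 1)[1]
    else:
        fields = body.split(" - ")
        if len(fields) < 2:
            return None
        candidate = fields[-1]
    candidate = candidate.replace(FILE_MISSING, "").strip()
    return candidate.strip('"') or None


def parse_hijackthis(text: str) -> List[Entry]:
    """Turn the R/F/N/O lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank lines, footer
        section, body = m.groups()
        entries.append(Entry(
            section=section,
            body=body,
            path=_extract_path(section, body),
            file_missing=FILE_MISSING in body,
            unknown_owner=section == "O23" and UNKNOWN_OWNER in body,
        ))
    return entries


def needs_review(entries: List[Entry]) -> List[Entry]:
    """Entries worth a human look: dangling registrations and services with no
    company name. Neither is a verdict; legitimate software produces both."""
    return [e for e in entries if e.file_missing or e.unknown_owner]


def count_by_section(entries: List[Entry]) -> dict:
    """How many entries each section code contributed."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hijackthis(SAMPLE_LOG)
    print("entries per section:", count_by_section(parsed))
    for e in needs_review(parsed):
        flags = ", ".join(f for f, on in (("file missing", e.file_missing),
                                           ("unknown owner", e.unknown_owner)) if on)
        print(f"{e.section}: {e.path}  [{flags}]")
```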

#4 teacup61 (Malware Response Team)

Posted 24 May 2009 - 07:11 PM

Hello,

Not cool....I see you ran ComboFix 3 times. :thumbup2: Can you please post the original one? It should be in the Qoobox folder.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 cbiz (Topic Starter)

Posted 24 May 2009 - 09:31 PM

Hi there,

Sorry about that...

I've run various things in the past few days trying to sort this out, including AVG, ComboFix, Spybot, and MBAM, though the problems persist.

The oldest log I've got in Qoobox is from 5-20:

ComboFix 09-05-20.A0 - Chris 05/20/2009 21:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.569 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\temp\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris\Local Settings\Temporary Internet Files\Fiddler.htm
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-20 03:15 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-20 03:15 . 2009-05-20 03:15 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-20 03:15 . 2009-05-20 03:15 -------- d-----w c:\program files\Avira
2009-05-18 03:44 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-18 03:44 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-18 03:44 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-18 03:44 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-18 03:44 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-18 03:44 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-18 03:44 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-05-18 03:44 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-18 03:44 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-18 03:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-18 03:09 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-15 02:55 . 2008-04-14 00:12 82432 -c--a-w c:\windows\system32\dllcache\ws2_32.dll
2009-04-27 11:57 . 2009-04-27 11:57 -------- d-----w c:\documents and settings\All Users\Application Data\Ubisoft
2009-04-27 11:54 . 2009-04-27 11:54 -------- d-----w c:\program files\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 02:42 . 2008-07-22 02:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-17 11:59 . 2005-03-09 02:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-15 16:06 . 2009-04-15 16:06 -------- d-----w c:\program files\Coupons
2009-04-06 19:32 . 2008-11-28 21:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-11-28 21:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 20:30 . 2009-03-13 19:05 -------- d-----w c:\program files\The Learning Company
2009-03-06 14:22 . 2002-08-29 20:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 03:32 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2005-09-15 23:26 . 2005-11-27 02:54 44153 ----a-w c:\program files\mozilla firefox\components\inspector.dll
.

------- Sigcheck -------

[7] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\windows\system32\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 86016]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-23 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-23 610304]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-21 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-06 88267]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2005-03-23 339968]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2005-2-1 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= "c:\windows\system32\RadExe.dll" [2005-04-28 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-03-24 19:26 110592 ----a-w c:\windows\system32\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMAgent.exe"=

R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/28/2009 2:17 PM 317440]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/19/2009 11:15 PM 108289]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [10/16/2004 11:03 PM 26240]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [10/17/2004 7:55 PM 171520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} - hxxp://imagelab.bestbuy.com/en/ulcontrolxp.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\unb1k4is.Default User\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSqueak.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 21:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?6?2?7??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1993962763-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{44EA44BF-20C5-CBDF-55A0-7BC3D5037DBA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaehengdeghmfdlfcilh"=hex:6a,61,66,6d,64,6b,6a,6c,65,6b,66,6c,6d,6d,6a,6b,64,
6a,70,65,00,88
"iaokcocfiojpgpgfjl"=hex:6a,61,6c,6d,64,6a,70,65,6d,64,62,6a,63,62,64,64,6b,70,
63,6b,00,17
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-05-21 22:00
ComboFix-quarantined-files.txt 2009-05-21 02:00

Pre-Run: 5,147,623,424 bytes free
Post-Run: 9,536,880,640 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

157 --- E O F --- 2009-05-18 07:06

The other is from early on 5-24:

I'm attaching it, as pasting it in here makes the message too long to post.


For what it's worth, here's also what's in ComboFix-QuarantenedFiles:

2009-05-21 01:48:18 . 2009-05-24 23:16:08 204 ----a-w C:\Qoobox\Quarantine\catchme.log
2006-02-20 03:08:03 . 2006-02-20 03:22:37 330,629 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Fiddler.htm.vir
2006-04-03 22:03:58 . 2006-11-09 18:18:58 1,587 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
2009-05-24 04:27:01 . 2009-05-24 04:27:01 562 ----a-w C:\Qoobox\Quarantine\Registry_backups\SafeBoot-procexp90.Sys.reg.dat
2009-05-21 01:56:13 . 2009-05-24 23:18:41 7,321 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg


Thanks again

Chris



#6 teacup61 (Malware Response Team)

Posted 24 May 2009 - 11:16 PM

Hi Chris,

Thanks for that. :thumbup2:

Do you have a router?

Highlight and copy the contents inside the code box below:

cd desktop
reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s >look2.txt
start notepad look2.txt
exit
cls

Click Start > Run, and, in the Open area, type: cmd
Press: Enter to open a command window.
Right-click by the blinking cursor in the command window and select: Paste
The command window will close and a log will open on your Desktop.

Paste the look.txt back here.

Thanks,
tea

Edited by teacup61, 24 May 2009 - 11:18 PM.


#7 cbiz (Topic Starter)

Posted 25 May 2009 - 07:32 AM

I do have a router. It's an old netgear MR814v2.

Here's the output from the registry query:

---



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.I420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iyuv REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.yvyu REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP
wave REG_SZ rdpsnd.dll
MaxBandwidth REG_DWORD 0x56b9
wavemapper REG_SZ msacm32.drv
EnableMP3Codec REG_DWORD 0x1
midimapper REG_SZ midimap.dll


---

Thanks,
Chris
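Added here as an illustration, not code from the thread or from either poster: a Python parser for the `reg query ... /s` output requested above that compares the Drivers32 entries against a known-good baseline, which is the check such a dump supports. The first sample is an abbreviated excerpt of the output Chris posted; the baseline dictionary, the System32 path and the second, altered sample are constructed for this example and are not authoritative.

```python
"""Baseline review of the Drivers32 key from `reg query ... /s` output
(added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

DRIVERS32 = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
# Assumed %SystemRoot%\system32 for a default XP install; adjust for other layouts.
SYSTEM32 = "c:\\windows\\system32\\"

# Abbreviated excerpt of the REG.EXE 3.0 output posted above (the forum
# collapsed the column whitespace to single spaces; the parser tolerates both).
POSTED_EXCERPT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
vidc.cvid REG_SZ iccvid.dll
wavemapper REG_SZ msacm32.drv
msacm.sl_anet REG_SZ sl_anet.acm
msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP
wave REG_SZ rdpsnd.dll
MaxBandwidth REG_DWORD 0x56b9
"""

# Constructed variant (not from the thread): the same excerpt with the 'midi'
# entry rewritten to a file outside System32, to show how a changed codec
# registration surfaces in the comparison.
CONSTRUCTED_VARIANT = POSTED_EXCERPT.replace(
    "midi REG_SZ wdmaud.drv",
    r"midi REG_SZ C:\Documents and Settings\<user>\Local Settings\Temp\example.dll")

# Constructed baseline (an assumption for this example, not an authoritative
# list of stock Windows XP entries): lower-cased value name -> expected data.
BASELINE = {
    "midimapper": "midimap.dll",
    "msacm.imaadpcm": "imaadp32.acm",
    "msacm.msadpcm": "msadp32.acm",
    "msacm.msg711": "msg711.acm",
    "vidc.cvid": "iccvid.dll",
    "wavemapper": "msacm32.drv",
    "wave": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
}

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\", re.I)
VALUE_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` output."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank lines and the REG.EXE banner
            continue
        if KEY_RE.match(line):                 # a key path opens a new block
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name.lower()] = (vtype, data)
    return keys


def outside_system32(data: str) -> bool:
    """True when data is an absolute path that does not live under System32.
    Codec entries are normally bare file names resolved from System32."""
    d = data.lower()
    return ":\\" in d and not d.startswith(SYSTEM32)


def review_drivers32(parsed, baseline=BASELINE) -> List[Tuple[str, str, str]]:
    """Compare the Drivers32 root key against the baseline.

    Returns sorted (value_name, finding, data) tuples:
      'changed'    - baseline name now points at different data
      'unexpected' - name absent from the baseline (a prompt to look, not a verdict)
      'missing'    - baseline name absent from the machine
      'odd-path'   - absolute path outside System32 (see outside_system32)
    Terminal Server subkeys are not compared.
    """
    values = parsed.get(DRIVERS32, {})
    findings = []
    for name, (_, data) in values.items():
        if name not in baseline:
            findings.append((name, "unexpected", data))
        elif data.lower() != baseline[name].lower():
            findings.append((name, "changed", data))
        if outside_system32(data):
            findings.append((name, "odd-path", data))
    for name, data in baseline.items():
        if name not in values:
            findings.append((name, "missing", data))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("posted output", POSTED_EXCERPT),
                          ("constructed variant", CONSTRUCTED_VARIANT)):
        print(f"== {label} ==")
        for name, finding, data in review_drivers32(parse_reg_query(sample)):
            print(f"{finding:10} {name} -> {data}")
```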

#8 teacup61 (Malware Response Team)

Posted 25 May 2009 - 10:52 AM

Hello Chris,

Please unplug your computer from the router, then reset the router completely and put a password on it. Then hook it back up to the computer and see if you're still redirected. :thumbup2:

Thanks,
tea

#9 cbiz (Topic Starter)

Posted 25 May 2009 - 01:19 PM

OK, did a complete reset on the router (while disconnected). Reconnected, set a password, and tried out google.

Still redirected. Bleah.

Thanks, Chris

#10 teacup61 (Malware Response Team)

Posted 25 May 2009 - 01:27 PM

Not out of things to do yet. :thumbup2:

Download the HostsXpert Here
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program

Thanks,
tea

#11 cbiz (Topic Starter)

Posted 25 May 2009 - 01:43 PM

Thanks for sticking with it!

Ran HostsXpert as suggested. Looks like it correctly reset my host file back to just 127.0.0.1 localhost.

Still redirecting. I rebooted as well, just to force a reread of hosts (if necessary), but it didn't help...

Thanks,
Chris

#12 teacup61 (Malware Response Team)

Posted 25 May 2009 - 01:59 PM

Hi,

You're welcome. We'll get it. :thumbup2:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\documents and settings\All Users\Application Data\SecTaskMan


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea

#13 cbiz (Topic Starter)

Posted 25 May 2009 - 03:21 PM

OK, this one did a lot of deletions anyway:

ComboFix 09-05-25.03 - Chris 05/25/2009 16:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.541 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\temp\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\temp\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\SecTaskMan
c:\documents and settings\All Users\Application Data\SecTaskMan\_avgssie157A0
c:\documents and settings\All Users\Application Data\SecTaskMan\_bijuyedi12790
c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\_wuredana122B0
c:\documents and settings\All Users\Application Data\SecTaskMan\_wuredana122BFE00
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109010090400000000000F01FEC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109010090400000000000F01FEC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109030000000000000000F01FEC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109030000000000000000F01FEC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_000021091A0090400000000000F01FEC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_000021091A0090400000000000F01FEC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109411090400000000000F01FEC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109411090400000000000F01FEC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109440090400000000000F01FEC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109440090400000000000F01FEC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109510090400000000000F01FEC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109510090400000000000F01FEC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109511090400000000000F01FEC

.
((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 17:56 . 2009-05-25 17:56 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-25 17:44 . 2009-05-25 17:52 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-25 17:44 . 2009-05-25 17:44 -------- d-----w c:\program files\NOS
2009-05-25 17:44 . 2009-03-03 18:53 17464 ----a-w c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\unb1k4is.Default User\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg.exe
2009-05-25 17:44 . 2009-03-03 18:53 12792 ----a-w c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\unb1k4is.Default User\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg_bootstrap.exe
2009-05-25 17:44 . 2009-03-03 18:53 109420 ----a-w c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\unb1k4is.Default User\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
2009-05-24 18:21 . 2009-05-24 18:21 -------- d-----w c:\documents and settings\Chris\Local Settings\Application Data\Help
2009-05-24 02:15 . 2008-04-14 00:12 116224 -c--a-w c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-24 02:15 . 2001-08-18 02:36 23040 -c--a-w c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-24 02:15 . 2008-04-14 00:12 18944 -c--a-w c:\windows\system32\dllcache\xrxscnui.dll
2009-05-24 02:15 . 2001-08-18 02:37 4608 -c--a-w c:\windows\system32\dllcache\xrxflnch.exe
2009-05-24 02:15 . 2001-08-18 02:37 27648 -c--a-w c:\windows\system32\dllcache\xrxftplt.exe
2009-05-24 02:15 . 2001-08-18 02:37 99865 -c--a-w c:\windows\system32\dllcache\xlog.exe
2009-05-24 02:15 . 2001-08-17 16:11 16970 -c--a-w c:\windows\system32\dllcache\xem336n5.sys
2009-05-24 02:15 . 2004-08-04 05:29 19455 -c--a-w c:\windows\system32\dllcache\wvchntxx.sys
2009-05-24 02:15 . 2004-08-04 05:29 12063 -c--a-w c:\windows\system32\dllcache\wsiintxx.sys
2009-05-24 02:15 . 2008-04-13 18:36 8832 -c--a-w c:\windows\system32\dllcache\wmiacpi.sys
2009-05-24 02:15 . 2001-08-17 16:12 34890 -c--a-w c:\windows\system32\dllcache\wlandrv2.sys
2009-05-24 02:13 . 2001-08-18 02:36 31744 -c--a-w c:\windows\system32\dllcache\tp4.dll
2009-05-24 02:12 . 2001-07-21 18:29 161568 -c--a-w c:\windows\system32\dllcache\sgsmusb.sys
2009-05-24 02:11 . 2001-08-18 02:36 121344 -c--a-w c:\windows\system32\dllcache\phvfwext.dll
2009-05-24 02:10 . 2001-08-17 17:48 12416 -c--a-w c:\windows\system32\dllcache\msriffwv.sys
2009-05-24 02:09 . 2008-04-13 18:39 14592 -c--a-w c:\windows\system32\dllcache\kbdhid.sys
2009-05-24 02:08 . 2001-08-17 17:28 50751 -c--a-w c:\windows\system32\dllcache\hsf_tone.sys
2009-05-24 02:07 . 2001-08-17 17:50 144896 -c--a-w c:\windows\system32\dllcache\epcfw2k.sys
2009-05-24 02:06 . 2001-08-17 17:52 14976 -c--a-w c:\windows\system32\dllcache\cpqarray.sys
2009-05-24 02:05 . 2001-08-18 02:36 9728 -c--a-w c:\windows\system32\dllcache\brserif.dll
2009-05-23 18:47 . 2009-05-24 00:36 -------- d--h--w C:\$AVG8.VAULT$
2009-05-22 22:22 . 2009-05-24 01:55 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-22 03:16 . 2009-05-22 03:16 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-20 03:15 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-18 03:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-18 02:41 . 2009-05-18 02:41 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-27 11:57 . 2009-04-27 11:57 -------- d-----w c:\documents and settings\All Users\Application Data\Ubisoft
2009-04-27 11:54 . 2009-04-27 11:54 -------- d-----w c:\program files\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 18:39 . 2008-01-08 11:07 -------- d-----w c:\documents and settings\Chris\Application Data\OpenOffice.org2
2009-05-24 18:21 . 2008-11-28 21:24 -------- d-----w c:\program files\Security Task Manager
2009-05-18 07:05 . 2005-08-16 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-18 02:42 . 2008-07-22 02:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-17 11:59 . 2005-03-09 02:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-15 16:06 . 2009-04-15 16:06 -------- d-----w c:\program files\Coupons
2009-04-06 19:32 . 2008-11-28 21:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-11-28 21:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 02:11 . 2009-04-13 22:16 65536 ----a-w c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\u7qgpesh.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll
2009-03-15 14:40 . 2009-03-15 14:39 4373808 ----a-w c:\documents and settings\All Users\Application Data\TaxCut\2008\Downloads\TaxCutNC.exe
2009-03-14 13:31 . 2009-03-14 13:28 27655688 ----a-w c:\documents and settings\All Users\Application Data\TaxCut\2008\Update\US62016801cupd.exe
2009-03-06 14:22 . 2002-08-29 20:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 03:32 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 18:33 . 2009-02-28 18:30 23269896 ----a-w c:\documents and settings\All Users\Application Data\TaxCut\2008\Update\US53016201cupd.exe
2005-09-15 23:26 . 2005-11-27 02:54 44153 ----a-w c:\program files\mozilla firefox\components\inspector.dll
.

------- Sigcheck -------

[7] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 30A9710C7F48391C0D6A4AA7031EC914 c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-05-24_04.25.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-25 18:39 . 2009-05-25 18:39 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
+ 2006-04-10 17:00 . 2008-03-20 22:06 1480232 c:\windows\system32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 86016]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-23 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-23 610304]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-21 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-06 88267]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2005-03-23 339968]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2005-2-1 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= "c:\windows\system32\RadExe.dll" [2005-04-28 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-03-24 19:26 110592 ----a-w c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMAgent.exe"=

R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/28/2009 2:17 PM 317440]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [10/16/2004 11:03 PM 26240]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [10/17/2004 7:55 PM 171520]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/25/2009 1:44 PM 33176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} - hxxp://imagelab.bestbuy.com/en/ulcontrolxp.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\unb1k4is.Default User\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSqueak.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 16:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?6?2?7??p???? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1993962763-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{44EA44BF-20C5-CBDF-55A0-7BC3D5037DBA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaehengdeghmfdlfcilh"=hex:6a,61,66,6d,64,6b,6a,6c,65,6b,66,6c,6d,6d,6a,6b,64,
6a,70,65,00,88
"iaokcocfiojpgpgfjl"=hex:6a,61,6c,6d,64,6a,70,65,6d,64,62,6a,63,62,64,64,6b,70,
63,6b,00,17
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-05-25 16:15
ComboFix-quarantined-files.txt 2009-05-25 20:15
ComboFix2.txt 2009-05-24 23:21
ComboFix3.txt 2009-05-24 04:27
ComboFix4.txt 2009-05-21 02:00

Pre-Run: 8,285,196,288 bytes free
Post-Run: 8,273,256,448 bytes free

309 --- E O F --- 2009-05-18 07:06


Some quick browsing didn't show any redirects.

Also, I can now get to firefox download pages, which were always failing (being blocked?) before.

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:33 PM

Posted 25 May 2009 - 04:20 PM

Can you update things like your AVG now?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#15 cbiz

cbiz
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:33 PM

Posted 25 May 2009 - 09:34 PM

Hmm. Still no redirecting noticed in either firefox or IE. But, no, oddly I still can't update AVG. I'm installing it from scratch, and when it gets to the upgrade section, it just hangs indefinitely. The other similar situation that I had noticed before (and just verified is still true) is that the ESET online scanner fails with an "Unexpected Error 103".

Chris



