Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

trouble with google redirects


  • This topic is locked This topic is locked
11 replies to this topic

#1 hawkus1

hawkus1

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 AM

Posted 18 August 2009 - 09:11 PM

I was hit with an unknown virus or trojan recently , used malwarebytes antimalware to disinfect , did a scan with spybot , and did a virus and spyware scan , however redirects from google searches still continue.

Please help
Thanks in advance
hawkus1


DDS (Ver_09-07-30.01) - NTFSx86
Run by Admin at 21:22:21.04 on Tue 08/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1300 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB6438] command.com /c del "c:\windows\system32\drivers\vsfoceyprdupts.sys"
uRunOnce: [SpybotDeletingD7633] cmd.exe /c del "c:\windows\system32\drivers\vsfoceyprdupts.sys"
uRunOnce: [SpybotDeletingB271] command.com /c del "c:\windows\system32\vsfocedoyxvmlh.dll"
uRunOnce: [SpybotDeletingD1291] cmd.exe /c del "c:\windows\system32\vsfocedoyxvmlh.dll"
uRunOnce: [SpybotDeletingB3018] command.com /c del "c:\windows\system32\vsfoceyujoetny.dll"
uRunOnce: [SpybotDeletingD9546] cmd.exe /c del "c:\windows\system32\vsfoceyujoetny.dll"
uRunOnce: [SpybotDeletingB9275] command.com /c del "c:\windows\system32\vsfocemudtrmlq.dat"
uRunOnce: [SpybotDeletingD6788] cmd.exe /c del "c:\windows\system32\vsfocemudtrmlq.dat"
uRunOnce: [SpybotDeletingB9917] command.com /c del "c:\windows\system32\vsfoceorvdllrl.dat"
uRunOnce: [SpybotDeletingD6230] cmd.exe /c del "c:\windows\system32\vsfoceorvdllrl.dat"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CaPPcl] c:\program files\ca\ca internet security suite\ca anti-spyware\CAAntiSpyware.exe /scan /startup
mRunOnce: [SpybotDeletingA7853] command.com /c del "c:\windows\system32\drivers\vsfoceyprdupts.sys"
mRunOnce: [SpybotDeletingC7496] cmd.exe /c del "c:\windows\system32\drivers\vsfoceyprdupts.sys"
mRunOnce: [SpybotDeletingA3459] command.com /c del "c:\windows\system32\vsfocedoyxvmlh.dll"
mRunOnce: [SpybotDeletingC7358] cmd.exe /c del "c:\windows\system32\vsfocedoyxvmlh.dll"
mRunOnce: [SpybotDeletingA4527] command.com /c del "c:\windows\system32\vsfoceyujoetny.dll"
mRunOnce: [SpybotDeletingC3741] cmd.exe /c del "c:\windows\system32\vsfoceyujoetny.dll"
mRunOnce: [SpybotDeletingA3816] command.com /c del "c:\windows\system32\vsfocemudtrmlq.dat"
mRunOnce: [SpybotDeletingC6427] cmd.exe /c del "c:\windows\system32\vsfocemudtrmlq.dat"
mRunOnce: [SpybotDeletingA9958] command.com /c del "c:\windows\system32\vsfoceorvdllrl.dat"
mRunOnce: [SpybotDeletingC5760] cmd.exe /c del "c:\windows\system32\vsfoceorvdllrl.dat"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204755891203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204755883296
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: c:\windows\system32\rserver30\r3god.dll,c:\program,files\relevantknowledge\rlai.dll,c:\program,files\relevantknowledge\rlai.dll,c:\program files\relevantknowledge\rlai.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-07-25 01:09 10,240 a--sh--- c:\windows\rnapxs\rnapxs.dat
2008-07-18 04:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071820080719\index.dat

============= FINISH: 21:24:07.68 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:09:20 AM

Posted 30 August 2009 - 07:32 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 hawkus1

hawkus1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 AM

Posted 31 August 2009 - 12:48 PM

Thank you for replying to my post :

To the best of my knowledge i was hit with the virtumundo virus , not 100% sure it was that specifically , however a rouge spyware program "antivirus pro 2010" did try to install itself on my computer. Thats when i ran my last dds scan and post from before.

"Posted Aug 18 2009, 10:11 PM
I was hit with an unknown virus or trojan recently , used malwarebytes antimalware to disinfect , did a scan with spybot , and did a virus and spyware scan , however redirects from google searches still continue ..."

Here is the new dds scan :



DDS (Ver_09-07-30.01) - NTFSx86
Run by Admin at 13:31:40.26 on Mon 08/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1025 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page =
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mLocal Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CaPPcl] c:\program files\ca\ca internet security suite\ca anti-spyware\CAAntiSpyware.exe /scan /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204755891203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204755883296
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\tds6fo3q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FF&qry=
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tds6fo3q.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-6-24 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-6-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-6-24 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-28 26376]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-28 21128]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-28 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-28 21512]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-28 32264]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-7-25 144960]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-5-24 14976]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2008-1-21 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2008-1-21 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-6-24 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-7-25 242952]
R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [2008-7-25 811008]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-6-24 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-8-17 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-28 108368]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-22 1684736]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
S3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys --> c:\windows\system32\drivers\ramirr.sys [?]
S3 WinPhlash;WinPhlash;\??\c:\docume~1\admin\locals~1\temp\rarsfx0\s10vwf\phlashnt.sys --> c:\docume~1\admin\locals~1\temp\rarsfx0\s10vwf\PHLASHNT.SYS [?]
S4 RARfsClientNP;RARfsClientNP; [x]

=============== Created Last 30 ================

2009-08-26 02:54 <DIR> --d----- c:\program files\URUSoft
2009-08-26 02:03 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-08-26 02:03 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-08-26 02:03 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-08-26 02:03 <DIR> --d----- c:\program files\ffdshow
2009-08-19 16:01 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-18 17:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-18 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-18 00:30 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-18 00:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-18 00:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-17 23:47 <DIR> --d----- c:\program files\Trend Micro
2009-08-17 15:46 <DIR> a-d----- c:\windows\system32\images
2009-08-16 01:53 <DIR> --d----- C:\Mp3's
2009-08-12 17:17 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 17:17 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-08-12 17:17 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 17:17 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 17:17 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-08-12 17:17 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 17:16 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 17:15 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:43 <DIR> --d----- c:\program files\CDisplay
2009-08-06 16:46 86,287 a------- c:\windows\system32\WinUpdateMan.exe
2009-08-06 13:48 16,384 a------- c:\windows\system32\Msdirectx.exe

==================== Find3M ====================

2009-08-29 12:20 154,960 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-08-29 12:20 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-08-29 12:20 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-08-29 12:20 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-08-29 12:20 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-08-29 12:20 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-08-29 12:20 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-08-29 12:20 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2009-08-16 23:41 2,855 a------- c:\windows\pif\ghost.PIF
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-09 23:10 87,608 a------- c:\docume~1\admin\applic~1\inst.exe
2009-05-09 23:10 47,360 a------- c:\docume~1\admin\applic~1\pcouffin.sys
2008-07-25 01:09 10,240 a--sh--- c:\windows\rnapxs\rnapxs.dat
2008-07-18 04:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071820080719\index.dat

============= FINISH: 13:33:44.12 ===============

I have also included the attach.txt in attachment.

thanx in advance
hawkus1

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:20 AM

Posted 04 September 2009 - 12:16 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 hawkus1

hawkus1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 AM

Posted 05 September 2009 - 07:04 PM

Thanx for the reply , The only changes I have made lately is to add spybot sandd and spyware blaster to my computer to try and ward off future infections. As of late the redirects have stopped but the spyware scanner on my comp has been detecting additional spyware since this all started heres a log of the quarantine report :

CA Anti-Spyware Quarantined Spyware Report
This report was generated on: 9/5/2009-7:55:28 PM

9/5/2009 7:46:07 PM <<20090905234607>>
() Bifrost
hkey_users \s-1-5-21-861567501-515967899-1417001333-1003\software\wget

() WinSpywareProtect
hkey_users \s-1-5-21-861567501-515967899-1417001333-1003\software\microsoft\windows\currentversion\drivers

() WinAntiVirus Pro 2006
hkey_classes_root \*\shellex\contextmenuhandlers\shellextension

9/5/2009 7:46:07 PM <<20090905234607>>
***End Report***



Here are the logs as requested :

ComboFix 09-09-05.01 - Admin 09/05/2009 17:00.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1360 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\inst.exe
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\windows\Installer\c2b849.msi
c:\windows\Installer\SwInstall.msi
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_vsfoceqpsxmqww
-------\Service_vsfoceqpsxmqww


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-08-26 06:54 . 2009-08-27 04:54 -------- d-----w- c:\program files\URUSoft
2009-08-26 06:03 . 2008-12-17 23:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-26 06:03 . 2008-12-11 17:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-26 06:03 . 2009-08-26 06:03 -------- d-----w- c:\program files\ffdshow
2009-08-19 23:53 . 2009-08-19 23:55 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-19 20:01 . 2009-08-31 17:27 -------- d-----w- c:\program files\SpywareBlaster
2009-08-18 21:52 . 2009-08-18 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 21:52 . 2009-08-18 21:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-18 04:30 . 2009-08-18 05:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 04:28 . 2009-08-18 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-18 04:28 . 2009-08-18 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-18 03:47 . 2009-08-18 03:47 -------- d-----w- c:\program files\Trend Micro
2009-08-16 05:53 . 2009-08-20 04:57 -------- d-----w- C:\Mp3's
2009-08-12 21:17 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 21:17 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 21:17 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 21:17 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 21:17 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-08-12 21:17 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 21:15 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 23:43 . 2009-08-10 23:43 -------- d-----w- c:\program files\CDisplay
2009-08-07 05:03 . 2009-09-05 03:55 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 21:05 . 2008-07-25 05:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-09-05 21:05 . 2008-07-25 05:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-09-05 21:05 . 2008-07-25 05:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-09-05 21:05 . 2008-07-25 05:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-09-05 21:05 . 2008-07-25 05:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-09-05 21:05 . 2008-07-25 05:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-09-05 21:05 . 2008-07-25 05:32 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-09-05 21:05 . 2008-07-25 05:32 154960 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-09-03 17:48 . 2009-05-10 03:10 -------- d-----w- c:\documents and settings\Admin\Application Data\Vso
2009-09-01 02:58 . 2009-06-19 20:45 -------- d-----w- c:\documents and settings\Admin\Application Data\GrabIt
2009-08-31 17:28 . 2008-11-10 02:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-30 01:50 . 2008-07-18 09:08 -------- d-----w- c:\documents and settings\Admin\Application Data\dvdcss
2009-08-29 22:36 . 2009-06-01 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-26 19:35 . 2009-05-09 21:00 -------- d-----w- c:\documents and settings\Admin\Application Data\mIRC
2009-08-26 19:26 . 2009-05-13 03:13 -------- d-----w- c:\program files\mIRC
2009-08-20 04:44 . 2009-05-15 06:34 -------- d-----w- c:\program files\Romcenter
2009-08-20 04:17 . 2009-07-02 04:24 -------- d-----w- c:\documents and settings\Admin\Application Data\IGN_DLM
2009-08-18 04:28 . 2008-03-05 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-17 23:30 . 2008-03-05 21:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 23:24 . 2009-06-22 20:24 -------- d-----w- c:\program files\Steam
2009-08-17 02:49 . 2009-06-01 21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 07:09 . 2008-03-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-06 20:46 . 2009-08-06 20:46 86287 ----a-w- c:\windows\system32\WinUpdateMan.exe
2009-08-06 17:48 . 2009-08-06 17:48 16384 ----a-w- c:\windows\system32\Msdirectx.exe
2009-08-05 09:01 . 2004-08-04 05:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-06-01 21:31 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-01 21:31 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 12:35 . 2008-07-19 22:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 02:31 . 2009-07-31 02:31 -------- d-----w- c:\program files\CDex_150
2009-07-29 17:44 . 2009-07-29 17:44 -------- d-----w- c:\program files\The Learning Company
2009-07-17 19:01 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2007-01-17 23:03 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 23:27 . 2009-07-13 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{9E3A8735-9ABB-468A-A982-A50862FC9AB3}
2009-07-13 23:26 . 2009-07-13 23:26 -------- d-----w- c:\documents and settings\Admin\Application Data\Seven Zip
2009-07-03 17:09 . 2007-10-14 10:38 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2007-10-14 10:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2007-10-14 10:34 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-04 05:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-05-10 16:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 05:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-03-05 20:52 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2007-10-14 10:37 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-07-25 05:09 . 2008-07-25 05:09 10240 --sha-w- c:\windows\rnapxs\rnapxs.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-31 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-07-31 230664]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-01 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-01-28 14088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CaPPcl"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe" [2007-08-17 410888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 06:57 176128 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 21:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 10:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 10:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 10:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 10:08 PM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 10:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 10:08 PM 66576]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [5/24/2009 8:03 PM 14976]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [1/21/2008 4:54 PM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [1/21/2008 4:54 PM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 10:10 PM 281104]
R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [7/25/2008 1:09 AM 811008]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 10:08 PM 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/17/2007 12:10 AM 189704]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 11:53 PM 1684736]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 8:01 AM 3328]
S3 ramirr;ramirr;c:\windows\system32\DRIVERS\ramirr.sys --> c:\windows\system32\DRIVERS\ramirr.sys [?]
S3 WinPhlash;WinPhlash;\??\c:\docume~1\Admin\LOCALS~1\Temp\RarSFX0\S10VWF\PHLASHNT.SYS --> c:\docume~1\Admin\LOCALS~1\Temp\RarSFX0\S10VWF\PHLASHNT.SYS [?]
S4 RARfsClientNP;RARfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\CAAntiSpywareScan_Daily as Admin at 4 00 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 04:10]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-NavLogon - (no file)
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.google.com/
mLocal Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\tds6fo3q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FF&qry=
FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\tds6fo3q.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 17:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,a7,9d,1e,e7,9b,2c,44,b6,8c,82,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,a7,9d,1e,e7,9b,2c,44,b6,8c,82,\

[HKEY_USERS\S-1-5-21-861567501-515967899-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,a4,fe,cd,2d,a8,de,8e,32,83,61,d8,58,d5,99,9a,64,d6,ed,9b,65,9c,1d,
96,c9,19,32,26,56,cf,6f,2a,d2,8b,7b,9a,0d,25,32,5e,fc,ee,7d,27,56,13,d7,a0,\
"??"=hex:02,02,e8,ba,26,ea,73,8e,8b,54,a9,cd,69,28,24,bb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1636)
c:\windows\system32\UmxWnp.Dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1872)
c:\windows\system32\winsflt.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(2088)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
.
**************************************************************************
.
Completion time: 2009-09-05 17:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 21:16

Pre-Run: 60,110,057,472 bytes free
Post-Run: 59,975,954,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

305 --- E O F --- 2009-08-26 07:00

Attached Files

  • Attached File  log.txt   20KB   1 downloads
  • Attached File  gmer.log   216.54KB   1 downloads

Edited by PropagandaPanda, 05 September 2009 - 07:38 PM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:20 AM

Posted 05 September 2009 - 07:45 PM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/250699/trouble-with-google-redirects/
    
    Suspect::[59]
    c:\windows\system32\WinUpdateMan.exe
    c:\windows\rnapxs\rnapxs.dat
    
    DirLook::
    c:\windows\rnapxs
    
    File::
    c:\windows\system32\drivers\kmxcfg.u2k7
    c:\windows\system32\drivers\kmxcfg.u2k6
    c:\windows\system32\drivers\kmxcfg.u2k5
    c:\windows\system32\drivers\kmxcfg.u2k4
    c:\windows\system32\drivers\kmxcfg.u2k3
    c:\windows\system32\drivers\kmxcfg.u2k2
    c:\windows\system32\drivers\kmxcfg.u2k1
    c:\windows\system32\drivers\kmxcfg.u2k0
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=-
    
    Driver::
    ramirr
    WinPhlash
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assasin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able update using the normal method download the update file from here, using another machine if needed. Simply double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
With Regards,
The Panda

#7 hawkus1

hawkus1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 AM

Posted 08 September 2009 - 12:27 PM

The latest logs you requested.

thanx again
hawkus1

ComboFix 09-09-05.03 - Admin 09/06/2009 8:46.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1220 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

FILE ::
"c:\windows\system32\drivers\kmxcfg.u2k0"
"c:\windows\system32\drivers\kmxcfg.u2k1"
"c:\windows\system32\drivers\kmxcfg.u2k2"
"c:\windows\system32\drivers\kmxcfg.u2k3"
"c:\windows\system32\drivers\kmxcfg.u2k4"
"c:\windows\system32\drivers\kmxcfg.u2k5"
"c:\windows\system32\drivers\kmxcfg.u2k6"
"c:\windows\system32\drivers\kmxcfg.u2k7"

file zipped: c:\windows\rnapxs\rnapxs.dat
file zipped: c:\windows\system32\WinUpdateMan.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kmxcfg.u2k0
c:\windows\system32\drivers\kmxcfg.u2k1
c:\windows\system32\drivers\kmxcfg.u2k2
c:\windows\system32\drivers\kmxcfg.u2k3
c:\windows\system32\drivers\kmxcfg.u2k4
c:\windows\system32\drivers\kmxcfg.u2k5
c:\windows\system32\drivers\kmxcfg.u2k6
c:\windows\system32\drivers\kmxcfg.u2k7

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINPHLASH
-------\Service_ramirr
-------\Service_WinPhlash


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-08-26 06:54 . 2009-08-27 04:54 -------- d-----w- c:\program files\URUSoft
2009-08-26 06:03 . 2008-12-17 23:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-26 06:03 . 2008-12-11 17:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-26 06:03 . 2009-08-26 06:03 -------- d-----w- c:\program files\ffdshow
2009-08-19 23:53 . 2009-08-19 23:55 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-19 20:01 . 2009-09-06 00:11 -------- d-----w- c:\program files\SpywareBlaster
2009-08-18 21:52 . 2009-08-18 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 21:52 . 2009-08-18 21:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-18 04:30 . 2009-08-18 05:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 04:28 . 2009-08-18 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-18 04:28 . 2009-08-18 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-18 03:47 . 2009-08-18 03:47 -------- d-----w- c:\program files\Trend Micro
2009-08-16 05:53 . 2009-08-20 04:57 -------- d-----w- C:\Mp3's
2009-08-12 21:17 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 21:17 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 21:17 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 21:17 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 21:17 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-08-12 21:17 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 21:15 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 23:43 . 2009-08-10 23:43 -------- d-----w- c:\program files\CDisplay

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 00:11 . 2008-11-10 02:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-05 03:55 . 2009-08-07 05:03 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-09-03 17:48 . 2009-05-10 03:10 -------- d-----w- c:\documents and settings\Admin\Application Data\Vso
2009-09-01 02:58 . 2009-06-19 20:45 -------- d-----w- c:\documents and settings\Admin\Application Data\GrabIt
2009-08-30 01:50 . 2008-07-18 09:08 -------- d-----w- c:\documents and settings\Admin\Application Data\dvdcss
2009-08-29 22:36 . 2009-06-01 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-26 19:35 . 2009-05-09 21:00 -------- d-----w- c:\documents and settings\Admin\Application Data\mIRC
2009-08-26 19:26 . 2009-05-13 03:13 -------- d-----w- c:\program files\mIRC
2009-08-20 04:44 . 2009-05-15 06:34 -------- d-----w- c:\program files\Romcenter
2009-08-20 04:17 . 2009-07-02 04:24 -------- d-----w- c:\documents and settings\Admin\Application Data\IGN_DLM
2009-08-18 04:28 . 2008-03-05 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-17 23:30 . 2008-03-05 21:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 23:24 . 2009-06-22 20:24 -------- d-----w- c:\program files\Steam
2009-08-17 02:49 . 2009-06-01 21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 07:09 . 2008-03-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-06 20:46 . 2009-08-06 20:46 86287 ----a-w- c:\windows\system32\WinUpdateMan.exe
2009-08-06 17:48 . 2009-08-06 17:48 16384 ----a-w- c:\windows\system32\Msdirectx.exe
2009-08-05 09:01 . 2004-08-04 05:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-06-01 21:31 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-01 21:31 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 12:35 . 2008-07-19 22:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 02:31 . 2009-07-31 02:31 -------- d-----w- c:\program files\CDex_150
2009-07-29 17:44 . 2009-07-29 17:44 -------- d-----w- c:\program files\The Learning Company
2009-07-17 19:01 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2007-01-17 23:03 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 23:27 . 2009-07-13 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{9E3A8735-9ABB-468A-A982-A50862FC9AB3}
2009-07-13 23:26 . 2009-07-13 23:26 -------- d-----w- c:\documents and settings\Admin\Application Data\Seven Zip
2009-07-03 17:09 . 2007-10-14 10:38 915456 ------w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2007-10-14 10:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2007-10-14 10:34 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-04 05:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-05-10 16:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 05:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-03-05 20:52 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2007-10-14 10:37 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-07-25 05:09 . 2008-07-25 05:09 10240 --sha-w- c:\windows\rnapxs\rnapxs.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\rnapxs ----

2009-09-06 12:27 . 2009-09-06 12:45 11787 ----a-w- c:\windows\rnapxs\logs\20090906.plf
2009-09-05 05:50 . 2009-09-06 03:24 416680 ----a-w- c:\windows\rnapxs\logs\20090905.plf
2009-09-05 00:53 . 2009-09-05 06:07 1704141 ----a-w- c:\windows\rnapxs\logs\20090904.plf
2009-09-03 11:34 . 2009-09-04 04:50 1433230 ----a-w- c:\windows\rnapxs\logs\20090903.plf
2009-09-02 21:03 . 2009-09-03 04:41 1011438 ----a-w- c:\windows\rnapxs\logs\20090902.plf
2009-09-01 17:02 . 2009-09-02 00:34 573069 ----a-w- c:\windows\rnapxs\logs\20090901.plf
2009-08-31 16:07 . 2009-09-01 05:50 1290149 ----a-w- c:\windows\rnapxs\logs\20090831.plf
2009-08-30 15:53 . 2009-08-30 16:00 5013 ----a-w- c:\windows\rnapxs\logs\20090830.plf
2009-08-29 05:14 . 2009-08-29 05:14 164 ----a-w- c:\windows\rnapxs\logs\20090828.plf
2009-08-29 05:05 . 2009-08-30 04:21 172403 ----a-w- c:\windows\rnapxs\logs\20090829.plf
2009-08-28 06:05 . 2009-08-28 06:27 8950 ----a-w- c:\windows\rnapxs\logs\20090827.plf
2009-08-26 07:56 . 2009-08-27 05:11 875954 ----a-w- c:\windows\rnapxs\logs\20090826.plf
2009-08-25 14:28 . 2009-08-26 06:53 1555930 ----a-w- c:\windows\rnapxs\logs\20090825.plf
2009-08-24 20:04 . 2009-08-25 06:29 369029 ----a-w- c:\windows\rnapxs\logs\20090824.plf
2009-08-23 17:21 . 2009-08-24 00:24 375595 ----a-w- c:\windows\rnapxs\logs\20090823.plf
2009-08-23 04:17 . 2009-08-23 04:30 7476 ----a-w- c:\windows\rnapxs\logs\20090822.plf
2009-08-21 14:22 . 2009-08-22 03:23 1022976 ----a-w- c:\windows\rnapxs\logs\20090821.plf
2009-08-20 22:55 . 2009-08-21 01:16 591454 ----a-w- c:\windows\rnapxs\logs\20090820.plf
2009-08-19 04:16 . 2009-08-20 04:22 727809 ----a-w- c:\windows\rnapxs\logs\20090819.plf
2009-08-18 05:14 . 2009-08-19 05:17 875428 ----a-w- c:\windows\rnapxs\logs\20090818.plf
2009-08-17 19:28 . 2009-08-18 06:22 1525067 ----a-w- c:\windows\rnapxs\logs\20090817.plf
2009-08-16 06:23 . 2009-08-17 05:07 662862 ----a-w- c:\windows\rnapxs\logs\20090816.plf
2009-08-16 01:23 . 2009-08-16 06:59 98032 ----a-w- c:\windows\rnapxs\logs\20090815.plf
2009-08-13 13:30 . 2009-08-14 00:17 1481817 ----a-w- c:\windows\rnapxs\logs\20090813.plf
2009-08-12 04:02 . 2009-08-13 04:53 938435 ----a-w- c:\windows\rnapxs\logs\20090812.plf
2009-08-12 00:26 . 2009-08-12 04:16 138305 ----a-w- c:\windows\rnapxs\logs\20090811.plf
2009-08-10 14:54 . 2009-08-11 00:17 1639996 ----a-w- c:\windows\rnapxs\logs\20090810.plf
2009-08-09 16:04 . 2009-08-10 04:50 167114 ----a-w- c:\windows\rnapxs\logs\20090809.plf
2009-08-08 07:06 . 2009-08-08 21:09 193971 ----a-w- c:\windows\rnapxs\logs\20090808.plf
2009-08-07 12:38 . 2009-08-07 12:38 0 ----a-w- c:\windows\rnapxs\logs\20090807.plf
2008-12-25 04:45 . 2009-09-06 12:34 149737472 ----a-w- c:\windows\rnapxs\CSDK\urlcache\urlCacheDb.idx
2008-07-25 05:43 . 2008-07-25 05:43 48 ----a-w- c:\windows\rnapxs\ulist\l2.ps
2008-07-25 05:36 . 2009-09-06 01:34 16265216 ----a-w- c:\windows\rnapxs\CSDK\urlcache\urlCacheDb.dat
2008-07-25 05:36 . 2009-09-06 01:34 5607424 ----a-w- c:\windows\rnapxs\CSDK\urlcache\domainNames.idx
2008-07-25 05:36 . 2009-09-06 01:34 3125248 ----a-w- c:\windows\rnapxs\CSDK\urlcache\domainNames.dat
2008-07-25 05:09 . 2008-07-25 05:09 10240 --sha-w- c:\windows\rnapxs\rnapxs.dat
2008-07-25 05:09 . 2008-11-04 13:13 5200389 ----a-w- c:\windows\rnapxs\StLst\icnStLst
2008-07-25 05:09 . 2007-03-07 20:56 12047 ----a-w- c:\windows\rnapxs\CSDK\data\dic
2008-07-25 05:09 . 2007-03-07 20:56 191 ----a-w- c:\windows\rnapxs\CSDK\data\enc
2008-07-25 05:09 . 2007-03-07 20:56 1708978 ----a-w- c:\windows\rnapxs\CSDK\data\n01
2008-07-25 05:09 . 2007-03-07 20:56 2028519 ----a-w- c:\windows\rnapxs\CSDK\data\n00


((((((((((((((((((((((((((((( SnapShot@2009-09-05_21.09.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-06 12:53 . 2009-09-06 12:53 16384 c:\windows\temp\Perflib_Perfdata_344.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-31 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-07-31 230664]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-01 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-01-28 14088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CaPPcl"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe" [2007-08-17 410888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 06:57 176128 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 21:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 10:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 10:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 10:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 10:08 PM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 10:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 10:08 PM 66576]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [5/24/2009 8:03 PM 14976]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [1/21/2008 4:54 PM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [1/21/2008 4:54 PM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 10:10 PM 281104]
R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [7/25/2008 1:09 AM 811008]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 10:08 PM 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/17/2007 12:10 AM 189704]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 11:53 PM 1684736]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 8:01 AM 3328]
S4 RARfsClientNP;RARfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\CAAntiSpywareScan_Daily as Admin at 4 00 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 04:10]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.google.com/
mLocal Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\tds6fo3q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FF&qry=
FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\tds6fo3q.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 08:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,a7,9d,1e,e7,9b,2c,44,b6,8c,82,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,a7,9d,1e,e7,9b,2c,44,b6,8c,82,\

[HKEY_USERS\S-1-5-21-861567501-515967899-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,a4,fe,cd,2d,a8,de,8e,32,83,61,d8,58,d5,99,9a,64,d6,ed,9b,65,9c,1d,
96,c9,19,32,26,56,cf,6f,2a,d2,8b,7b,9a,0d,25,32,5e,fc,ee,7d,27,56,13,d7,a0,\
"??"=hex:02,02,e8,ba,26,ea,73,8e,8b,54,a9,cd,69,28,24,bb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1648)
c:\windows\system32\UmxWnp.Dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1880)
c:\windows\system32\winsflt.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3520)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\windows\system32\mdmcls32.exe
.
**************************************************************************
.
Completion time: 2009-09-06 9:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 13:02
ComboFix2.txt 2009-09-05 21:17

Pre-Run: 59,941,949,440 bytes free
Post-Run: 59,901,943,808 bytes free

321 --- E O F --- 2009-08-26 07:00

Attached Files


Edited by PropagandaPanda, 08 September 2009 - 04:00 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:20 AM

Posted 08 September 2009 - 04:05 PM

Hello.

That looks better.

Update Java to Version 6 Update 16
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please also take a new DDS.txt log after. Any problems at the moment?

With Regards,
The Panda

#9 hawkus1

hawkus1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 AM

Posted 09 September 2009 - 08:31 PM

Hello again pp

1. updated java to version 16

2.Ran the scan with kaspersky it found 4 infections.

There are some things im not quite understanding however:

1. Why did kaspersky say : C:\Program Files\Best Buy Games\Cake Mania 2\Super_Granny_3-setup.exe Infected: Trojan.Win32.Inject.tzf : was infected?

2. I can disable my firewall but ca antivirus only allows me to "snooze" my antivirus, is this ok for scans when you request i "temporarily" disable them?

3. Right after i ran the scan with kaspersky my ca anti virus said that combofix was quarantined : it said something to the effect of: combofix.exe is win32/SillyDl.PRR infection. quarantined

4.What exactly looked better in my last post?

5. Not exactly sure why trojans keep trying to infect my computer even after I run weekly scans with my antivirus, spyware, spybot s and d and malwarebytes scans , i figured by now id have deleted it all but they just seem relentless, I usually try to avoid most sites that would try to secretly download this stuff , im really hoping you can help me "armor up" my comp.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Admin at 20:07:11.22 on Wed 09/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1207 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page =
uStart Page = hxxp://www.google.com/
mLocal Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CaPPcl] c:\program files\ca\ca internet security suite\ca anti-spyware\CAAntiSpyware.exe /scan /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204755891203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204755883296
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\tds6fo3q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FF&qry=
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tds6fo3q.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-6-24 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-6-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-6-24 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-28 26376]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-28 21128]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-28 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-28 21512]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-28 32264]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-7-25 144960]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-5-24 14976]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2008-1-21 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2008-1-21 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-6-24 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-7-25 242952]
R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [2008-7-25 811008]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-6-24 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-8-17 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-28 108368]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-22 1684736]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
S4 RARfsClientNP;RARfsClientNP; [x]

=============== Created Last 30 ================

2009-09-09 16:28 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-08 23:07 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-08 13:53 156,480 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-09-08 13:53 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-09-08 13:53 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-09-08 13:53 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-09-08 13:53 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-09-08 13:53 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-09-08 13:53 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-09-08 13:53 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2009-09-05 16:58 <DIR> a-dshr-- C:\cmdcons
2009-09-05 16:56 230,912 a------- c:\windows\PEV.exe
2009-09-05 16:56 161,792 a------- c:\windows\SWREG.exe
2009-09-05 16:56 98,816 a------- c:\windows\sed.exe
2009-08-26 02:54 <DIR> --d----- c:\program files\URUSoft
2009-08-26 02:03 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-08-26 02:03 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-08-26 02:03 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-08-26 02:03 <DIR> --d----- c:\program files\ffdshow
2009-08-19 16:01 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-18 17:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-18 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-18 00:30 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-18 00:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-18 00:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-17 23:47 <DIR> --d----- c:\program files\Trend Micro
2009-08-16 01:53 <DIR> --d----- C:\Mp3's
2009-08-12 17:17 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 17:17 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-08-12 17:17 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 17:17 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 17:17 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-08-12 17:17 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 17:16 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 17:15 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-09-09 16:27 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-16 23:41 2,855 a------- c:\windows\pif\ghost.PIF
2009-08-06 16:46 86,287 a------- c:\windows\system32\WinUpdateMan.exe
2009-08-06 13:48 16,384 a------- c:\windows\system32\Msdirectx.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-22 02:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-05-09 23:10 47,360 a------- c:\docume~1\admin\applic~1\pcouffin.sys
2008-07-25 01:09 10,240 a--sh--- c:\windows\rnapxs\rnapxs.dat
2008-07-18 04:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071820080719\index.dat

============= FINISH: 20:08:04.82 ===============

Attached Files


Edited by PropagandaPanda, 09 September 2009 - 08:39 PM.


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:20 AM

Posted 09 September 2009 - 08:43 PM

Hello.

1. Why did kaspersky say : C:\Program Files\Best Buy Games\Cake Mania 2\Super_Granny_3-setup.exe Infected: Trojan.Win32.Inject.tzf : was infected?

If this is a legit game that you purchased, then it's most likely a false positive. If you has illegally downloaded, I suggest you deleted.

2. I can disable my firewall but ca antivirus only allows me to "snooze" my antivirus, is this ok for scans when you request i "temporarily" disable them?

Yes, that should suffice.

4.What exactly looked better in my last post?

By that I mean the leftovers of the infection was removed.

--
Please delete these two files manually.
C:\WINDOWS\icon_TMP\setup.bat
C:\WINDOWS\system32\WinUpdateMan.exe

Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

    Posted Image
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Please now re-enable your protection.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

Edited by PropagandaPanda, 09 September 2009 - 08:43 PM.


#11 hawkus1

hawkus1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:20 AM

Posted 09 September 2009 - 10:27 PM

Thanx pp

Followed your post , i'm assuming we are 99.9% sure im uninfected now correct? :thumbup2:

If so I really wanted to thank you for the help. If i could via star trek transporter , A dozen fresh glazed donuts whould be beaming into your home right now!

What should i do if i still run into problems down the road though regarding this issue , should i post a new topic or ?????

But again thanx 4 the help
hawkus1

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:20 AM

Posted 10 September 2009 - 06:42 AM

Glad we could help.

There's no way to be absolutely sure, but I'd say I'm 90% sure based on your latest logs.

In the future, please start a new topic (unless you happen to discover that I missed something in the next few days).

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users