
Google redirect (to clicksearch) - think I fixed it (?)


  • This topic is locked
22 replies to this topic

#1 wu88
  • Members
  • 12 posts

Posted 15 December 2009 - 08:56 PM

Hello, found this similar topic:
http://www.bleepingcomputer.com/forums/lof...hp/t227617.html

and ran MBAM; things seem to be clean, mind taking a look at the log? Basically I search for something on Google and get redirected to random sites when I click on a result. My MBAM ran with no problems. I have added the DDS log below as well as the Security Check and MBAM before-and-after logs. 2 files uploaded

-------------------DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Nick at 21:12:18.75 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.490 [GMT -6:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [BJPD HID Control] "c:\program files\canon\bjpv\TVMon.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: ebay.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.mpix.com/customer/uploading/activex/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119915679578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} - hxxp://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://insite.mhhs.org/MHHS_Portal_Login_09.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-2-19 213520]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-10-6 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-8-5 93872]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-7-29 208616]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2009-9-7 1012040]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-10-4 69936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-9 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [2005-10-11 17432]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\nick\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-6-27 70144]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;c:\windows\system32\drivers\bjhid2.sys [2005-6-28 6528]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2006-8-11 49399]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 477696]

=============== Created Last 30 ================

2009-12-16 03:03:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-16 03:03:47 411368 ----a-w- c:\windows\system32\REN4D.tmp
2009-12-16 00:13:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-16 02:52:21 5140 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-16 02:52:21 1187872 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-16 01:12:57 5798944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-16 01:12:57 46384 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 20:27:05 2465 ----a-w- C:\imat.exe
2009-09-30 20:26:49 2466 ----a-w- C:\mtlff.exe
2009-09-21 23:45:30 15688 ----a-w- c:\windows\system32\lsdelete.exe

============= FINISH: 21:15:02.17 ===============


---------------------Security Check:

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Kaspersky Anti-Virus 2009
Kaspersky Anti-Virus 2009
VIPRE Antivirus + Antispyware
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
VIPRE Antivirus + Antispyware
HijackThis 2.0.2
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


------------------------and MBAM 1st:----------------------------
Malwarebytes' Anti-Malware 1.42
Database version: 3370
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/15/2009 5:42:00 PM
mbam-log-2009-12-15 (17-42-00).txt

Scan type: Quick Scan
Objects scanned: 155476
Time elapsed: 13 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Nick\Local Settings\temp\20.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\vfulg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\mqhimp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\nqxbk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\rmeprraf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\yonm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\xrwy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\rlswn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



------------------------and MBAM ran 2nd time:----------------------------
Malwarebytes' Anti-Malware 1.42
Database version: 3370
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/15/2009 6:04:33 PM
mbam-log-2009-12-15 (18-04-33).txt

Scan type: Quick Scan
Objects scanned: 154598
Time elapsed: 13 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


- Also uninstalled/reinstalled Adobe Acrobat Reader and Java (had older versions)

Anything else I should do? This is a great site, has helped me out greatly in the past - thank you very much!

Nick

Edited by wu88, 15 December 2009 - 10:40 PM.
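The two logs in this post line up in a way worth checking by script rather than by eye: MBAM quarantined several short, randomly named .exe files sitting directly in C:\ (Trojan.Downloader), and the DDS "Find3M" section still lists two more of the same shape (C:\imat.exe and C:\mtlff.exe, about 2.4 KB each) that MBAM did not touch. The Python below is an added example, not part of the original thread and not code from DDS, MBAM or BleepingComputer: it parses the DDS file lines and the MBAM "Files Infected" lines quoted above (the excerpts are copied from this post, trimmed to a few lines), summarizes the MBAM detections by family, and flags any executable in a drive root that is not already on the quarantine list. The function names (parse_dds, parse_mbam, summarize_mbam, flag_root_executables) and the "executable directly in the drive root is suspicious" heuristic are my own assumptions for the example, not rules from either tool.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Log excerpts copied from the first post above: four "Find3M" lines from the
# DDS log and three "Files Infected" lines from the first MBAM log. They are
# the real lines from the thread, trimmed to keep the example short.
DDS_FIND3M = r"""
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 20:27:05 2465 ----a-w- C:\imat.exe
2009-09-30 20:26:49 2466 ----a-w- C:\mtlff.exe
2009-09-21 23:45:30 15688 ----a-w- c:\windows\system32\lsdelete.exe
"""

MBAM_FILES_INFECTED = r"""
C:\Documents and Settings\Nick\Local Settings\temp\20.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\vfulg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\mqhimp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# DDS file line: "<date> <time> <size> <8 attribute flags> <path>"
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# MBAM file line: "<path> (<detection name>) -> <action taken>"
MBAM_LINE = re.compile(r"^(.+?) \(([^)]+)\) -> (.+)$")
# Executable sitting directly in a drive root, e.g. C:\imat.exe (assumed heuristic)
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class DdsEntry:
    date: str
    time: str
    size: int
    attrs: str
    path: str


def parse_dds(text: str) -> List[DdsEntry]:
    """Parse DDS 'Created Last 30' / 'Find3M' file lines into DdsEntry records."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            entries.append(DdsEntry(m.group(1), m.group(2), int(m.group(3)),
                                    m.group(4), m.group(5)))
    return entries


def parse_mbam(text: str) -> Dict[str, str]:
    """Map each path MBAM acted on (lower-cased, since NTFS paths are
    case-insensitive) to the detection name it reported."""
    found = {}
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def summarize_mbam(quarantined: Dict[str, str]) -> Counter:
    """Count MBAM detections per family, e.g. how many Trojan.Downloader hits."""
    return Counter(quarantined.values())


def flag_root_executables(entries: List[DdsEntry],
                          quarantined: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (path, size) for executables directly in a drive root that MBAM
    did not already quarantine. Legitimate installers rarely drop .exe files
    into C:\ itself, and the files MBAM removed in this thread were exactly
    that shape, so leftovers of the same shape deserve a manual look."""
    flagged = []
    for e in entries:
        if ROOT_EXE.match(e.path) and e.path.lower() not in quarantined:
            flagged.append((e.path, e.size))
    return flagged


if __name__ == "__main__":
    entries = parse_dds(DDS_FIND3M)
    quarantined = parse_mbam(MBAM_FILES_INFECTED)
    for family, count in summarize_mbam(quarantined).items():
        print(f"MBAM removed {count} x {family}")
    for path, size in flag_root_executables(entries, quarantined):
        print(f"review: {path} ({size} bytes) - not in MBAM quarantine list")
```

Run against the full logs rather than the excerpts, the same script would also surface any root-level executable in the "Created Last 30" section; the point of keeping the quarantine list as a lookup is that a second MBAM pass (like the clean second scan in this post) should only ever shrink the flagged list, never hide a leftover that was never detected.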




#2 wu88
  • Topic Starter
  • Members
  • 12 posts

Posted 15 December 2009 - 09:56 PM

OK, it came back, redirecting sites from Google. Here is the HijackThis log as well...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:37 PM, on 12/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [BJPD HID Control] "C:\Program Files\Canon\BJPV\TVMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [2Wire Wireless Manager] "C:\Program Files\2Wire Wireless Manager\2Wire.exe" -a
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.mpix.com/customer/uploading/act...geUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119915679578
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} (MHHS_Login Control 2009) - https://insite.mhhs.org/MHHS_Portal_Login_09.cab
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader57.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10211 bytes

#3 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,090 posts
  • Gender: Female
  • Location: Romania

Posted 28 December 2009 - 02:12 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient, and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 wu88 (Topic Starter, Members, 12 posts)

Posted 29 December 2009 - 11:05 PM

Hello Elise,

Thank you for the reply! I ran ComboFix last week and the redirect seems to be fixed right now, but it seems like my machine is working sloooow. I would appreciate any feedback you might have.

DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Nick at 17:02:01.76 on Tue 12/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.635 [GMT -6:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [BJPD HID Control] "c:\program files\canon\bjpv\TVMon.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: ebay.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.mpix.com/customer/uploading/activex/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119915679578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} - hxxp://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://insite.mhhs.org/MHHS_Portal_Login_09.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-2-19 213520]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-10-6 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-8-5 93872]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-7-29 208616]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2009-9-7 1012040]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-10-4 69936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-9 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [2005-10-11 17432]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\nick\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\nick\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;c:\windows\system32\drivers\bjhid2.sys [2005-6-28 6528]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2006-8-11 49399]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 477696]

=============== Created Last 30 ================

2009-12-20 17:19:59 77312 ----a-w- c:\windows\MBR.exe
2009-12-20 17:19:59 261632 ----a-w- c:\windows\PEV.exe
2009-12-20 17:19:59 161792 ----a-w- c:\windows\SWREG.exe
2009-12-20 17:19:58 98816 ----a-w- c:\windows\sed.exe
2009-12-16 03:03:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-16 00:13:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-27 22:30:29 5224 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-27 22:30:28 5798944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-27 22:30:28 46384 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-27 22:30:28 1212448 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-16 03:03:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-30 20:32:15 13961 ----a-w- c:\program files\common files\ipol.sys

============= FINISH: 17:03:04.12 ===============

ATTACH:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/27/2005 6:35:51 PM
System Uptime: 12/29/2009 4:45:23 PM (1 hours ago)

Motherboard: Dell Inc. | | 0M3918
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 4.973 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is FIXED (FAT32) - 75 GiB total, 34.464 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP8: 9/30/2009 3:27:08 PM - System Checkpoint
RP9: 9/30/2009 3:27:09 PM - Software Distribution Service 3.0
RP10: 9/30/2009 3:27:09 PM - System Checkpoint
RP11: 9/30/2009 3:27:10 PM - System Checkpoint
RP12: 9/30/2009 3:27:11 PM - System Checkpoint
RP13: 9/30/2009 3:27:13 PM - System Checkpoint
RP14: 9/30/2009 3:27:14 PM - System Checkpoint
RP15: 9/30/2009 3:27:16 PM - System Checkpoint
RP16: 9/30/2009 3:27:17 PM - System Checkpoint
RP17: 9/30/2009 3:27:18 PM - System Checkpoint
RP18: 9/30/2009 3:27:18 PM - System Checkpoint
RP19: 9/30/2009 3:27:19 PM - System Checkpoint
RP20: 9/30/2009 3:27:19 PM - Software Distribution Service 3.0
RP21: 9/30/2009 3:27:20 PM - System Checkpoint
RP22: 9/30/2009 3:27:20 PM - System Checkpoint
RP23: 9/30/2009 3:27:21 PM - Installed 2WIRE Wireless LAN - USB Driver
RP24: 9/30/2009 3:27:21 PM - Installed 2Wire Wireless Manager.
RP25: 9/30/2009 3:27:21 PM - System Checkpoint
RP26: 9/30/2009 3:27:21 PM - System Checkpoint
RP27: 9/30/2009 3:27:21 PM - System Checkpoint
RP28: 9/30/2009 3:27:22 PM - System Checkpoint
RP29: 9/30/2009 3:27:22 PM - System Checkpoint
RP30: 9/30/2009 3:27:22 PM - System Checkpoint
RP31: 9/30/2009 3:27:22 PM - Software Distribution Service 3.0
RP32: 9/30/2009 3:27:23 PM - System Checkpoint
RP33: 9/30/2009 3:27:23 PM - System Checkpoint
RP34: 9/30/2009 3:27:24 PM - System Checkpoint
RP35: 9/30/2009 3:27:25 PM - System Checkpoint
RP36: 9/30/2009 3:27:26 PM - System Checkpoint
RP37: 9/30/2009 3:27:28 PM - System Checkpoint
RP38: 9/30/2009 3:27:32 PM - Installed Java™ 6 Update 15
RP39: 9/30/2009 3:27:34 PM - System Checkpoint
RP40: 9/30/2009 3:27:35 PM - System Checkpoint
RP41: 9/30/2009 3:27:41 PM - System Checkpoint
RP42: 9/30/2009 3:27:43 PM - Software Distribution Service 3.0
RP43: 9/30/2009 3:27:44 PM - Software Distribution Service 3.0
RP44: 9/30/2009 3:27:46 PM - System Checkpoint
RP45: 9/30/2009 3:27:49 PM - System Checkpoint
RP46: 9/30/2009 3:27:51 PM - System Checkpoint
RP47: 9/30/2009 3:27:53 PM - System Checkpoint
RP48: 9/30/2009 3:27:54 PM - System Checkpoint
RP49: 9/30/2009 3:27:54 PM - System Checkpoint
RP50: 9/30/2009 3:27:57 PM - System Checkpoint
RP51: 9/30/2009 3:27:58 PM - System Checkpoint
RP52: 9/30/2009 3:28:00 PM - System Checkpoint
RP53: 9/30/2009 3:28:01 PM - Software Distribution Service 3.0
RP54: 9/30/2009 3:28:02 PM - System Checkpoint
RP55: 9/30/2009 3:28:04 PM - System Checkpoint
RP56: 9/30/2009 3:28:05 PM - System Checkpoint
RP57: 9/30/2009 3:28:06 PM - System Checkpoint
RP58: 9/30/2009 3:28:07 PM - System Checkpoint
RP59: 9/30/2009 3:28:07 PM - System Checkpoint
RP60: 9/30/2009 3:28:08 PM - System Checkpoint
RP61: 9/30/2009 3:28:09 PM - System Checkpoint
RP62: 9/30/2009 3:28:11 PM - System Checkpoint
RP63: 9/30/2009 3:28:12 PM - Software Distribution Service 3.0
RP64: 9/30/2009 3:28:13 PM - System Checkpoint
RP65: 9/30/2009 3:28:14 PM - System Checkpoint
RP66: 9/30/2009 3:28:15 PM - System Checkpoint
RP67: 9/30/2009 3:28:16 PM - System Checkpoint
RP68: 9/30/2009 3:28:16 PM - System Checkpoint
RP69: 9/30/2009 3:28:17 PM - System Checkpoint
RP70: 9/30/2009 3:28:18 PM - System Checkpoint
RP71: 9/30/2009 3:28:18 PM - System Checkpoint
RP72: 9/30/2009 3:28:19 PM - System Checkpoint
RP73: 9/30/2009 3:28:20 PM - System Checkpoint
RP74: 9/30/2009 3:28:21 PM - System Checkpoint
RP75: 9/30/2009 3:28:21 PM - Removed Java™ 6 Update 13
RP76: 9/30/2009 3:28:23 PM - Installed Java™ 6 Update 16
RP77: 10/1/2009 7:12:16 PM - System Checkpoint
RP78: 10/2/2009 8:40:01 PM - System Checkpoint
RP79: 10/4/2009 5:38:33 AM - System Checkpoint
RP80: 10/4/2009 10:53:42 AM - Installed VIPRE Antivirus + Antispyware.
RP81: 10/5/2009 11:05:17 AM - System Checkpoint
RP82: 10/6/2009 12:59:02 PM - Removed VIPRE Antivirus + Antispyware.
RP83: 10/6/2009 12:58:43 PM - Software Distribution Service 3.0
RP84: 10/7/2009 1:57:37 PM - System Checkpoint
RP85: 10/8/2009 3:15:18 PM - System Checkpoint
RP86: 10/9/2009 4:17:52 PM - System Checkpoint
RP87: 10/10/2009 4:18:49 PM - System Checkpoint
RP88: 10/11/2009 3:21:39 PM - Installed Windows XP -- Software Updates KB952011.
RP89: 10/11/2009 7:08:19 PM - Printer Driver CutePDF Writer Installed
RP90: 10/12/2009 7:51:30 PM - System Checkpoint
RP91: 10/14/2009 4:00:59 PM - System Checkpoint
RP92: 10/14/2009 5:13:20 PM - Software Distribution Service 3.0
RP93: 10/15/2009 6:30:34 PM - System Checkpoint
RP94: 10/16/2009 8:01:16 PM - System Checkpoint
RP95: 10/18/2009 2:33:19 PM - System Checkpoint
RP96: 10/19/2009 2:45:45 PM - System Checkpoint
RP97: 10/20/2009 3:33:40 PM - System Checkpoint
RP98: 10/21/2009 3:48:25 PM - System Checkpoint
RP99: 10/22/2009 4:15:31 PM - System Checkpoint
RP100: 10/23/2009 6:10:45 PM - System Checkpoint
RP101: 10/25/2009 11:10:36 AM - System Checkpoint
RP102: 10/26/2009 11:41:35 AM - System Checkpoint
RP103: 10/27/2009 12:17:15 PM - System Checkpoint
RP104: 10/28/2009 1:47:51 PM - System Checkpoint
RP105: 10/29/2009 2:13:56 PM - System Checkpoint
RP106: 10/30/2009 3:21:03 PM - System Checkpoint
RP107: 11/1/2009 1:02:49 PM - System Checkpoint
RP108: 11/2/2009 2:49:42 PM - System Checkpoint
RP109: 11/3/2009 3:03:05 PM - System Checkpoint
RP110: 11/4/2009 5:22:06 PM - System Checkpoint
RP111: 11/4/2009 11:20:44 PM - Software Distribution Service 3.0
RP112: 11/6/2009 2:56:58 PM - System Checkpoint
RP113: 11/7/2009 4:59:56 PM - System Checkpoint
RP114: 11/9/2009 9:15:27 AM - System Checkpoint
RP115: 11/9/2009 5:12:18 PM - Installed Java™ 6 Update 17
RP116: 11/10/2009 6:38:38 PM - System Checkpoint
RP117: 11/10/2009 9:49:02 PM - Software Distribution Service 3.0
RP118: 11/12/2009 5:55:37 PM - System Checkpoint
RP119: 11/14/2009 11:22:21 AM - System Checkpoint
RP120: 11/15/2009 12:15:34 PM - System Checkpoint
RP121: 11/16/2009 6:09:51 PM - System Checkpoint
RP122: 11/18/2009 5:45:49 PM - System Checkpoint
RP123: 11/19/2009 6:10:25 PM - System Checkpoint
RP124: 11/21/2009 10:03:35 AM - System Checkpoint
RP125: 11/23/2009 5:30:30 PM - System Checkpoint
RP126: 11/24/2009 7:34:37 PM - System Checkpoint
RP127: 11/25/2009 4:51:51 PM - Software Distribution Service 3.0
RP128: 11/26/2009 8:02:53 PM - System Checkpoint
RP129: 11/28/2009 1:04:54 PM - System Checkpoint
RP130: 11/29/2009 1:09:55 PM - System Checkpoint
RP131: 12/1/2009 7:59:06 PM - System Checkpoint
RP132: 12/2/2009 8:26:06 PM - System Checkpoint
RP133: 12/3/2009 8:43:17 PM - System Checkpoint
RP134: 12/5/2009 3:13:18 PM - System Checkpoint
RP135: 12/6/2009 4:17:43 PM - System Checkpoint
RP136: 12/7/2009 5:21:42 PM - System Checkpoint
RP137: 12/9/2009 5:45:07 PM - System Checkpoint
RP138: 12/10/2009 6:28:10 PM - System Checkpoint
RP139: 12/10/2009 8:30:31 PM - Software Distribution Service 3.0
RP140: 12/12/2009 6:00:59 PM - System Checkpoint
RP141: 12/13/2009 6:19:30 PM - System Checkpoint
RP142: 12/15/2009 5:47:48 PM - Removed Adobe Reader 8.1.2
RP143: 12/15/2009 5:49:41 PM - Removed Java™ 6 Update 16
RP144: 12/15/2009 6:13:32 PM - Software Distribution Service 3.0
RP145: 12/15/2009 9:02:56 PM - Installed Java™ 6 Update 17
RP146: 12/17/2009 7:07:01 AM - System Checkpoint
RP147: 12/17/2009 8:10:26 PM - Installed Adobe Reader 9.2.
RP148: 12/20/2009 12:03:49 PM - System Checkpoint
RP149: 12/21/2009 7:35:43 PM - System Checkpoint
RP150: 12/22/2009 8:22:38 PM - System Checkpoint

==== Installed Programs ======================

2WIRE Wireless LAN - USB Driver
2Wire Wireless Manager
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
AIM 6
AOLIcon
Apple Mobile Device Support
Apple Software Update
ArcSoft Camera Suite
ArcSoft PhotoStudio 5.5
AT&T U-verse Setup
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon CanoScan Toolbox 4.5
Canon i900D
Canon Photo Viewer
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Citrix Web Client
CutePDF Writer 2.8
Dell Driver Reset Tool
Dell System Restore
Dragon NaturallySpeaking Components
Dual Mode Digital Camera 5.0M
DVD Shrink 3.2
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Image Resizer Powertoy for Windows XP
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-09-06
iPod for Windows 2006-01-10
iTunes
Java™ 6 Update 17
Kaspersky Anti-Virus 2009
Logitech Harmony Remote Software 7
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia Flash Player
Macromedia FreeHand MXa
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Manual CanoScan LiDE 35
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft VC9 runtime libraries
MobileMe Control Panel
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero PhotoShow Express
Nero Suite
NeroMIX
OmniPage SE 2.0
Photo Click
PhotoStitch
Picasa 3
PowerDVD 5.5
Professional Resumes Quick & Easy
QuickTime
RAW Image Task
RealPlayer Basic
Remote Control USB Driver
RemoteCapture Task 1.0.1
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SmartFTP Client
SmartFTP Client 2.0 Setup Files (remove only)
Stomp Backup MyPC
TaxACT 2005
TaxACT 2006
TaxACT 2007
TaxACT 2008
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VIPRE Antivirus + Antispyware
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Voice Studio
WD Diagnostics
WebFldrs XP
WebICE
Winamp
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

12/29/2009 4:47:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
12/27/2009 4:17:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
12/27/2009 4:17:49 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/22/2009 8:00:14 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
12/22/2009 7:59:21 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
12/22/2009 7:51:46 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
12/22/2009 7:51:46 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL. Reference error message: The operation completed successfully. .
12/22/2009 7:51:46 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
12/22/2009 7:51:43 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
12/22/2009 7:50:58 PM, error: Service Control Manager [7000] - The IC Recorder Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

==== End Of File ===========================



I downloaded GMER and it would not run without locking up my computer (I tried it in Safe Mode as well). Is there an alternate scan that I could run to post results? I just got back from holiday, so I should be replying to any responses much more quickly than this one. Thanks again!
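A triage helper for the DDS log posted above, added here as an example; it is not a tool from BleepingComputer, DDS, Kaspersky or any other vendor named in the log. It parses the SERVICES / DRIVERS section and raises a few cheap, explainable flags: the image file is missing from disk (DDS prints `[?]`), the image lives under a user-writable directory, a boot- or system-start driver loads from somewhere other than system32\drivers, or the display name merely repeats a short, opaque service name. The sample lines are constructed to match the format of this thread's log (the paths are taken from it); the function names, flag wording and the list of user-writable directories are this example's own assumptions.

```python
"""Triage of DDS 'SERVICES / DRIVERS' lines.

Added example for this thread, not a tool from BleepingComputer or DDS.
It ranks each service/driver line on cheap signals so a reviewer knows
which entries to look up first. Flag names, directory markers and the
sample input are this example's own choices (assumptions, not DDS output).
"""
import re

# One DDS line: <R|S><start type> <name>;<display name>;<image path>[ --> <resolved path>] [<date size> | ?]
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<resolved>.*?))?"
    r"\s+\[(?P<info>[^\]]*)\]\s*$"
)

FLAG_MISSING = "image not found on disk ([?] in DDS)"
FLAG_USER_WRITABLE = "image under a user-writable directory"
FLAG_EARLY_START_ODD_PATH = "boot/system-start driver outside system32\\drivers"
FLAG_OPAQUE_NAME = "display name just repeats the service name; look up the publisher"

# Directories an unprivileged XP user can write to (assumed list); a driver loaded from here needs a look.
USER_WRITABLE_MARKERS = (
    "\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\local settings\\",
)


def parse_service(line):
    """Return the fields of one DDS service/driver line as a dict, or None if the line is not one."""
    m = DDS_SERVICE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_service(rec):
    """Return the flags raised for one parsed line; an empty list means nothing cheap to say."""
    path = (rec["resolved"] or rec["path"]).lower()   # prefer the path DDS resolved
    flags = []
    if rec["info"].strip() == "?":
        flags.append(FLAG_MISSING)
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        flags.append(FLAG_USER_WRITABLE)
    if rec["start"] in ("0", "1") and "\\system32\\drivers\\" not in path:
        flags.append(FLAG_EARLY_START_ODD_PATH)
    name = rec["name"].strip()
    # Short all-lowercase name with an identical display name: a prompt to identify the publisher, not a verdict.
    if (name.lower() == rec["display"].strip().lower()
            and name.isalpha() and name.islower() and len(name) >= 6):
        flags.append(FLAG_OPAQUE_NAME)
    return flags


def triage_log(text):
    """Map service name -> flags for every line in the text that raised at least one flag."""
    result = {}
    for line in text.splitlines():
        rec = parse_service(line)
        if rec is None:
            continue
        flags = triage_service(rec)
        if flags:
            result[rec["name"].strip()] = flags
    return result


# Constructed sample in DDS format; the lines mirror entries from the log posted in this thread.
SAMPLE_DDS_SERVICES = r"""
============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-10-6 13360]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\nick\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\nick\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2006-8-11 49399]
"""

if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_DDS_SERVICES).items():
        print(name)
        for flag in flags:
            print("   -", flag)
```

Run against the sample it singles out Lbd, whose missing image the attach.txt Event Viewer section confirms independently ("failed to load: Lbd"), the F-Secure minifilter still registered from a temp folder (a leftover of the F-Secure online scanner listed in the DPF entries, not by itself an infection), and two drivers whose names say nothing about their publisher. That last flag is a prompt to look the file up, not a verdict: sbaphd.sys sits next to the other sb-prefixed drivers of the Sunbelt VIPRE service in the same list. Two limits are worth keeping in mind. Path heuristics cannot see a legitimate driver that was patched in place, which is exactly what the ComboFix output later in this thread reports for atapi.sys; that needs a hash or byte comparison against a known-good copy. And if you extend the idea to the "Created Last 30" section, the four executables dated 2009-12-20 in c:\windows (MBR.exe, PEV.exe, SWREG.exe, sed.exe) are ComboFix's own helpers from the run the poster mentions, not droppers.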

#5 Elise (Malware Study Hall Admin, 61,090 posts, Romania)

Posted 30 December 2009 - 03:26 AM

Hello wu88,

Can you please post me the log you will find at c:\combofix.txt

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

regards, Elise




#6 wu88 (Topic Starter, Members, 12 posts)

Posted 30 December 2009 - 07:25 AM

Sure, here it is:

ComboFix 09-12-19.03 - Nick 12/20/2009 11:32:44.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.694 [GMT -6:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\otahuvad.vbs
c:\documents and settings\Cris\My Documents\ZbThumbnail.info
c:\documents and settings\Nick\Cookies\etakyxipof.ban
c:\documents and settings\Nick\Cookies\jubixucu.bat
c:\documents and settings\Nick\Cookies\oxyteh.pif
c:\documents and settings\Nick\Local Settings\Temporary Internet Files\came.dl
c:\documents and settings\Nick\Local Settings\Temporary Internet Files\metukuk.inf
c:\documents and settings\Nick\Local Settings\Temporary Internet Files\xyreheryn.db
C:\imat.exe
C:\mtlff.exe
c:\program files\Common Files\luhodux.vbs
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\arugyty.dll
c:\windows\ewajakem.exe
c:\windows\okojosofu.dll
c:\windows\ovuwyb.scr
c:\windows\qylagecu.vbs
c:\windows\uzazevo._sy
G:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-18 02:12 . 2009-12-18 02:12 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-12-18 02:05 . 2009-12-18 02:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-16 00:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-15 23:49 . 2009-12-15 23:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 18:12 . 2009-02-20 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-20 17:45 . 2009-02-20 03:18 5798944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-20 17:45 . 2009-02-20 03:18 5224 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-20 17:45 . 2009-02-20 03:18 46384 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-20 17:45 . 2009-02-20 03:18 1212448 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-19 20:36 . 2009-08-31 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-19 20:35 . 2007-02-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-18 02:11 . 2005-06-28 21:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-18 02:04 . 2009-12-18 02:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-16 03:03 . 2009-06-27 15:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 03:03 . 2005-06-21 22:46 -------- d-----w- c:\program files\Java
2009-12-16 03:01 . 2009-11-09 23:10 152576 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-16 03:01 . 2009-12-16 03:01 79488 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-15 23:27 . 2009-09-30 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 23:27 . 2009-12-15 23:27 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-08 00:45 . 2009-09-21 23:45 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-03 22:51 . 2006-01-27 03:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Canon
2009-12-03 22:14 . 2009-09-30 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-09-30 20:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2009-12-18 02:05 38784 ----a-w- c:\documents and settings\Nick\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-20 11:08 . 2009-12-18 02:05 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 22:47 . 2009-11-14 22:47 -------- d-----w- c:\program files\mhhs_portal
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 11:45 . 2009-10-29 11:45 999424 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICE_ME12300.dll
2009-10-29 11:45 . 2009-10-29 11:45 89160 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICERTDServer.dll
2009-10-29 11:45 . 2009-10-29 11:45 291104 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\corojdk11.dll
2009-10-29 11:45 . 2009-10-29 11:45 221184 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\j2cnfg.exe
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 23:45 . 2009-06-22 23:48 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-15 22:17 . 2009-02-20 03:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-15 22:17 . 2009-02-20 03:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-30 20:32 . 2009-09-30 20:32 17419 ----a-w- c:\windows\olyx.com
2009-09-30 20:32 . 2009-09-30 20:32 14058 ----a-w- c:\documents and settings\All Users\Application Data\ibisakira.bin
2009-09-30 20:32 . 2009-09-30 20:32 13961 ----a-w- c:\program files\Common Files\ipol.sys
2009-09-30 20:32 . 2009-09-30 20:32 12997 ----a-w- c:\documents and settings\All Users\Application Data\yfyzul.scr
2009-09-30 20:32 . 2009-09-30 20:32 12997 ----a-w- c:\documents and settings\All Users\Application Data\yfyzul.scr
2009-09-30 20:32 . 2009-09-30 20:32 11814 ----a-w- c:\documents and settings\All Users\Application Data\gowisukoga.bin
2009-09-30 20:32 . 2009-09-30 20:32 10663 ----a-w- c:\windows\system32\gyvamyx.exe
2009-09-30 20:32 . 2009-09-30 20:32 11579 ----a-w- c:\documents and settings\All Users\Application Data\sogab.sys
2009-09-30 20:32 . 2009-09-30 20:32 11579 ----a-w- c:\documents and settings\All Users\Application Data\sogab.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-21 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2003-06-25 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-09-07 959784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-27 17:17 1381376 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/16/2009 6:46 PM 64160]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [10/6/2009 11:57 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/5/2009 2:58 PM 93872]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1028432]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [9/7/2009 1:02 PM 1012040]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [10/4/2009 10:03 AM 69936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2007 8:14 AM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [10/11/2005 9:08 AM 17432]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;c:\windows\system32\drivers\bjhid2.sys [6/28/2005 1:51 PM 6528]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [8/11/2006 7:30 AM 49399]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 4:44 AM 477696]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: ebay.com\www
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://insite.mhhs.org/MHHS_Portal_Login_09.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 12:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\07\06\19\13\10,"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1356)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-12-20 12:20:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 18:20
ComboFix2.txt 2009-06-27 12:33

Pre-Run: 4,225,335,296 bytes free
Post-Run: 5,104,185,344 bytes free

- - End Of File - - A78DBB4A24FA5704F868CAAF1986CDE9



thanks,


Nick

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,090 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:31 PM

Posted 30 December 2009 - 09:20 AM

Hello wu88,

You had quite some nasty stuff there, please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Before continuing, make sure you delete any old copy of Combofix you still might have!!

Download a new copy from the following link:
Bleepingcomputer

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\olyx.com
c:\documents and settings\All Users\Application Data\ibisakira.bin
c:\program files\Common Files\ipol.sys
c:\documents and settings\All Users\Application Data\yfyzul.scr
c:\documents and settings\All Users\Application Data\gowisukoga.bin
c:\windows\system32\gyvamyx.exe
c:\documents and settings\All Users\Application Data\sogab.sys
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


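The seven paths in the File:: list above are exactly the entries in the posted Find3M report that share one creation minute and a small size. As an added example (not code from this thread, from ComboFix or from the helper), the script below automates that triage: it parses Find3M-style lines, copied here from the log wu88 posted, and groups small, never-modified files by their timestamp pair. The clustering heuristic and the 32 KB size threshold are this example's own assumptions.

```python
"""Cluster ComboFix Find3M entries by timestamp to surface dropper output.

Sample lines are copied from the ComboFix log posted in this thread; the
clustering heuristic below is this example's own, not ComboFix's.
"""
import re
from collections import defaultdict

# Find3M / "Files Created" line layout:
#   <timestamp1> . <timestamp2> <size or dashes> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)

# Constructed sample: a subset of the Find3M report from the log above,
# including the two duplicated lines ComboFix printed for yfyzul.scr and sogab.sys.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 04:14 . 2009-02-20 03:18 5224 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-18 02:05 . 2009-12-18 02:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-16 03:01 . 2009-11-09 23:10 152576 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-03 22:14 . 2009-09-30 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 11:45 . 2009-10-29 11:45 999424 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICE_ME12300.dll
2009-10-29 11:45 . 2009-10-29 11:45 89160 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICERTDServer.dll
2009-10-29 11:45 . 2009-10-29 11:45 291104 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\corojdk11.dll
2009-10-29 11:45 . 2009-10-29 11:45 221184 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\j2cnfg.exe
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-09-30 20:32 . 2009-09-30 20:32 17419 ----a-w- c:\windows\olyx.com
2009-09-30 20:32 . 2009-09-30 20:32 14058 ----a-w- c:\documents and settings\All Users\Application Data\ibisakira.bin
2009-09-30 20:32 . 2009-09-30 20:32 13961 ----a-w- c:\program files\Common Files\ipol.sys
2009-09-30 20:32 . 2009-09-30 20:32 12997 ----a-w- c:\documents and settings\All Users\Application Data\yfyzul.scr
2009-09-30 20:32 . 2009-09-30 20:32 12997 ----a-w- c:\documents and settings\All Users\Application Data\yfyzul.scr
2009-09-30 20:32 . 2009-09-30 20:32 11814 ----a-w- c:\documents and settings\All Users\Application Data\gowisukoga.bin
2009-09-30 20:32 . 2009-09-30 20:32 10663 ----a-w- c:\windows\system32\gyvamyx.exe
2009-09-30 20:32 . 2009-09-30 20:32 11579 ----a-w- c:\documents and settings\All Users\Application Data\sogab.sys
2009-09-30 20:32 . 2009-09-30 20:32 11579 ----a-w- c:\documents and settings\All Users\Application Data\sogab.sys
.
"""


def parse_entries(text):
    """Parse ComboFix file-report lines; directories (size shown as dashes) get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, "." separators, blank lines
        size = m.group("size")
        entries.append({
            "ts1": m.group("ts1"),
            "ts2": m.group("ts2"),
            "size": None if size.startswith("-") else int(size),
            "attrs": m.group("attrs"),
            "path": m.group("path").strip().lower(),
        })
    return entries


def timestamp_clusters(entries, min_files=3, max_size=32768):
    """Return {timestamp: [paths]} for groups of small files written in one minute.

    Heuristic (this example's assumption): a dropper writes its payload files
    within the same minute, so they share one timestamp pair and are never
    modified afterwards.  Directories, large files and entries whose two
    timestamps differ are ignored; duplicate log lines collapse into one path.
    """
    by_stamp = defaultdict(set)
    for e in entries:
        if e["size"] is None or e["size"] > max_size:
            continue
        if e["ts1"] != e["ts2"]:
            continue
        by_stamp[e["ts1"]].add(e["path"])
    return {stamp: sorted(paths) for stamp, paths in by_stamp.items()
            if len(paths) >= min_files}


def suspicious_files(text, **kwargs):
    """Flatten every flagged cluster into one sorted list of paths."""
    clusters = timestamp_clusters(parse_entries(text), **kwargs)
    return sorted(p for paths in clusters.values() for p in paths)


if __name__ == "__main__":
    for stamp, paths in timestamp_clusters(parse_entries(SAMPLE_LOG)).items():
        print(f"{stamp}: {len(paths)} small files written in the same minute")
        for p in paths:
            print("   ", p)
```

The four Java cache DLLs share a timestamp too but are all well over the size threshold, which is why size is part of the filter; on a real log, review each cluster by hand before acting on it.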


#8 wu88

wu88
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:31 AM

Posted 30 December 2009 - 10:44 AM

here it is:

ComboFix 09-12-29.05 - Nick 12/30/2009 9:07.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.769 [GMT -6:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\documents and settings\All Users\Application Data\gowisukoga.bin"
"c:\documents and settings\All Users\Application Data\ibisakira.bin"
"c:\documents and settings\All Users\Application Data\sogab.sys"
"c:\documents and settings\All Users\Application Data\yfyzul.scr"
"c:\program files\Common Files\ipol.sys"
"c:\windows\olyx.com"
"c:\windows\system32\gyvamyx.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\gowisukoga.bin
c:\documents and settings\All Users\Application Data\ibisakira.bin
c:\documents and settings\All Users\Application Data\sogab.sys
c:\documents and settings\All Users\Application Data\yfyzul.scr
c:\program files\Common Files\ipol.sys
c:\windows\olyx.com
c:\windows\system32\gyvamyx.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-18 02:12 . 2009-12-18 02:12 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-12-18 02:05 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Nick\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-18 02:05 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-18 02:05 . 2009-12-18 02:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-18 02:04 . 2009-12-18 02:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-16 03:01 . 2009-12-16 03:01 79488 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-16 00:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-15 23:49 . 2009-12-15 23:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-15 23:27 . 2009-12-15 23:27 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 12:08 . 2009-02-20 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-30 04:14 . 2009-02-20 03:18 5798944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-30 04:14 . 2009-02-20 03:18 5224 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-30 04:14 . 2009-02-20 03:18 46384 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-30 04:14 . 2009-02-20 03:18 1212448 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-27 22:24 . 2009-02-17 00:44 -------- d-----w- c:\program files\Lavasoft
2009-12-19 20:36 . 2009-08-31 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-19 20:35 . 2007-02-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-18 02:11 . 2005-06-28 21:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-16 03:03 . 2009-06-27 15:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 03:03 . 2005-06-21 22:46 -------- d-----w- c:\program files\Java
2009-12-16 03:01 . 2009-11-09 23:10 152576 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-15 23:27 . 2009-09-30 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:51 . 2006-01-27 03:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Canon
2009-12-03 22:14 . 2009-09-30 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-09-30 20:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 22:47 . 2009-11-14 22:47 -------- d-----w- c:\program files\mhhs_portal
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 11:45 . 2009-10-29 11:45 999424 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICE_ME12300.dll
2009-10-29 11:45 . 2009-10-29 11:45 89160 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICERTDServer.dll
2009-10-29 11:45 . 2009-10-29 11:45 291104 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\corojdk11.dll
2009-10-29 11:45 . 2009-10-29 11:45 221184 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\j2cnfg.exe
2009-10-29 07:45 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 22:17 . 2009-02-20 03:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-15 22:17 . 2009-02-20 03:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-21 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2003-06-25 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-09-07 959784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-27 17:17 1381376 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [10/6/2009 11:57 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/5/2009 2:58 PM 93872]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [9/7/2009 1:02 PM 1012040]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [10/4/2009 10:03 AM 69936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2007 8:14 AM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [10/11/2005 9:08 AM 17432]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;c:\windows\system32\drivers\bjhid2.sys [6/28/2005 1:51 PM 6528]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [8/11/2006 7:30 AM 49399]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 4:44 AM 477696]
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\User_Feed_Synchronization-{CECE5B46-3908-47D7-BCCA-09B95A830035}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: ebay.com\www
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://insite.mhhs.org/MHHS_Portal_Login_09.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 09:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\07\06\19\13\10,"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1352)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-30 09:16:59
ComboFix-quarantined-files.txt 2009-12-30 15:16

Pre-Run: 5,304,098,816 bytes free
Post-Run: 5,267,804,160 bytes free

- - End Of File - - 65EE7136B477BEEA43A8EA4DF6F5BE85


I very much appreciate the help. So are you saying that the computer was not secure until these last deletions?

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,090 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:31 PM

Posted 30 December 2009 - 11:08 AM

Hello,

So are you saying that the computer was not secure until these last deletions?

No, that's not the problem, however, these were vundo files and never good on your system :(
But you had also a nasty rootkit that leaves a vulnerability on your system that might or might not be exploited in the future.

Please click start > run, type notepad in the run box and press enter.
Copy/paste the text in the codebox below into Notepad and save it as export.bat to your desktop.
@echo off
regedit /e "export.txt" "HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD"
start export.txt
del %0
Exit Notepad and double-click on export.bat to run it. A text file (export.txt) will open. Please post its contents in your next reply.

Edited by elise025, 30 December 2009 - 11:08 AM.

regards, Elise




#10 wu88

wu88
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:31 AM

Posted 30 December 2009 - 11:10 AM

This is all it had:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD]

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,090 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:31 PM

Posted 30 December 2009 - 01:46 PM

Hello wu88,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD]
Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • Combofix.txt
  • MBAM log

regards, Elise




#12 wu88

wu88
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:31 AM

Posted 30 December 2009 - 05:15 PM

OK, here is the latest ComboFix:


ComboFix 09-12-29.05 - Nick 12/30/2009 13:37:30.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.743 [GMT -6:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-18 02:12 . 2009-12-18 02:12 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-12-18 02:05 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Nick\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-18 02:05 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-18 02:05 . 2009-12-18 02:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-18 02:04 . 2009-12-18 02:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-16 03:01 . 2009-12-16 03:01 79488 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-16 00:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-15 23:49 . 2009-12-15 23:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-15 23:27 . 2009-12-15 23:27 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 19:36 . 2009-02-20 03:18 1220640 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-30 19:35 . 2009-02-20 03:18 5252 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-30 15:20 . 2009-02-20 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-30 15:18 . 2009-02-20 03:18 5798944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-30 15:18 . 2009-02-20 03:18 46384 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-27 22:24 . 2009-02-17 00:44 -------- d-----w- c:\program files\Lavasoft
2009-12-19 20:36 . 2009-08-31 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-19 20:35 . 2007-02-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-18 02:11 . 2005-06-28 21:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-16 03:03 . 2009-06-27 15:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 03:03 . 2005-06-21 22:46 -------- d-----w- c:\program files\Java
2009-12-16 03:01 . 2009-11-09 23:10 152576 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-15 23:27 . 2009-09-30 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:51 . 2006-01-27 03:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Canon
2009-12-03 22:14 . 2009-09-30 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-09-30 20:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 22:47 . 2009-11-14 22:47 -------- d-----w- c:\program files\mhhs_portal
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 11:45 . 2009-10-29 11:45 999424 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICE_ME12300.dll
2009-10-29 11:45 . 2009-10-29 11:45 89160 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICERTDServer.dll
2009-10-29 11:45 . 2009-10-29 11:45 291104 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\corojdk11.dll
2009-10-29 11:45 . 2009-10-29 11:45 221184 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\j2cnfg.exe
2009-10-29 07:45 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 22:17 . 2009-02-20 03:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-15 22:17 . 2009-02-20 03:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-30_15.14.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-30 15:19 . 2009-12-30 15:19 16384 c:\windows\temp\Perflib_Perfdata_7b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-21 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2003-06-25 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-09-07 959784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-27 17:17 1381376 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [10/6/2009 11:57 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/5/2009 2:58 PM 93872]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [9/7/2009 1:02 PM 1012040]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [10/4/2009 10:03 AM 69936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2007 8:14 AM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [10/11/2005 9:08 AM 17432]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;c:\windows\system32\drivers\bjhid2.sys [6/28/2005 1:51 PM 6528]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [8/11/2006 7:30 AM 49399]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 4:44 AM 477696]
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\User_Feed_Synchronization-{CECE5B46-3908-47D7-BCCA-09B95A830035}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: ebay.com\www
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://insite.mhhs.org/MHHS_Portal_Login_09.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 13:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\07\06\19\13\10,"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-12-30 13:47:11
ComboFix-quarantined-files.txt 2009-12-30 19:47
ComboFix2.txt 2009-12-30 15:17

Pre-Run: 5,231,677,440 bytes free
Post-Run: 5,197,615,104 bytes free

- - End Of File - - 07CF470A89A9498DBBF6DEF433065071


and MBAM:

Malwarebytes' Anti-Malware 1.42
Database version: 3456
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/30/2009 4:13:00 PM
mbam-log-2009-12-30 (16-13-00).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 278431
Time elapsed: 53 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,090 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:31 PM

Posted 31 December 2009 - 02:36 AM

Hello wu88,

Well, that didn't work, so let's try it a bit differently this time. Please let me know how things are running now.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • Combofix.txt
  • ESET online scan results

regards, Elise




#14 wu88

wu88
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:31 AM

Posted 02 January 2010 - 09:28 AM

Happy New Year Elise! Apologies for the delayed response; I was out of town for a couple of days.

Here's the new combofix log (what is the latest script attempting to do?):


ComboFix 09-12-29.05 - Nick 01/02/2010 5:47.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.791 [GMT -6:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2009-12-18 02:12 . 2009-12-18 02:12 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-12-18 02:05 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Nick\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-18 02:05 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-18 02:05 . 2009-12-18 02:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-18 02:04 . 2009-12-18 02:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-16 03:01 . 2009-12-16 03:01 79488 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-16 00:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-15 23:49 . 2009-12-15 23:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-15 23:27 . 2009-12-15 23:27 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 11:47 . 2009-02-20 03:18 5336 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-02 11:47 . 2009-02-20 03:18 1245216 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-02 11:33 . 2009-02-20 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-01 06:34 . 2009-02-20 03:18 5798944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-01 06:34 . 2009-02-20 03:18 46384 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-27 22:24 . 2009-02-17 00:44 -------- d-----w- c:\program files\Lavasoft
2009-12-19 20:36 . 2009-08-31 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-19 20:35 . 2007-02-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-18 02:11 . 2005-06-28 21:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-16 03:03 . 2009-06-27 15:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 03:03 . 2005-06-21 22:46 -------- d-----w- c:\program files\Java
2009-12-16 03:01 . 2009-11-09 23:10 152576 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-15 23:27 . 2009-09-30 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:51 . 2006-01-27 03:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Canon
2009-12-03 22:14 . 2009-09-30 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-09-30 20:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 22:47 . 2009-11-14 22:47 -------- d-----w- c:\program files\mhhs_portal
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 11:45 . 2009-10-29 11:45 999424 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICE_ME12300.dll
2009-10-29 11:45 . 2009-10-29 11:45 89160 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\ICERTDServer.dll
2009-10-29 11:45 . 2009-10-29 11:45 291104 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\corojdk11.dll
2009-10-29 11:45 . 2009-10-29 11:45 221184 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\cache\6.0\54\2df61636-153833e7-n\j2cnfg.exe
2009-10-29 07:45 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 22:17 . 2009-02-20 03:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-15 22:17 . 2009-02-20 03:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-30_15.14.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-02 11:32 . 2010-01-02 11:32 16384 c:\windows\temp\Perflib_Perfdata_464.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-21 26112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2003-06-25 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-23 208616]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-09-07 959784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-27 17:17 1381376 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [10/6/2009 11:57 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/5/2009 2:58 PM 93872]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [9/7/2009 1:02 PM 1012040]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [10/4/2009 10:03 AM 69936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2007 8:14 AM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [10/11/2005 9:08 AM 17432]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Nick\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;c:\windows\system32\drivers\bjhid2.sys [6/28/2005 1:51 PM 6528]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [8/11/2006 7:30 AM 49399]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 4:44 AM 477696]
.
Contents of the 'Scheduled Tasks' folder

2010-01-02 c:\windows\Tasks\User_Feed_Synchronization-{CECE5B46-3908-47D7-BCCA-09B95A830035}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: ebay.com\www
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://insite.mhhs.org/MHHS_Portal_Login_09.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 05:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\07\06\19\13\10,"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2132)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-01-02 05:57:40
ComboFix-quarantined-files.txt 2010-01-02 11:57
ComboFix2.txt 2009-12-30 19:47
ComboFix3.txt 2009-12-30 15:17

Pre-Run: 5,424,640,000 bytes free
Post-Run: 5,421,379,584 bytes free

- - End Of File - - F6F87E8E5EA2BE3F858757FEBD44A1E5



And the ESET log (found a couple of things that I had not previously seen on any other scans):

C:\i386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP152\A0029582.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,090 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:31 PM

Posted 02 January 2010 - 10:34 AM

Hello,

What I was trying to do with the last two CF scripts is removing a stubborn registry entry. Since we had no luck again, let's try it manually.

Please download swreg.exe and place it in the c:\windows folder. Continue ONLY when you have been able to successfully place swreg.exe in the Windows folder; otherwise let me know and I will give you more detailed instructions.


BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Now, please click Start > Run, type notepad in the run box and press Enter.
Copy/paste the text in the codebox below into Notepad and save it as fixme.bat to your desktop.
@echo off
rem Write swreg's output for the key to export.txt, then open the file
swreg acl "HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD" /GE:F > export.txt
start export.txt
rem Delete this batch file once it has run
del %0
Exit Notepad and double-click fixme.bat to run it. A text file (export.txt) will open. Please post its contents in your next reply.

Edited by elise025, 02 January 2010 - 10:36 AM.

regards, Elise


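The export.bat earlier in the thread returned only the key header, and neither CF script removed the key, so the next step is reading the key's permissions directly. The script below is an added diagnostic, not Elise's swreg step and not ComboFix or swreg output: it reads the owner, DACL and sub-key names of the same key through the .NET registry API from an elevated PowerShell prompt. Only the key path comes from the thread; the READ_CONTROL fallback and the Administrators check are this example's own.

```powershell
# Added diagnostic for this thread (not Elise's swreg step, not ComboFix output):
# read a registry key's owner and DACL through the .NET registry API to see why
# "regedit /e" exported nothing and why the CF scripts could not remove it.
# Assumes an elevated PowerShell prompt; the key path is the one named in the thread.
param(
    [string]$SubKey = 'SOFTWARE\Microsoft\DbgagD'   # relative to HKEY_LOCAL_MACHINE
)

$ErrorActionPreference = 'Stop'
$root = [Microsoft.Win32.Registry]::LocalMachine

function Open-KeyWithRights {
    # OpenSubKey returns $null for a missing key and throws SecurityException when
    # the DACL refuses the requested access mask; map the latter to $null as well.
    param([string]$Path, [System.Security.AccessControl.RegistryRights]$Rights)
    try {
        return $root.OpenSubKey($Path,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $Rights)
    } catch [System.Security.SecurityException] {
        return $null
    }
}

function Resolve-Sid {
    # Translate a SID to DOMAIN\Name when possible; unmapped SIDs are printed raw.
    param([System.Security.Principal.IdentityReference]$Id)
    try { return $Id.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Id.Value }
}

# Ask for KEY_READ first; if that is refused, fall back to READ_CONTROL alone,
# which is enough to read the owner and DACL even on a deliberately locked key.
$key = Open-KeyWithRights -Path $SubKey -Rights ([System.Security.AccessControl.RegistryRights]::ReadKey)
$fullRead = ($null -ne $key)
if (-not $fullRead) {
    $key = Open-KeyWithRights -Path $SubKey -Rights ([System.Security.AccessControl.RegistryRights]::ReadPermissions)
}
if ($null -eq $key) {
    "HKLM\$SubKey : missing, or access denied even for READ_CONTROL."
    "An administrator can still take ownership (SeTakeOwnershipPrivilege) and then rewrite the DACL."
    return
}
"HKLM\$SubKey opened with: " + $(if ($fullRead) { 'KEY_READ' } else { 'READ_CONTROL only (KEY_READ was denied)' })

$sections = [System.Security.AccessControl.AccessControlSections]::Owner -bor
            [System.Security.AccessControl.AccessControlSections]::Access
$sec = $key.GetAccessControl($sections)
"Owner: " + (Resolve-Sid ($sec.GetOwner([System.Security.Principal.SecurityIdentifier])))
"Inheritance from parent key blocked: " + $sec.AreAccessRulesProtected

$rules = @($sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
if ($rules.Count -eq 0) { "DACL is empty: no principal has any access to this key." }
foreach ($r in $rules) {
    '{0,-5} {1,-32} {2}' -f $r.AccessControlType, (Resolve-Sid $r.IdentityReference), $r.RegistryRights
}

# What a responder looks for: explicit Deny entries, and no Allow entry at all for
# BUILTIN\Administrators (S-1-5-32-544), the usual reason a key behaves as "locked".
$denies  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
$adminOk = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'S-1-5-32-544' })
if ($denies.Count -gt 0) { "WARNING: $($denies.Count) explicit Deny entries on this key." }
if ($adminOk.Count -eq 0) { "WARNING: Administrators have no Allow entry; regedit cannot export or delete the key until the DACL is rewritten." }

if ($fullRead) {
    # Sub-key names with characters outside printable ASCII are shown as \uXXXX so
    # that odd names (the thread's log lists a sub-key as "1*") are visible exactly.
    foreach ($name in $key.GetSubKeyNames()) {
        $chars = foreach ($c in $name.ToCharArray()) {
            if ([int]$c -lt 32 -or [int]$c -gt 126) { '\u{0:X4}' -f [int]$c } else { [string]$c }
        }
        "Sub-key: " + (-join $chars)
    }
}
$key.Close()
```

Run it before and after any permission fix and compare the two DACL listings; the before copy doubles as a record of what the infection left behind.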




