
Google search results getting redirected


  • This topic is locked
11 replies to this topic

#1 younglink7

younglink7

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 07 January 2010 - 04:31 PM

Hello, I'm new to these forums and tried to read the instructions before posting, but if I forgot anything, let me know and I'll try to reply as soon as possible. The problem started somewhere around early/middle of December. All my google searches are getting redirected to other pages. At first it only redirected to harmless other search engines, but now it is redirecting to much more malicious sites. AVG originally found and removed c.exe and some other trojans and I thought I was fine, but it never solved the problem. Now as I type this my computer is telling me that there is a generic host process for Win32 Services that has encountered a problem and needs to close - and my computer has to restart after a minute. Thanks for your help.

DDS (Ver_09-12-01.01) - NTFSx86
Run by J Slye at 11:30:23.34 on Thu 01/07/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.913 [GMT -5:00]

AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\SafeConnect\scManager.sys
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\SafeConnect\scClient.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\J Slye\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\J Slye\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\smart notebook\NotebookPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [Aim6]
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\j slye\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [J Slye] c:\documents and settings\j slye\J Slye.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\jslye~1\startm~1\programs\startup\policy~1.lnk - c:\program files\impulse\PolicyKey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: WBSYS.DLL c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jslye~1\applic~1\mozilla\firefox\profiles\l5r3rtoa.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/#inbox
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\j slye\application data\mozilla\firefox\profiles\l5r3rtoa.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\j slye\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\j slye\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\essentials\apps\real alternative\browser\plugins\nppl3260.dll
FF - plugin: c:\essentials\apps\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("pfs.datasource.url", "chrome://cck/content/cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("app.update.url", "chrome://cck/content/cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("browser.throbber.url", "chrome://cck/content/cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage", "resource:/browserconfig-cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage_reset", "resource:/browserconfig-cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("general.useragent.vendorComment", "CK-A9");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-7 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-7 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-7 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-7 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-11-7 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SCManager;SafeConnect Manager;c:\program files\safeconnect\scmanager.sys servicestart --> c:\program files\safeconnect\scManager.sys servicestart [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-27 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-14 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-6 30192]
SUnknown SPService;SPService; [x]

=============== Created Last 30 ================

2009-12-21 18:56:04 0 d-----w- c:\program files\GIMP-2.0
2009-12-14 03:06:09 3249 ----a-w- c:\windows\system32\wbem\Outlook_01ca7c6a62550ccc.mof
2009-12-12 18:09:19 0 d-----w- c:\docume~1\jslye~1\applic~1\Malwarebytes
2009-12-12 18:09:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 18:09:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 18:09:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 18:09:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-10 11:28:52 216 ----a-w- c:\documents and settings\j slye\qpbdjL.bat
2009-12-10 02:49:54 124 --sh--r- c:\documents and settings\j slye\autorun.inf

==================== Find3M ====================

2010-01-06 00:07:17 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-06 00:07:17 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-07 05:19:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-08-22 18:07:03 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 11:32:26.56 ===============


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:03:46 PM

Posted 14 January 2010 - 11:53 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 younglink7

younglink7
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 15 January 2010 - 10:52 AM

Hello, and thank you for your time! Sorry it took me a little bit to respond. Here's my problem:

Whenever I search google I can get to the results page no problem. However, 80% of the time when I click on one of the results, it redirects me to either another unheard-of search engine or a more malicious trojan/fake antivirus website. Also, my AVG is now reporting trojans, c.exe, and b.exe repeatedly about every day/every other day. I always tell it to remove them, but it never solves the problem and gets to the heart of the matter. At the time of posting before, my computer had been restarting when a Win32 process would crash. However, a friend of mine told my computer to not restart when the process crashed, so now whenever that happens it just tells me it has encountered a problem and does not restart the computer. I use Google Chrome for web browsing, and it constantly is getting its search results redirected. However, Firefox and IE are also affected. If there's anything else I can do to help, please let me know. Thanks.


DDS (Ver_09-12-01.01) - NTFSx86
Run by J Slye at 10:39:17.75 on Fri 01/15/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\smart notebook\NotebookPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [Aim6]
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\j slye\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [J Slye] c:\documents and settings\j slye\J Slye.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [YNO00BFRKM] c:\windows\temp\c.exe
StartupFolder: c:\docume~1\jslye~1\startm~1\programs\startup\policy~1.lnk - c:\program files\impulse\PolicyKey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: WBSYS.DLL c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jslye~1\applic~1\mozilla\firefox\profiles\l5r3rtoa.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/#inbox
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\j slye\application data\mozilla\firefox\profiles\l5r3rtoa.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\j slye\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\j slye\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\essentials\apps\real alternative\browser\plugins\nppl3260.dll
FF - plugin: c:\essentials\apps\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("pfs.datasource.url", "chrome://cck/content/cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("app.update.url", "chrome://cck/content/cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("browser.throbber.url", "chrome://cck/content/cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage", "resource:/browserconfig-cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage_reset", "resource:/browserconfig-cck.properties");
c:\program files\mozilla firefox\defaults\pref\firefox-cck.js - pref("general.useragent.vendorComment", "CK-A9");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-15 05:37:07 0 d-----w- c:\program files\PS3 Media Server
2009-12-21 18:56:04 0 d-----w- c:\program files\GIMP-2.0

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 00:07:17 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-06 00:07:17 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-10 11:28:53 216 ----a-w- c:\documents and settings\j slye\qpbdjL.bat
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-11-07 05:19:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2008-08-22 18:07:03 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 10:41:48.54 ===============


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:46 PM

Posted 16 January 2010 - 09:59 AM

Hi younglink7,

Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis, I will be helping you to deal with your malware problems today.


Step 1

1. Go to this thread and download TDSSKiller.zip to your Desktop.
2. Extract its contents to your desktop and drag TDSSKiller.exe onto the desktop, not into the folder.
3. Start > Run, copy/paste the following bolded command into the Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

4. If TDSSKiller alerts you that the system needs to reboot, please consent.
5. When done, a log file should be created on your C: drive named "TDSSKiller.txt". Please copy and paste its contents in your next reply.


Step 2

  1. If you already have ComboFix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow ComboFix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Step 3

Please download GMER Rootkit Scanner from Here or Here.
  1. Extract the contents of the zipped file to desktop.
  2. Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  3. If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  5. Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  6. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.




In your next reply, please post back:

1. TDSSKiller.txt
2. ComboFix log
3. Gmer log

Thanks.
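Step 1 asks for TDSSKiller's verbose (-v) log. The DetectCureTDL3 lines in that log dump each storage driver's IRP dispatch table, and TDSSKiller flags the table when every slot points at the same address: a slot the driver does not implement normally points at the kernel's default handler inside ntoskrnl, so a clean table is spread between the driver image and the kernel, not collapsed onto one pool address. The Python below is an added example, not TDSSKiller's code and not from anyone in this thread. It parses constructed log lines in the same shape as the TDSSKiller output posted later in this thread and applies that heuristic plus a second one, checking whether any handler address falls outside the driver's own image or the kernel. The image ranges are assumed values for illustration; the real log does not print them.

```python
"""Heuristic check for TDL3-style IRP dispatch-table hooks, modelled on the
DetectCureTDL3 lines of a TDSSKiller -v log (added example, not TDSSKiller code)."""
import re

# Constructed sample: abridged lines in the shape TDSSKiller prints.
# The atapi rows reproduce the pattern "all handlers -> one address".
SAMPLE_LOG = r"""12:24:33:383 5216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:24:33:383 5216 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
12:24:33:383 5216 DetectCureTDL3: IrpHandler (1) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
12:24:33:383 5216 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
12:24:33:445 5216 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:24:33:477 5216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:24:33:477 5216 DetectCureTDL3: IrpHandler (0) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (1) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (2) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (3) addr: 8A57D618
12:24:33:492 5216 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

# Assumed (hypothetical) kernel-mode image ranges; TDSSKiller does not log them.
IMAGE_RANGES = {
    "nt":    (0x804D7000, 0x806E3000),   # ntoskrnl: the default IRP handler lives here
    "Disk":  (0xF74C6000, 0xF74D2000),   # disk.sys
    "atapi": (0xF7458000, 0xF7472000),   # atapi.sys
}

DRIVER_RE  = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
IRP_RE     = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")


def parse_tdsskiller_log(text):
    """Group IrpHandler addresses and the file verdict per driver object."""
    drivers, current = {}, None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:                                  # a new DRIVER_OBJECT block starts
            current = m.group(1)
            drivers[current] = {"handlers": [], "file": None, "verdict": None}
            continue
        m = IRP_RE.search(line)
        if m and current:
            drivers[current]["handlers"].append(int(m.group(2), 16))
            continue
        m = VERDICT_RE.search(line)
        if m and current:
            drivers[current]["file"], drivers[current]["verdict"] = m.group(1), m.group(2)
    return drivers


def _inside(addr, rng):
    return rng[0] <= addr < rng[1]


def assess(drivers, image_ranges):
    """Apply the two dispatch-table heuristics and return findings per driver."""
    nt, report = image_ranges["nt"], {}
    for name, info in drivers.items():
        reasons, handlers = [], info["handlers"]
        # Heuristic 1: every MajorFunction slot resolves to one address.
        if len(handlers) > 1 and len(set(handlers)) == 1:
            reasons.append("all IRP handlers point to one address")
        # Heuristic 2: a handler lies outside both the driver image and the kernel
        # (TDL3 parks its stub in allocated pool memory).
        own = image_ranges.get(name)
        strays = [a for a in handlers
                  if not _inside(a, nt) and not (own and _inside(a, own))]
        if strays:
            reasons.append("handler outside driver/kernel image: %08X" % strays[0])
        report[name] = {"hooked": bool(reasons), "reasons": reasons,
                        "verdict": info["verdict"]}
    return report


def analyse(text, image_ranges=IMAGE_RANGES):
    return assess(parse_tdsskiller_log(text), image_ranges)


if __name__ == "__main__":
    for drv, r in analyse(SAMPLE_LOG).items():
        flag = "HOOKED" if r["hooked"] else "ok"
        print(f"{drv:6} {flag:6} verdict={r['verdict']} {'; '.join(r['reasons'])}")
```

Run against the sample, Disk comes back clean (its handlers sit in disk.sys or in the kernel's default-handler range) while atapi trips both checks, which matches the "All IRP handlers pointed to one addr" and "Verdict: Infected" lines TDSSKiller itself prints. The second heuristic is the more general one: a hook that keeps distinct per-slot stubs would defeat the "all the same" check but still land outside any legitimate image.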


#5 younglink7

younglink7
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 16 January 2010 - 08:40 PM

Alright - thanks so much for your help! I did everything you said, but I ran into a few glitches along the way. First, with the TDSS, it found some things that required a restart. However, after restarting, it came up with the messages that you can see for yourself in the attached .jpg file. I then ran ComboFix and Gmer, but now whenever I try to start Chrome I get a blue screen which immediately forces a restart. The three logs are copied and pasted for you below.

12:24:32:320 5216 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
12:24:32:320 5216 ================================================================================
12:24:32:320 5216 SystemInfo:

12:24:32:320 5216 OS Version: 5.1.2600 ServicePack: 3.0
12:24:32:320 5216 Product type: Workstation
12:24:32:320 5216 ComputerName: JSLYECOMP
12:24:32:320 5216 UserName: J Slye
12:24:32:320 5216 Windows directory: C:\WINDOWS
12:24:32:320 5216 Processor architecture: Intel x86
12:24:32:320 5216 Number of processors: 1
12:24:32:320 5216 Page size: 0x1000
12:24:32:336 5216 Boot type: Normal boot
12:24:32:336 5216 ================================================================================
12:24:32:367 5216 UnloadDriverW: NtUnloadDriver error 2
12:24:32:367 5216 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:24:32:399 5216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
12:24:32:570 5216 UtilityInit: KLMD drop and load success
12:24:32:570 5216 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
12:24:32:570 5216 UtilityInit: KLMD open success
12:24:32:570 5216 UtilityInit: Initialize success
12:24:32:570 5216
12:24:32:570 5216 Scanning Services ...
12:24:32:570 5216 CreateRegParser: Registry parser init started
12:24:32:570 5216 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
12:24:32:570 5216 CreateRegParser: DisableWow64Redirection error
12:24:32:570 5216 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:24:32:570 5216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
12:24:32:570 5216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:24:32:570 5216 wfopen_ex: Trying to KLMD file open
12:24:32:570 5216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
12:24:32:570 5216 wfopen_ex: File opened ok (Flags 2)
12:24:32:570 5216 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 284B80
12:24:32:570 5216 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:24:32:570 5216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
12:24:32:570 5216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:24:32:570 5216 wfopen_ex: Trying to KLMD file open
12:24:32:570 5216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
12:24:32:570 5216 wfopen_ex: File opened ok (Flags 2)
12:24:32:570 5216 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 284A70
12:24:32:570 5216 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
12:24:32:570 5216 CreateRegParser: EnableWow64Redirection error
12:24:32:570 5216 CreateRegParser: RegParser init completed
12:24:33:383 5216 GetAdvancedServicesInfo: Raw services enum returned 376 services
12:24:33:383 5216 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:24:33:383 5216 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:24:33:383 5216
12:24:33:383 5216 Scanning Kernel memory ...
12:24:33:383 5216 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
12:24:33:383 5216 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A5F21F8
12:24:33:383 5216 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
12:24:33:383 5216
12:24:33:383 5216 DetectCureTDL3: DEVICE_OBJECT: 8A5D0C68
12:24:33:383 5216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5D0C68
12:24:33:383 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5D0C68[0x38]
12:24:33:383 5216 DetectCureTDL3: DRIVER_OBJECT: 8A5F21F8
12:24:33:383 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5F21F8[0xA8]
12:24:33:383 5216 KLMD_ReadMem: Trying to ReadMemory 0xE100FC98[0x18]
12:24:33:383 5216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:24:33:383 5216 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
12:24:33:383 5216 DetectCureTDL3: IrpHandler (1) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
12:24:33:383 5216 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
12:24:33:383 5216 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
12:24:33:383 5216 DetectCureTDL3: IrpHandler (5) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (6) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (7) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (8) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
12:24:33:383 5216 DetectCureTDL3: IrpHandler (10) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (11) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (12) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (13) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
12:24:33:383 5216 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
12:24:33:383 5216 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
12:24:33:383 5216 DetectCureTDL3: IrpHandler (17) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (18) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (19) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (20) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (21) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
12:24:33:383 5216 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
12:24:33:383 5216 DetectCureTDL3: IrpHandler (24) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (25) addr: 804F355A
12:24:33:383 5216 DetectCureTDL3: IrpHandler (26) addr: 804F355A
12:24:33:383 5216 TDL3_FileDetect: Processing driver: Disk
12:24:33:383 5216 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:24:33:383 5216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:24:33:445 5216 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:24:33:445 5216
12:24:33:445 5216 DetectCureTDL3: DEVICE_OBJECT: 8A577C68
12:24:33:445 5216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A577C68
12:24:33:445 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A577C68[0x38]
12:24:33:445 5216 DetectCureTDL3: DRIVER_OBJECT: 8A5F21F8
12:24:33:445 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5F21F8[0xA8]
12:24:33:445 5216 KLMD_ReadMem: Trying to ReadMemory 0xE100FC98[0x18]
12:24:33:445 5216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:24:33:445 5216 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
12:24:33:445 5216 DetectCureTDL3: IrpHandler (1) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
12:24:33:445 5216 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
12:24:33:445 5216 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
12:24:33:445 5216 DetectCureTDL3: IrpHandler (5) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (6) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (7) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (8) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
12:24:33:445 5216 DetectCureTDL3: IrpHandler (10) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (11) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (12) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (13) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
12:24:33:445 5216 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
12:24:33:445 5216 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
12:24:33:445 5216 DetectCureTDL3: IrpHandler (17) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (18) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (19) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (20) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (21) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
12:24:33:445 5216 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
12:24:33:445 5216 DetectCureTDL3: IrpHandler (24) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (25) addr: 804F355A
12:24:33:445 5216 DetectCureTDL3: IrpHandler (26) addr: 804F355A
12:24:33:445 5216 TDL3_FileDetect: Processing driver: Disk
12:24:33:445 5216 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:24:33:445 5216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:24:33:477 5216 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:24:33:477 5216
12:24:33:477 5216 DetectCureTDL3: DEVICE_OBJECT: 8A5E7C68
12:24:33:477 5216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5E7C68
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5E7C68[0x38]
12:24:33:477 5216 DetectCureTDL3: DRIVER_OBJECT: 8A5F21F8
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5F21F8[0xA8]
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0xE100FC98[0x18]
12:24:33:477 5216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:24:33:477 5216 DetectCureTDL3: IrpHandler (0) addr: F74CDBB0
12:24:33:477 5216 DetectCureTDL3: IrpHandler (1) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (2) addr: F74CDBB0
12:24:33:477 5216 DetectCureTDL3: IrpHandler (3) addr: F74C7D1F
12:24:33:477 5216 DetectCureTDL3: IrpHandler (4) addr: F74C7D1F
12:24:33:477 5216 DetectCureTDL3: IrpHandler (5) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (6) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (7) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (8) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (9) addr: F74C82E2
12:24:33:477 5216 DetectCureTDL3: IrpHandler (10) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (11) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (12) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (13) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (14) addr: F74C83BB
12:24:33:477 5216 DetectCureTDL3: IrpHandler (15) addr: F74CBF28
12:24:33:477 5216 DetectCureTDL3: IrpHandler (16) addr: F74C82E2
12:24:33:477 5216 DetectCureTDL3: IrpHandler (17) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (18) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (19) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (20) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (21) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (22) addr: F74C9C82
12:24:33:477 5216 DetectCureTDL3: IrpHandler (23) addr: F74CE99E
12:24:33:477 5216 DetectCureTDL3: IrpHandler (24) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (25) addr: 804F355A
12:24:33:477 5216 DetectCureTDL3: IrpHandler (26) addr: 804F355A
12:24:33:477 5216 TDL3_FileDetect: Processing driver: Disk
12:24:33:477 5216 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:24:33:477 5216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:24:33:477 5216 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:24:33:477 5216
12:24:33:477 5216 DetectCureTDL3: DEVICE_OBJECT: 8A578AB8
12:24:33:477 5216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A578AB8
12:24:33:477 5216 DetectCureTDL3: DEVICE_OBJECT: 8A5AC9E8
12:24:33:477 5216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5AC9E8
12:24:33:477 5216 DetectCureTDL3: DEVICE_OBJECT: 8A5D2940
12:24:33:477 5216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5D2940
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5D2940[0x38]
12:24:33:477 5216 DetectCureTDL3: DRIVER_OBJECT: 8A5D8868
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5D8868[0xA8]
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5B1030[0x38]
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A5EB030[0xA8]
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0xE17FADC0[0x1A]
12:24:33:477 5216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:24:33:477 5216 DetectCureTDL3: IrpHandler (0) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (1) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (2) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (3) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (4) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (5) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (6) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (7) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (8) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (9) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (10) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (11) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (12) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (13) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (14) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (15) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (16) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (17) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (18) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (19) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (20) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (21) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (22) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (23) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (24) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (25) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: IrpHandler (26) addr: 8A57D618
12:24:33:477 5216 DetectCureTDL3: All IRP handlers pointed to one addr: 8A57D618
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A57D618[0x400]
12:24:33:477 5216 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
12:24:33:477 5216 Driver "atapi" Irp handler infected by TDSS rootkit ...
12:24:33:477 5216 KLMD_WriteMem: Trying to WriteMemory 0x8A57D67D[0xD]
12:24:33:477 5216 cured
12:24:33:477 5216 KLMD_ReadMem: Trying to ReadMemory 0x8A57D4BF[0x400]
12:24:33:477 5216 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
12:24:33:477 5216 Driver "atapi" StartIo handler infected by TDSS rootkit ...
12:24:33:477 5216 TDL3_StartIoHookCure: Number of patches 1
12:24:33:477 5216 KLMD_WriteMem: Trying to WriteMemory 0x8A57D5B6[0x6]
12:24:33:477 5216 cured
12:24:33:492 5216 TDL3_FileDetect: Processing driver: atapi
12:24:33:492 5216 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:24:33:492 5216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
12:24:33:492 5216 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
12:24:33:492 5216 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ...
12:24:33:492 5216 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:24:33:492 5216 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:24:33:524 5216 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
12:24:33:649 5216 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
12:24:33:695 5216 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
12:24:33:742 5216 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
12:24:33:789 5216 CabinetCallback: File extracted successfully: C:\DOCUME~1\JSLYE~1\LOCALS~1\Temp\bck60F.tmp
12:24:33:789 5216 ValidateDriverFile: Stage 1 passed
12:24:33:805 5216 ValidateDriverFile: Stage 2 passed
12:24:34:117 5216 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
12:24:37:258 5216 DigitalSignVerifyByHandle: Cat DS result: 00000000
12:24:37:258 5216 ValidateDriverFile: Stage 3 passed
12:24:37:258 5216 CabinetCallback: File validated successfully, restore information prepared
12:24:37:258 5216 FindDriverFileBackup: Backup copy found in cab-file
12:24:37:258 5216 TDL3_FileCure: Backup copy found, using it..
12:24:37:258 5216 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk610.tmp
12:24:37:320 5216 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk610.tmp, system32\drivers\atapi.sys)
12:24:37:320 5216 TDL3_FileCure: KLMD jobs schedule success
12:24:37:320 5216 will be cured on next reboot
12:24:37:320 5216 UtilityBootReinit: Reboot required for cure complete..
12:24:37:320 5216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
12:24:37:320 5216 UtilityBootReinit: KLMD drop success
12:24:37:320 5216 KLMD_ApplyPendList: Pending buffer(5CD5_51F7, 608) dropped successfully
12:24:37:320 5216 UtilityBootReinit: Cure on reboot scheduled successfully
12:24:37:320 5216
12:24:37:320 5216 Completed
12:24:37:320 5216
12:24:37:320 5216 Results:
12:24:37:320 5216 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
12:24:37:320 5216 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:24:37:320 5216 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:24:37:320 5216
12:24:37:320 5216 UnloadDriverW: NtUnloadDriver error 1
12:24:37:320 5216 KLMD_Unload: UnloadDriverW(klmd21) error 1
12:24:37:320 5216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
12:24:37:320 5216 UtilityDeinit: KLMD(ARK) unloaded successfully

COMBOFIX

ComboFix 10-01-16.01 - J Slye 01/16/2010 14:35:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -5:00]
Running from: c:\documents and settings\J Slye\Desktop\ComboFix.exe
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\J Slye\autorun.inf
c:\documents and settings\J Slye\Start Menu\Programs\Startup\PolicyKey.lnk
c:\windows\kb913800.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-15 05:37 . 2010-01-15 05:37 -------- d-----w- c:\program files\PS3 Media Server
2010-01-14 17:58 . 2010-01-14 17:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2009-12-21 23:32 . 2010-01-06 01:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-21 18:56 . 2009-12-21 18:56 -------- d-----w- c:\program files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 17:26 . 2004-08-04 13:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-16 00:19 . 2009-11-05 23:17 -------- d-----w- c:\documents and settings\J Slye\Application Data\vlc
2010-01-15 05:40 . 2008-01-18 22:49 -------- d-----w- c:\documents and settings\J Slye\Application Data\U3
2010-01-15 05:23 . 2009-11-07 03:12 -------- d-----w- c:\documents and settings\J Slye\Application Data\AIMP
2010-01-11 06:55 . 2009-12-12 18:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 06:55 . 2010-01-05 22:41 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 02:02 . 2009-11-07 03:11 -------- d-----w- c:\program files\AIMP2
2010-01-08 20:34 . 2009-02-02 14:58 -------- d-----w- c:\program files\SafeConnect
2010-01-07 21:07 . 2009-12-12 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-12 18:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 08:04 . 2007-07-28 05:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-06 01:23 . 2008-10-16 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-12-21 16:16 . 2009-12-10 19:08 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-12 18:09 . 2009-12-12 18:09 -------- d-----w- c:\documents and settings\J Slye\Application Data\Malwarebytes
2009-12-12 18:09 . 2009-12-12 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 09:17 . 2006-02-17 08:53 -------- d-----w- c:\program files\Google
2009-12-10 11:28 . 2009-12-10 11:28 216 ----a-w- c:\documents and settings\J Slye\qpbdjL.bat
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\J Slye\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-28 22:49 . 2009-10-29 22:55 -------- d-----w- c:\documents and settings\J Slye\Application Data\HpUpdate
2009-11-21 15:51 . 2004-08-10 15:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-07 05:19 . 2009-11-07 05:19 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-07 05:19 . 2009-11-07 05:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-07 05:19 . 2009-11-07 05:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-07 05:19 . 2009-11-07 05:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-07 05:19 . 2009-11-07 05:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-04 02:53 . 2009-11-04 02:53 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-04 01:33 . 2009-11-04 01:33 152576 ----a-w- c:\documents and settings\J Slye\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 07:46 . 2004-08-10 15:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 15:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 15:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 15:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 15:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-07 02:25 . 2009-08-06 23:54 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Google Update"="c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-07 30192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-10 2043160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-1-12 1175552]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2007-11-13 297240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-07 05:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-10-04 15:58 184320 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-11-11 05:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2005-12-07 18:56 409600 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 20:45 507904 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
2003-07-07 13:29 729088 -c--a-w- c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 15:00 49152 -c--a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 18:23 1187840 -c----w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 21:03 36975 -c--a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2007-01-04 21:38 112336 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rockstar Games\\GTA2\\gta2.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Essentials\\Apps\\UrbanTerror\\ioUrbanTerror.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Documents and Settings\\J Slye\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\J Slye\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20887:TCP"= 20887:TCP:spport
"5961:TCP"= 5961:TCP:spport
"17099:TCP"= 17099:TCP:spport
"9774:TCP"= 9774:TCP:spport
"25179:TCP"= 25179:TCP:spport
"26587:TCP"= 26587:TCP:spport
"12866:TCP"= 12866:TCP:spport
"27928:TCP"= 27928:TCP:spport

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/7/2009 12:19 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/7/2009 12:19 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/7/2009 12:19 AM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/7/2009 12:19 AM 297752]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/27/2007 6:00 PM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 3:33 PM 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 3:32 PM 28800]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/14/2009 4:42 PM 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/6/2009 6:54 PM 30192]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 21:41]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 21:41]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2977375557-1984455187-312769585-1005Core.job
- c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 17:38]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2977375557-1984455187-312769585-1005UA.job
- c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 17:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\J Slye\Application Data\Mozilla\Firefox\Profiles\l5r3rtoa.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/#inbox
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\J Slye\Application Data\Mozilla\Firefox\Profiles\l5r3rtoa.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\J Slye\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\essentials\Apps\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: c:\essentials\Apps\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("pfs.datasource.url", "chrome://cck/content/cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("app.update.url", "chrome://cck/content/cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("browser.throbber.url", "chrome://cck/content/cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage", "resource:/browserconfig-cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage_reset", "resource:/browserconfig-cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("general.useragent.vendorComment", "CK-A9");
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
MSConfigStartUp-AIM - c:\progra~1\AIM\aim.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
AddRemove-ACF7324C-8AB9-4b4c-A761-D22EBD9D1A7B_is1 - c:\program files\Google\Google Desktop Search\unins000.exe
AddRemove-Derive 6 Trial Edition - c:\downloads\Apps\Derive 6 Trial Edition\unwise.exe
AddRemove-mIRC - c:\downloads\Setup Programs\SPPScript4\mirc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 14:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?5?1??p???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2977375557-1984455187-312769585-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1D4A8B29-56AE-1381-E5E8-A3AACD4303FF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oappbnceejlpidjdipkbnekafaofbk"=hex:64,61,63,67,6c,6c,61,68,00,d0
"oadpbbfjepednpnjikdjoldmjipbfk"=hex:69,61,70,66,67,6c,70,6e,6b,6e,64,6e,6e,63,
64,68,69,6a,00,00
"nabpdaaecnjhmahjlphcjjnnijcm"=hex:6a,61,63,67,69,6d,61,6a,61,63,66,70,6b,61,
6d,6f,6d,67,6b,68,00,fd

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}*]
"YKBG4FY6MRBLZHWNMN5KORGMPA1"=hex:01,00,01,00,00,00,00,00,da,37,90,89,91,09,97,
9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]
"YKBG4FY6MRBLZHWNMN5KORGMPA1"=hex:01,00,01,00,00,00,00,00,da,37,90,89,91,09,97,
9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\tray.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\SafeConnect\scManager.sys
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-16 14:54:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 19:54

Pre-Run: 29,578,305,536 bytes free
Post-Run: 30,327,566,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - B4A4042566EAE2EE0D4B2AE3749F00AC

Gmer

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 20:18:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JSLYE~1\LOCALS~1\Temp\uwrcrpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}
Reg HKLM\SOFTWARE\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}@YKBG4FY6MRBLZHWNMN5KORGMPA1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}
Reg HKLM\SOFTWARE\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}@YKBG4FY6MRBLZHWNMN5KORGMPA1 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1D4A8B29-56AE-1381-E5E8-A3AACD4303FF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1D4A8B29-56AE-1381-E5E8-A3AACD4303FF}@oappbnceejlpidjdipkbnekafaofbk 0x64 0x61 0x63 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1D4A8B29-56AE-1381-E5E8-A3AACD4303FF}@oadpbbfjepednpnjikdjoldmjipbfk 0x69 0x61 0x70 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1D4A8B29-56AE-1381-E5E8-A3AACD4303FF}@nabpdaaecnjhmahjlphcjjnnijcm 0x6A 0x61 0x63 0x67 ...

---- EOF - GMER 1.0.15 ----



#6 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 16 January 2010 - 10:03 PM

Hi younglink7,



As to DEP issues, you may turn it on as instructed in this thread. Then check if Chrome can work properly. If not, you're well advised to uninstall and reinstall it.

After that, please uninstall outdated Java versions (J2SE Development Kit 5.0 Update 4, J2SE Runtime Environment 5.0 Update 4, J2SE Runtime Environment 5.0 Update 6 and Java™ 6 Update 7) and Viewpoint Manager, Viewpoint Media Player via Add/Remove Programs and clear the Java cache as instructed in this thread.


Step1
  1. Please download Flash_Disinfector and save it to your desktop.
  2. Double click to run it.
  3. You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.
  4. Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  5. When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  6. Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.


Step2
  1. Close any open browsers
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
DDS::
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
mRun: []
Trusted Zone: turbotax.com

RegNull::
[HKEY_USERS\S-1-5-21-2977375557-1984455187-312769585-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1D4A8B29-56AE-1381-E5E8-A3AACD4303FF}*]

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step3

I notice you have MBAM installed in your system. Please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



In your next reply, please post back:

1. ComboFix log
2. MBAM log

Tell me if you have any remaining issues on your pc.

#7 younglink7

  • Topic Starter
  • Members
  • 5 posts

Posted 16 January 2010 - 10:13 PM

QUOTE
As to DEP issues, you may turn it on as instructed in this thread . Then check if Chrome can work properly. If not, you're well advised to uninstall and reinstall it.


Sorry for slowing down the process here, but I checked the settings that the link said to check, and my computer indicates that DEP is already on. Did you mean to say to turn it off like the thread talks about, or leave it on?

Thanks!

EDIT:

Also,

QUOTE
Step1

1. Please download Flash_Disinfector and save it to your desktop.
2. Double click to run it.
3. You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.


Am I supposed to plug in a flash drive for this step? Or are these just general directions for people with infected flash drives?

Edited by younglink7, 16 January 2010 - 10:16 PM.


#8 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 16 January 2010 - 10:20 PM

Hi younglink7,


You may turn it off, reboot your PC and see what happens. If everything goes smoothly, you may turn it on if you feel comfortable. For more info: this thread.

Edited by sundavis, 16 January 2010 - 10:23 PM.


#9 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 16 January 2010 - 10:22 PM

QUOTE
Am I supposed to plug in a flash drive for this step


Definitely.

#10 younglink7

  • Topic Starter
  • Members
  • 5 posts

Posted 17 January 2010 - 12:13 AM

Hello again! Thanks for everything - it all seems to be running smoothly and without redirects! When I used Combofix, it asked me to update, so I pressed "yes." I hope that doesn't affect anything. Below are the two logs:

ComboFix 10-01-16.02 - J Slye 01/16/2010 23:31:08.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1399 [GMT -5:00]
Running from: c:\documents and settings\J Slye\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\J Slye\Desktop\CFScript.txt
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-15 05:37 . 2010-01-15 05:37 -------- d-----w- c:\program files\PS3 Media Server
2010-01-14 17:58 . 2010-01-14 17:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-01-05 22:41 . 2010-01-11 06:55 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-21 23:32 . 2010-01-06 01:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-21 18:56 . 2009-12-21 18:56 -------- d-----w- c:\program files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 04:14 . 2007-05-13 20:29 -------- d-----w- c:\documents and settings\J Slye\Application Data\Viewpoint
2010-01-17 04:14 . 2006-08-07 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-17 04:14 . 2006-08-07 14:08 -------- d-----w- c:\program files\Viewpoint
2010-01-17 04:09 . 2006-02-17 08:02 -------- d-----w- c:\program files\Java
2010-01-16 17:26 . 2004-08-04 13:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-16 00:19 . 2009-11-05 23:17 -------- d-----w- c:\documents and settings\J Slye\Application Data\vlc
2010-01-15 05:40 . 2008-01-18 22:49 -------- d-----w- c:\documents and settings\J Slye\Application Data\U3
2010-01-15 05:23 . 2009-11-07 03:12 -------- d-----w- c:\documents and settings\J Slye\Application Data\AIMP
2010-01-11 06:55 . 2009-12-12 18:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 02:02 . 2009-11-07 03:11 -------- d-----w- c:\program files\AIMP2
2010-01-08 20:34 . 2009-02-02 14:58 -------- d-----w- c:\program files\SafeConnect
2010-01-07 21:07 . 2009-12-12 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-12 18:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 08:04 . 2007-07-28 05:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-06 01:23 . 2008-10-16 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-12-21 16:16 . 2009-12-10 19:08 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-12 18:09 . 2009-12-12 18:09 -------- d-----w- c:\documents and settings\J Slye\Application Data\Malwarebytes
2009-12-12 18:09 . 2009-12-12 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 09:17 . 2006-02-17 08:53 -------- d-----w- c:\program files\Google
2009-12-10 11:28 . 2009-12-10 11:28 216 ----a-w- c:\documents and settings\J Slye\qpbdjL.bat
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\J Slye\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-28 22:49 . 2009-10-29 22:55 -------- d-----w- c:\documents and settings\J Slye\Application Data\HpUpdate
2009-11-21 15:51 . 2004-08-10 15:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-07 05:19 . 2009-11-07 05:19 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-07 05:19 . 2009-11-07 05:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-07 05:19 . 2009-11-07 05:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-07 05:19 . 2009-11-07 05:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-07 05:19 . 2009-11-07 05:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-04 02:53 . 2009-11-04 02:53 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-04 01:33 . 2009-11-04 01:33 152576 ----a-w- c:\documents and settings\J Slye\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 07:46 . 2004-08-10 15:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 15:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 15:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 15:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 15:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-07 02:25 . 2009-08-06 23:54 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Google Update"="c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-07 30192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-10 2043160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-1-12 1175552]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2007-11-13 297240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-07 05:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-10-04 15:58 184320 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-11-11 05:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2005-12-07 18:56 409600 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 20:45 507904 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
2003-07-07 13:29 729088 -c--a-w- c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 15:00 49152 -c--a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 18:23 1187840 -c----w- c:\windows\SMINST\Recguard.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rockstar Games\\GTA2\\gta2.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Essentials\\Apps\\UrbanTerror\\ioUrbanTerror.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Documents and Settings\\J Slye\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\J Slye\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20887:TCP"= 20887:TCP:spport
"5961:TCP"= 5961:TCP:spport
"17099:TCP"= 17099:TCP:spport
"9774:TCP"= 9774:TCP:spport
"25179:TCP"= 25179:TCP:spport
"26587:TCP"= 26587:TCP:spport
"12866:TCP"= 12866:TCP:spport
"27928:TCP"= 27928:TCP:spport

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/7/2009 12:19 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/7/2009 12:19 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/7/2009 12:19 AM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/7/2009 12:19 AM 297752]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 3:33 PM 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 3:32 PM 28800]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/14/2009 4:42 PM 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/6/2009 6:54 PM 30192]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 21:41]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 21:41]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2977375557-1984455187-312769585-1005Core.job
- c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 17:38]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2977375557-1984455187-312769585-1005UA.job
- c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 17:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\J Slye\Application Data\Mozilla\Firefox\Profiles\l5r3rtoa.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/#inbox
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\J Slye\Application Data\Mozilla\Firefox\Profiles\l5r3rtoa.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\J Slye\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\J Slye\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\essentials\Apps\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: c:\essentials\Apps\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("pfs.datasource.url", "chrome://cck/content/cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("app.update.url", "chrome://cck/content/cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("browser.throbber.url", "chrome://cck/content/cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage", "resource:/browserconfig-cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("browser.startup.homepage_reset", "resource:/browserconfig-cck.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox-cck.js - pref("general.useragent.vendorComment", "CK-A9");
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?5?1??????? ???B?????????????hLC? ??????

scanning hidden files ...


c:\docume~1\JSLYE~1\LOCALS~1\Temp\Perflib_Perfdata_1690.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}*]
"YKBG4FY6MRBLZHWNMN5KORGMPA1"=hex:01,00,01,00,00,00,00,00,da,37,90,89,91,09,97,
9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]
"YKBG4FY6MRBLZHWNMN5KORGMPA1"=hex:01,00,01,00,00,00,00,00,da,37,90,89,91,09,97,
9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\tray.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-16 23:43:56
ComboFix-quarantined-files.txt 2010-01-17 04:43
ComboFix2.txt 2010-01-16 19:54

Pre-Run: 30,818,840,576 bytes free
Post-Run: 30,774,353,920 bytes free

- - End Of File - - 119EEAEC0C2490F7A16EA8310E1BA8AE

MBAM

Malwarebytes' Anti-Malware 1.44
Database version: 3581
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/16/2010 11:56:40 PM
mbam-log-2010-01-16 (23-56-40).txt

Scan type: Quick Scan
Objects scanned: 125783
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:46 PM

Posted 17 January 2010 - 01:12 AM

Hi younglink7,



QUOTE
When I used Combofix, it asked me to update, so I pressed "yes".

That sounds good. Please delete the following folders manually.

c:\documents and settings\J Slye\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint

Other than that, your system appears clean now. If you have no remaining concerns on your pc, let's do some tidy up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!


#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:46 PM

Posted 18 January 2010 - 10:57 AM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.




