
Possible infected but not sure what?


  • This topic is locked
21 replies to this topic

#1 tripplej

tripplej

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:41 AM

Posted 28 February 2010 - 02:50 AM

Hi,

I have been trying to work out why, when I do a search in Google, it keeps getting redirected. I have downloaded a few spyware programs, and what they found they have deleted, but I am still having the same problem.

I downloaded Malawares and it didn't find anything.

I have just run HijackThis; see results below. I have run a few others, but I am not sure what you need to help me out.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:31 PM, on 28/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/def...://au.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SetDefPrt2] C:\Program Files\Brother\Brmfl06b\BrStDvPt.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://216.240.157.195/bigw/ax/ImageUploader5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: TPSvc - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: getPlus® Installer - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
O23 - Service: XAudioService - Unknown owner - C:\WINDOWS\system32\DRIVERS\xaudio.exe (file missing)

--
End of file - 10685 bytes


Edited by tripplej, 28 February 2010 - 03:10 AM.
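As an added example (not code from the thread or from HijackThis itself), the small Python triage helper below parses lines in the HijackThis "section - body" format shown in the log above and lists the entries a log helper normally reviews first: an IE proxy pointing at the local host, O2/O3 registrations whose file is gone, an O20 Winlogon Notify entry that names no DLL, and O23 services with an unknown owner or a missing binary. The sample lines are copied from the posted log; the flags are review prompts drawn from the text of each line, not verdicts.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, in the tool's own "<section> - <body>" format.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: TPSvc - C:\WINDOWS\
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: XAudioService - Unknown owner - C:\WINDOWS\system32\DRIVERS\xaudio.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0-R3, O1-O24), " - ", body.
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.]+):(?P<port>\d+)")
LOCAL_HOSTS = {"127.0.0.1", "localhost"}


def parse_line(line):
    """Return {'section', 'body', 'raw'} for a HijackThis entry, or None."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "raw": line}


def review_flags(entry):
    """Reasons a log helper would look at this entry before the others.

    These are review prompts drawn from what the line itself says, not a
    malware verdict: legitimate software produces some of them too.
    """
    section, body = entry["section"], entry["body"]
    flags = []

    # R1: a proxy on the local host means every IE request passes through
    # some process on this machine before it reaches the network.
    m = PROXY_RE.search(body)
    if m and m.group("host") in LOCAL_HOSTS:
        flags.append("IE proxy set to local host %s:%s" % (m.group("host"), m.group("port")))

    # O2/O3: a BHO or toolbar CLSID is registered but its DLL is gone.
    if section in ("O2", "O3") and "(no file)" in body:
        flags.append("BHO/toolbar registration with no backing file")

    # O20: Winlogon Notify packages load a DLL at logon; an entry that names
    # only a directory cannot be checked without looking at the registry key.
    if section == "O20":
        path = body.rsplit(" - ", 1)[-1].strip()
        if not path.lower().endswith(".dll"):
            flags.append("Winlogon Notify entry names no DLL: %r" % path)

    # O23: services without a publisher string or whose binary is absent.
    if section == "O23":
        if "Unknown owner" in body:
            flags.append("service with unknown owner")
        if "(file missing)" in body:
            flags.append("service binary missing on disk")
    return flags


def triage(log_text):
    """Return [(raw_line, [flags...]), ...] for every entry that raised a flag."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flags = review_flags(entry)
        if flags:
            results.append((entry["raw"], flags))
    return results


if __name__ == "__main__":
    for raw, flags in triage(SAMPLE_LOG):
        print(raw)
        for f in flags:
            print("    ->", f)
```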



#2 tripplej

tripplej
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:41 AM

Posted 01 March 2010 - 04:22 PM

Hi,

Just some further info. I installed STOPzilla, and it came up with about 90 problems, but when I ran Malawares and Spybot they didn't come up with anything.

The browser situation is getting worse; it is even bringing up a pop-up window. Prior to all of this I wasn't getting any pop-up windows. IE would always ask me to accept a new pop-up window, if that makes sense.

I appreciate you guys are very busy, but if there is anyone who can help me solve my problem, I would really appreciate it. I have tried everything I know, but it's beyond my skills. I have surfed the net but can't seem to find a solution, and Google is very frustrating with the redirecting problem.

Thanks again for taking the time to read this.

Thanks

Edited by tripplej, 01 March 2010 - 04:23 PM.


#3 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:41 PM

Posted 03 March 2010 - 09:05 PM

Hello tripplej. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt









  • If you have any CD emulation software such as Daemon or Alcohol, please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it, let me know so we can re-enable it when we finish up.



    Disable:


    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.






    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.





    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.




    If GMER does not want to run add the following to those that you unchecked and try it again:

    • Registry
    • Files












Note: Please make only the Attach.txt from DDS an attachment; post the other logs directly into the reply window.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#4 tripplej

tripplej
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:41 AM

Posted 05 March 2010 - 05:16 AM

Hi, thanks for your help. As requested, here is the DDS file:
Note: I am not sure what script blockers are; I don't think I have any...

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Sharon at 21:12:05.95 on Fri 05/03/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.681 [GMT 11:00]

    AV: HAURI AntiVirus ViRobot *On-access scanning enabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    svchost.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\DOCUME~1\Sharon\LOCALS~1\Temp\RtkBtMnt.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsock.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Pando Networks\Pando\Pando.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hauri\Common\Base\vrscan.exe
    C:\Program Files\Hauri\ViRobot Desktop 5.5\hpcsvc.exe
    C:\Program Files\Hauri\Common\hsvcmod.exe
    C:\Program Files\Hauri\Common\Base\vrmonsvc.exe
    C:\Program Files\Hauri\Common\Base\vrrepair.exe
    C:\Program Files\Hauri\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe
    C:\Program Files\Hauri\Common\Base\vrmonnt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Sharon\Desktop\New Folder\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
    uURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
    uWindows: run=0000
    uWindows: load=0000
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
    BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File
    BHO: IEHelpObj Class: {ec45e3fe-c16d-4f24-9238-d1b49ad74815} - c:\program files\hauri\virobot desktop 5.5\service\hWebMan.dll
    TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [InCD] c:\program files\ahead\incd\InCD.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
    mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
    mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
    mRun: [SetDefPrt2] c:\program files\brother\brmfl06b\BrStDvPt.exe
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Vrmon] c:\program files\hauri\common\base\VRMONNT.EXE
    mRun: [HEProtect] c:\program files\hauri\virobot desktop 5.5\antispam\HSockPE.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
    DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://216.240.157.195/bigw/ax/ImageUploader5.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {BA3ED5CB-4935-4B1C-A418-AC9CCE2275C1} - hxxp://hglobal.globalhauri.com/HProduct/LCS2p/globalhauri/CLIENT/LCS2p/web/hLcs2Pre.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\sharon\applic~1\mozilla\firefox\profiles\a301cii2.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - www.google.com.au
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
    FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
    R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-29 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-29 234888]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-3-27 165160]
    R2 hpcsvc;ViRobot Communication Service;c:\program files\hauri\virobot desktop 5.5\hpcsvc.exe [2010-3-2 513616]
    R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
    R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-12-23 14976]
    R2 ViRobot Common Scan Service;ViRobot Common Scan Service;c:\program files\hauri\common\base\vrscan.exe [2010-3-2 172032]
    R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [2008-11-11 74624]
    R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100304.005\NAVENG.sys [2010-3-5 84912]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100304.005\NAVEX15.sys [2010-3-5 1324720]
    R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2010-3-2 84736]
    R3 vrrepair;ViRobot Repairing Service;c:\program files\hauri\common\base\vrrepair.exe [2010-3-2 502368]
    R3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2010-3-2 21016]
    S2 TVService;TVService;c:\program files\team mediaportal\mediaportal tv server\TvService.exe [2009-5-9 192512]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-12-27 1684736]
    S3 benqusbser;BenQ Handset USB Device for Legacy Serial Communication;c:\windows\system32\drivers\BenQusbser.sys [2008-3-26 100992]
    S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [2008-11-11 97664]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
    S3 getPlus® Installer;getPlus® Installer;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2009-11-10 572544]
    S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [2009-9-26 352000]

    =============== Created Last 30 ================

    2010-03-03 07:21:17 244 ---ha-w- C:\sqmnoopt11.sqm
    2010-03-03 07:21:17 232 ---ha-w- C:\sqmdata11.sqm
    2010-03-02 09:46:31 40 ----a-w- c:\windows\HEPMain.INI
    2010-03-02 05:47:09 0 d-----w- c:\docume~1\sharon\applic~1\HAURI
    2010-03-02 05:16:52 33080 ------w- c:\windows\system32\drivers\vracfil.sys
    2010-03-02 05:16:51 21016 ------w- c:\windows\system32\drivers\VRsecos.sys
    2010-03-02 05:16:50 84736 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
    2010-03-02 05:16:48 115072 ----a-w- c:\windows\system32\drivers\vradfil.sys
    2010-03-02 05:16:41 403051 ------w- c:\windows\system32\drivers\virobot.vib
    2010-03-02 01:31:57 869768 ----a-w- c:\windows\system32\lsuni2.exe
    2010-03-02 01:17:46 0 d-----w- c:\windows\system32\LcSkin
    2010-03-02 01:17:45 0 d-----w- c:\program files\HAURI
    2010-02-28 08:57:09 0 d-----w- c:\program files\Everything
    2010-02-28 06:10:05 77312 ----a-w- c:\windows\MBR.exe
    2010-02-28 06:10:04 261632 ----a-w- c:\windows\PEV.exe
    2010-02-28 05:31:59 0 d-----w- c:\windows\system32\appmgmt
    2010-02-28 02:37:48 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-02-28 02:36:58 2200 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-28 02:16:30 0 d-sha-r- C:\cmdcons
    2010-02-28 02:13:11 98816 ----a-w- c:\windows\sed.exe
    2010-02-28 02:13:11 161792 ----a-w- c:\windows\SWREG.exe
    2010-02-27 13:40:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-02-27 10:50:20 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
    2010-02-27 10:49:24 0 d-----w- c:\program files\common files\iS3
    2010-02-27 10:49:24 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
    2010-02-27 09:26:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
    2010-02-27 09:26:12 0 d-----w- c:\program files\Security Task Manager
    2010-02-27 06:10:13 0 d-----w- c:\program files\Spyware Doctor
    2010-02-27 06:10:13 0 d-----w- c:\docume~1\sharon\applic~1\PC Tools
    2010-02-27 06:10:13 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
    2010-02-25 16:06:54 0 d-----w- c:\program files\Trend Micro
    2010-02-24 13:53:41 244 ---ha-w- C:\sqmnoopt10.sqm
    2010-02-24 13:53:41 232 ---ha-w- C:\sqmdata10.sqm
    2010-02-09 13:26:41 0 d-----w- c:\program files\common files\PCSuite
    2010-02-09 13:26:36 0 d-----w- c:\program files\common files\Nokia
    2010-02-09 13:26:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-02-09 13:26:18 0 d-----w- c:\program files\PC Connectivity Solution
    2010-02-09 13:25:55 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-02-09 13:25:54 0 d-----w- c:\program files\Nokia

    ==================== Find3M ====================

    2010-03-01 03:24:18 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-01-07 05:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 05:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-03 00:59:46 737280 ----a-w- c:\windows\iun6002.exe
    2009-12-18 07:15:30 1324504 ----a-w- c:\windows\system32\hIns2p.exe
    2009-12-11 05:46:27 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    2009-08-13 18:18:32 88 --sh--r- c:\windows\system32\A0EC11609E.sys

    ============= FINISH: 21:13:16.70 ===============


    #5 tripplej

    tripplej
    • Topic Starter
    • Members
    • 13 posts

    Posted 05 March 2010 - 06:25 AM

    Here is the GMER file, unfortunately I had problems running it, so had to remove the files and registry option.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-05 22:20:54
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Sharon\LOCALS~1\Temp\kfwyipoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \FileSystem\Ntfs \Ntfs vracfil.sys (VRAC Filter for Windows NT/2K/XP/HAURI)
    AttachedDevice \FileSystem\Ntfs \Ntfs VRADFIL.SYS (VR Filter for Windows NT/2K/XP/Vista/Win7/Hauri, Inc.)

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort0 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort1 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort2 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort3 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat vracfil.sys (VRAC Filter for Windows NT/2K/XP/HAURI)
    AttachedDevice \FileSystem\Fastfat \Fat VRADFIL.SYS (VR Filter for Windows NT/2K/XP/Vista/Win7/Hauri, Inc.)

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----


    #6 thewall

    thewall
    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 05 March 2010 - 09:21 AM

    You did fine, we'll go with ComboFix next:

    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.





    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #7 tripplej

    tripplej
    • Topic Starter
    • Members
    • 13 posts

    Posted 05 March 2010 - 10:17 AM

    Hi,

    Just wanted to let you know I am having trouble running the ComboFix exe as it keeps hanging... any ideas on what I can do?

    #8 thewall

    thewall
    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 05 March 2010 - 10:39 AM

    Are you disabling both Symantec and TeaTimer first?

    #9 tripplej

    tripplej
    • Topic Starter
    • Members
    • 13 posts

    Posted 05 March 2010 - 10:48 AM

    Symantec was disabled, and I believe I deleted TeaTimer. I downloaded the second link and it appears to have worked; now I am not sure if I managed to disable Hauri. It kept coming up saying it was still active, but I went into the software and stopped the real-time scanning...

    Here is the log file... thanks

    ComboFix 10-03-04.05 - Sharon 06/03/2010 2:32.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1540 [GMT 11:00]
    Running from: c:\documents and settings\Sharon\Desktop\New Folder\ComboFix.exe
    AV: HAURI AntiVirus ViRobot *On-access scanning enabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
    .

    2010-03-03 23:21 . 2010-03-03 23:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-03-02 05:47 . 2010-03-05 02:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\HAURI
    2010-03-02 05:16 . 2010-01-04 23:32 33080 ------w- c:\windows\system32\drivers\vracfil.sys
    2010-03-02 05:16 . 2010-01-04 23:32 21016 ------w- c:\windows\system32\drivers\VRsecos.sys
    2010-03-02 05:16 . 2010-01-04 23:32 84736 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
    2010-03-02 05:16 . 2010-03-02 05:35 115072 ----a-w- c:\windows\system32\drivers\vradfil.sys
    2010-03-02 01:31 . 2010-03-02 01:31 869768 ----a-w- c:\windows\system32\lsuni2.exe
    2010-03-02 01:17 . 2010-03-02 04:30 -------- d-----w- c:\windows\system32\LcSkin
    2010-03-02 01:17 . 2010-03-02 05:15 -------- d-----w- c:\program files\HAURI
    2010-02-28 13:29 . 2010-02-28 13:31 -------- d-----w- C:\rsit
    2010-02-28 08:57 . 2010-02-28 11:56 -------- d-----w- c:\program files\Everything
    2010-02-28 02:55 . 2010-02-28 02:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-02-27 13:40 . 2010-03-03 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-27 10:50 . 2010-02-27 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-27 10:49 . 2010-02-28 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-27 10:49 . 2010-02-27 10:49 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-27 06:14 . 2010-02-27 06:14 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Threat Expert
    2010-02-27 06:10 . 2010-03-03 02:05 -------- d-----w- c:\program files\Spyware Doctor
    2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Tools
    2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-02-25 16:06 . 2010-02-25 16:06 -------- d-----w- c:\program files\Trend Micro
    2010-02-09 13:28 . 2010-02-09 13:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\Nokia
    2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Suite
    2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
    2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\PCSuite
    2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\Nokia
    2010-02-09 13:26 . 2008-08-25 22:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-02-09 13:25 . 2009-10-06 00:52 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-02-09 13:25 . 2010-02-09 13:26 -------- d-----w- c:\program files\Nokia
    2010-02-09 13:25 . 2010-02-09 13:24 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web.exe
    2010-02-09 13:25 . 2010-02-09 13:25 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
    2010-02-09 13:25 . 2010-02-09 13:25 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
    2010-02-09 13:25 . 2010-02-09 13:25 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2010-02-09 13:25 . 2010-02-09 13:25 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
    2010-02-09 13:25 . 2010-02-09 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-03 13:40 . 2009-11-03 22:54 -------- d-----w- c:\documents and settings\Sharon\Application Data\Canon
    2010-03-03 02:10 . 2008-12-26 15:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-02 05:15 . 2008-08-01 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-01 03:24 . 2009-08-13 18:18 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-03-01 03:23 . 2009-04-03 03:17 -------- d-----w- c:\documents and settings\Sharon\Application Data\Azureus
    2010-03-01 03:23 . 2010-01-03 01:04 -------- d-----w- c:\documents and settings\Sharon\Application Data\vlc
    2010-02-28 02:56 . 2010-01-08 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-28 02:46 . 2010-02-28 02:36 2200 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-28 02:45 . 2010-02-28 02:37 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\program files\Security Task Manager
    2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2010-02-09 13:26 . 2009-06-25 16:48 -------- d-----w- c:\program files\DIFX
    2010-01-24 08:44 . 2008-08-01 15:59 128728 ----a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-24 08:41 . 2008-10-31 19:47 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-23 06:00 . 2010-01-23 05:59 -------- d-----w- c:\program files\Adobe Media Player
    2010-01-08 22:06 . 2009-09-25 15:56 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-01-08 15:58 . 2010-01-08 06:48 -------- d-----w- c:\program files\PlayBox
    2010-01-08 15:20 . 2010-01-08 15:20 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
    2010-01-08 15:19 . 2010-01-08 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-08 06:48 . 2010-01-08 06:48 -------- d-----w- c:\documents and settings\Sharon\Application Data\PlayBox
    2010-01-08 00:51 . 2009-04-03 03:14 -------- d-----w- c:\program files\Vuze
    2010-01-07 05:07 . 2010-01-08 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 05:07 . 2010-01-08 15:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 23:29 . 2010-03-02 05:16 403051 ------w- c:\windows\system32\drivers\virobot.vib
    2010-01-03 00:59 . 2010-01-03 01:00 737280 ----a-w- c:\windows\iun6002.exe
    2009-12-18 07:15 . 2009-12-18 07:15 1324504 ----a-w- c:\windows\system32\hIns2p.exe
    2009-12-15 12:32 . 2009-12-15 12:32 3638 ----a-r- c:\documents and settings\Sharon\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
    2009-12-11 05:46 . 2009-12-11 05:46 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    2009-08-13 18:18 . 2009-08-13 18:18 88 --sh--r- c:\windows\system32\A0EC11609E.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-02-28_06.48.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-05 15:12 . 2010-03-05 15:12 16384 c:\windows\Temp\Perflib_Perfdata_714.dat
    - 2001-08-23 12:00 . 2010-02-28 05:53 90340 c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2010-03-05 15:16 90340 c:\windows\system32\perfc009.dat
    + 2005-02-13 18:55 . 2005-02-13 18:55 126976 c:\windows\system32\vrpacker.dll
    + 2001-08-23 12:00 . 2010-03-05 15:16 491506 c:\windows\system32\perfh009.dat
    - 2001-08-23 12:00 . 2010-02-28 05:53 491506 c:\windows\system32\perfh009.dat
    + 2002-05-12 23:24 . 2002-05-12 23:24 155648 c:\windows\system32\HVrunzip.dll
    + 2009-08-04 23:53 . 2009-08-04 23:53 543416 c:\windows\system32\hksec.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]

    [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
    2010-02-16 06:55 2349080 ----a-w- c:\program files\Mininova-Vuze\tbMin1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D51D388B-F5DC-471A-A1CE-5E2D671091C0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-20 90112]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-06-04 1400944]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
    "SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
    "SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
    "SetDefPrt2"="c:\program files\Brother\Brmfl06b\BrStDvPt.exe" [2005-01-26 49152]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
    "RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "Vrmon"="c:\program files\Hauri\Common\Base\VRMONNT.EXE" [2010-01-06 314080]
    "HEProtect"="c:\program files\Hauri\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe" [2010-01-04 385112]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-13 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-12-11 66864]
    Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2009-9-19 151552]
    Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2009-9-19 106496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\D-Link\\SharePort\\SharePort Network USB Utility.exe"=
    "c:\\Program Files\\Aurora\\Aurora.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "58905:TCP"= 58905:TCP:Pando
    "58905:UDP"= 58905:UDP:Pando
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 1:03 PM 169312]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 3:16 PM 79432]
    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [29/08/2009 3:27 PM 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [29/08/2009 3:28 PM 234888]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [27/03/2009 4:54 PM 165160]
    R2 hpcsvc;ViRobot Communication Service;c:\program files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe [2/03/2010 4:16 PM 513616]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [23/12/2009 4:11 PM 14976]
    R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [11/11/2008 4:01 PM 74624]
    R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2/03/2010 4:16 PM 84736]
    S2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [9/05/2009 9:36 AM 192512]
    S2 ViRobot Common Scan Service;ViRobot Common Scan Service;c:\program files\HAURI\Common\Base\vrscan.exe [2/03/2010 4:16 PM 172032]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [27/12/2008 3:23 PM 1684736]
    S3 benqusbser;BenQ Handset USB Device for Legacy Serial Communication;c:\windows\system32\drivers\BenQusbser.sys [26/03/2008 7:48 AM 100992]
    S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [11/11/2008 4:01 PM 97664]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [18/08/2005 7168]
    S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [10/11/2009 1:46 PM 572544]
    S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [26/09/2009 3:10 AM 352000]
    S3 vrrepair;ViRobot Repairing Service;c:\program files\HAURI\Common\Base\vrrepair.exe [2/03/2010 4:16 PM 502368]
    S3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2/03/2010 4:16 PM 21016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

    2010-03-05 c:\windows\Tasks\OGADaily.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

    2010-03-05 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

    2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{0B1DE980-2276-448A-BF6F-46E749383AD0}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: {BA3ED5CB-4935-4B1C-A418-AC9CCE2275C1} - hxxp://hglobal.globalhauri.com/HProduct/LCS2p/globalhauri/CLIENT/LCS2p/web/hLcs2Pre.cab
    FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\a301cii2.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - www.google.com.au
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-06 02:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A53B8C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
    \Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
    \Driver\atapi -> atapi.sys @ 0xb9ef6b3a
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9dffbb0
    PacketIndicateHandler -> NDIS.sys @ 0xb9e0ca21
    SendHandler -> NDIS.sys @ 0xb9dea87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
    "ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(196)
    c:\windows\system32\WININET.dll
    c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-06 02:45:39
    ComboFix-quarantined-files.txt 2010-03-05 15:45
    ComboFix2.txt 2010-02-28 06:54
    ComboFix3.txt 2010-02-28 06:25
    ComboFix4.txt 2010-02-28 02:45

    Pre-Run: 10,123,083,776 bytes free
    Post-Run: 10,264,637,440 bytes free

    - - End Of File - - EA891269D8250223DEE2E5C3F363F5FB


    #10 thewall

    thewall
    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 05 March 2010 - 11:02 AM

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

      "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


    #11 tripplej

    tripplej
    • Topic Starter
    • Members
    • 13 posts

    Posted 05 March 2010 - 11:14 AM

    Here is the log file:

    03:09:44:359 2064 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
    03:09:44:359 2064 ================================================================================
    03:09:44:359 2064 SystemInfo:

    03:09:44:359 2064 OS Version: 5.1.2600 ServicePack: 3.0
    03:09:44:359 2064 Product type: Workstation
    03:09:44:359 2064 ComputerName: SHARON-AVIMTNTW
    03:09:44:359 2064 UserName: Sharon
    03:09:44:359 2064 Windows directory: C:\WINDOWS
    03:09:44:359 2064 Processor architecture: Intel x86
    03:09:44:359 2064 Number of processors: 2
    03:09:44:359 2064 Page size: 0x1000
    03:09:44:375 2064 Boot type: Normal boot
    03:09:44:375 2064 ================================================================================
    03:09:44:375 2064 UnloadDriverW: NtUnloadDriver error 2
    03:09:44:375 2064 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    03:09:44:421 2064 Initialize success
    03:09:44:421 2064
    03:09:44:421 2064 Scanning Services ...
    03:09:44:421 2064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    03:09:44:421 2064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    03:09:44:421 2064 wfopen_ex: Trying to KLMD file open
    03:09:44:421 2064 wfopen_ex: File opened ok (Flags 2)
    03:09:44:421 2064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    03:09:44:421 2064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    03:09:44:421 2064 wfopen_ex: Trying to KLMD file open
    03:09:44:421 2064 wfopen_ex: File opened ok (Flags 2)
    03:09:44:968 2064 GetAdvancedServicesInfo: Raw services enum returned 424 services
    03:09:44:984 2064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    03:09:44:984 2064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    03:09:44:984 2064
    03:09:44:984 2064 Scanning Kernel memory ...
    03:09:44:984 2064 Devices to scan: 2
    03:09:44:984 2064
    03:09:44:984 2064 Driver Name: Disk
    03:09:44:984 2064 IRP_MJ_CREATE : BA10EBB0
    03:09:44:984 2064 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    03:09:44:984 2064 IRP_MJ_CLOSE : BA10EBB0
    03:09:44:984 2064 IRP_MJ_READ : BA108D1F
    03:09:44:984 2064 IRP_MJ_WRITE : BA108D1F
    03:09:44:984 2064 IRP_MJ_QUERY_INFORMATION : 804F4562
    03:09:44:984 2064 IRP_MJ_SET_INFORMATION : 804F4562
    03:09:44:984 2064 IRP_MJ_QUERY_EA : 804F4562
    03:09:44:984 2064 IRP_MJ_SET_EA : 804F4562
    03:09:44:984 2064 IRP_MJ_FLUSH_BUFFERS : BA1092E2
    03:09:44:984 2064 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    03:09:44:984 2064 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    03:09:44:984 2064 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    03:09:44:984 2064 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    03:09:44:984 2064 IRP_MJ_DEVICE_CONTROL : BA1093BB
    03:09:44:984 2064 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
    03:09:44:984 2064 IRP_MJ_SHUTDOWN : BA1092E2
    03:09:44:984 2064 IRP_MJ_LOCK_CONTROL : 804F4562
    03:09:44:984 2064 IRP_MJ_CLEANUP : 804F4562
    03:09:44:984 2064 IRP_MJ_CREATE_MAILSLOT : 804F4562
    03:09:44:984 2064 IRP_MJ_QUERY_SECURITY : 804F4562
    03:09:44:984 2064 IRP_MJ_SET_SECURITY : 804F4562
    03:09:44:984 2064 IRP_MJ_POWER : BA10AC82
    03:09:44:984 2064 IRP_MJ_SYSTEM_CONTROL : BA10F99E
    03:09:44:984 2064 IRP_MJ_DEVICE_CHANGE : 804F4562
    03:09:44:984 2064 IRP_MJ_QUERY_QUOTA : 804F4562
    03:09:44:984 2064 IRP_MJ_SET_QUOTA : 804F4562
    03:09:44:984 2064 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
    03:09:44:984 2064 sion
    03:09:45:000 2064 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    03:09:45:000 2064
    03:09:45:000 2064 Driver Name: atapi
    03:09:45:000 2064 IRP_MJ_CREATE : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_CREATE_NAMED_PIPE : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_CLOSE : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_READ : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_WRITE : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_QUERY_INFORMATION : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_SET_INFORMATION : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_QUERY_EA : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_SET_EA : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_FLUSH_BUFFERS : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_QUERY_VOLUME_INFORMATION : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_SET_VOLUME_INFORMATION : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_DIRECTORY_CONTROL : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_FILE_SYSTEM_CONTROL : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_DEVICE_CONTROL : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_SHUTDOWN : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_LOCK_CONTROL : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_CLEANUP : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_CREATE_MAILSLOT : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_QUERY_SECURITY : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_SET_SECURITY : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_POWER : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_SYSTEM_CONTROL : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_DEVICE_CHANGE : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_QUERY_QUOTA : B9EF6B3A
    03:09:45:000 2064 IRP_MJ_SET_QUOTA : B9EF6B3A
    03:09:45:000 2064 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
    03:09:45:000 2064 TDL3_IrpHookDetect: New IrpHandler addr: 8A53B8C8
    03:09:45:000 2064 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
    03:09:45:000 2064 Driver "atapi" Irp handler infected by TDSS rootkit ... 03:09:45:000 2064 cured
    03:09:45:000 2064 siohd: 0
    03:09:45:015 2064 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
    03:09:45:015 2064 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 03:09:45:015 2064 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    03:09:45:015 2064 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    03:09:45:421 2064 vfvi6
    03:09:45:484 2064 !dsvbh1
    03:09:51:734 2064 dsvbh2
    03:09:51:734 2064 fdfb2
    03:09:51:734 2064 Backup copy found, using it..
    03:09:51:781 2064 will be cured on next reboot
    03:09:51:781 2064 Reboot required for cure complete..
    03:09:51:796 2064 Cure on reboot scheduled successfully
    03:09:51:796 2064
    03:09:51:796 2064 Completed
    03:09:51:796 2064
    03:09:51:796 2064 Results:
    03:09:51:796 2064 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
    03:09:51:796 2064 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    03:09:51:796 2064 File objects infected / cured / cured on reboot: 1 / 0 / 1
    03:09:51:796 2064
    03:09:51:796 2064 UnloadDriverW: NtUnloadDriver error 1
    03:09:51:796 2064 KLMD_Unload: UnloadDriverW(klmd21) error 1
    03:09:51:796 2064 KLMD(ARK) unloaded successfully


    #12 thewall
    • Malware Response Team
    • 6,425 posts
    • Gender: Male
    • Location: Florida

    Posted 05 March 2010 - 11:16 AM

    That looks good, please rerun ComboFix and post the log it produces.
    If I have helped you then please consider donating so I can continue the fight against malware.
    All donations go directly to the helper.

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #13 tripplej
    • Topic Starter
    • Members
    • 13 posts

    Posted 05 March 2010 - 11:36 AM

    Here is the scan:

    ComboFix 10-03-04.05 - Sharon 06/03/2010 3:27.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2038.1403 [GMT 11:00]
    Running from: c:\documents and settings\Sharon\Desktop\New Folder\ComboFix.exe
    AV: HAURI AntiVirus ViRobot *On-access scanning enabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
    .

    2010-03-03 23:21 . 2010-03-03 23:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-03-02 05:47 . 2010-03-05 02:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\HAURI
    2010-03-02 05:16 . 2010-01-04 23:32 33080 ------w- c:\windows\system32\drivers\vracfil.sys
    2010-03-02 05:16 . 2010-01-04 23:32 21016 ------w- c:\windows\system32\drivers\VRsecos.sys
    2010-03-02 05:16 . 2010-01-04 23:32 84736 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
    2010-03-02 05:16 . 2010-03-02 05:35 115072 ----a-w- c:\windows\system32\drivers\vradfil.sys
    2010-03-02 01:31 . 2010-03-02 01:31 869768 ----a-w- c:\windows\system32\lsuni2.exe
    2010-03-02 01:17 . 2010-03-02 04:30 -------- d-----w- c:\windows\system32\LcSkin
    2010-03-02 01:17 . 2010-03-02 05:15 -------- d-----w- c:\program files\HAURI
    2010-02-28 13:29 . 2010-02-28 13:31 -------- d-----w- C:\rsit
    2010-02-28 08:57 . 2010-02-28 11:56 -------- d-----w- c:\program files\Everything
    2010-02-28 02:55 . 2010-02-28 02:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-02-27 13:40 . 2010-03-03 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-27 10:50 . 2010-02-27 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-27 10:49 . 2010-02-28 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-27 10:49 . 2010-02-27 10:49 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-27 06:14 . 2010-02-27 06:14 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Threat Expert
    2010-02-27 06:10 . 2010-03-03 02:05 -------- d-----w- c:\program files\Spyware Doctor
    2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Tools
    2010-02-27 06:10 . 2010-02-27 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-02-25 16:06 . 2010-02-25 16:06 -------- d-----w- c:\program files\Trend Micro
    2010-02-09 13:28 . 2010-02-09 13:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\Nokia
    2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\Sharon\Application Data\PC Suite
    2010-02-09 13:28 . 2010-02-09 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
    2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\PCSuite
    2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\Common Files\Nokia
    2010-02-09 13:26 . 2008-08-25 22:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-02-09 13:26 . 2010-02-09 13:26 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-02-09 13:25 . 2009-10-06 00:52 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-02-09 13:25 . 2010-02-09 13:26 -------- d-----w- c:\program files\Nokia
    2010-02-09 13:25 . 2010-02-09 13:24 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web.exe
    2010-02-09 13:25 . 2010-02-09 13:25 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
    2010-02-09 13:25 . 2010-02-09 13:25 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
    2010-02-09 13:25 . 2010-02-09 13:25 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2010-02-09 13:25 . 2010-02-09 13:25 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
    2010-02-09 13:25 . 2010-02-09 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-05 16:17 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-03-03 13:40 . 2009-11-03 22:54 -------- d-----w- c:\documents and settings\Sharon\Application Data\Canon
    2010-03-03 02:10 . 2008-12-26 15:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-02 05:15 . 2008-08-01 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-01 03:24 . 2009-08-13 18:18 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-03-01 03:23 . 2009-04-03 03:17 -------- d-----w- c:\documents and settings\Sharon\Application Data\Azureus
    2010-03-01 03:23 . 2010-01-03 01:04 -------- d-----w- c:\documents and settings\Sharon\Application Data\vlc
    2010-02-28 02:56 . 2010-01-08 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-28 02:46 . 2010-02-28 02:36 2200 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-28 02:45 . 2010-02-28 02:37 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\program files\Security Task Manager
    2010-02-27 10:38 . 2010-02-27 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2010-02-09 13:26 . 2009-06-25 16:48 -------- d-----w- c:\program files\DIFX
    2010-01-24 08:44 . 2008-08-01 15:59 128728 ----a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-24 08:41 . 2008-10-31 19:47 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-23 06:00 . 2010-01-23 05:59 -------- d-----w- c:\program files\Adobe Media Player
    2010-01-08 22:06 . 2009-09-25 15:56 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-01-08 15:58 . 2010-01-08 06:48 -------- d-----w- c:\program files\PlayBox
    2010-01-08 15:20 . 2010-01-08 15:20 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
    2010-01-08 15:19 . 2010-01-08 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-08 06:48 . 2010-01-08 06:48 -------- d-----w- c:\documents and settings\Sharon\Application Data\PlayBox
    2010-01-08 00:51 . 2009-04-03 03:14 -------- d-----w- c:\program files\Vuze
    2010-01-07 05:07 . 2010-01-08 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 05:07 . 2010-01-08 15:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 23:29 . 2010-03-02 05:16 403051 ------w- c:\windows\system32\drivers\virobot.vib
    2010-01-03 00:59 . 2010-01-03 01:00 737280 ----a-w- c:\windows\iun6002.exe
    2009-12-18 07:15 . 2009-12-18 07:15 1324504 ----a-w- c:\windows\system32\hIns2p.exe
    2009-12-15 12:32 . 2009-12-15 12:32 3638 ----a-r- c:\documents and settings\Sharon\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
    2009-12-11 05:46 . 2009-12-11 05:46 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    2009-08-13 18:18 . 2009-08-13 18:18 88 --sh--r- c:\windows\system32\A0EC11609E.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-02-28_06.48.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-05 16:18 . 2010-03-05 16:18 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
    - 2001-08-23 12:00 . 2010-02-28 05:53 90340 c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2010-03-05 16:23 90340 c:\windows\system32\perfc009.dat
    + 2005-02-13 18:55 . 2005-02-13 18:55 126976 c:\windows\system32\vrpacker.dll
    + 2001-08-23 12:00 . 2010-03-05 16:23 491506 c:\windows\system32\perfh009.dat
    - 2001-08-23 12:00 . 2010-02-28 05:53 491506 c:\windows\system32\perfh009.dat
    + 2002-05-12 23:24 . 2002-05-12 23:24 155648 c:\windows\system32\HVrunzip.dll
    + 2009-08-04 23:53 . 2009-08-04 23:53 543416 c:\windows\system32\hksec.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]

    [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
    2010-02-16 06:55 2349080 ----a-w- c:\program files\Mininova-Vuze\tbMin1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D51D388B-F5DC-471A-A1CE-5E2D671091C0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2010-02-16 2349080]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-20 90112]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-06-04 1400944]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
    "SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
    "SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
    "SetDefPrt2"="c:\program files\Brother\Brmfl06b\BrStDvPt.exe" [2005-01-26 49152]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
    "RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-13 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-12-11 66864]
    Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2009-9-19 151552]
    Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2009-9-19 106496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\D-Link\\SharePort\\SharePort Network USB Utility.exe"=
    "c:\\Program Files\\Aurora\\Aurora.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "58905:TCP"= 58905:TCP:Pando
    "58905:UDP"= 58905:UDP:Pando
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 1:03 PM 169312]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 3:16 PM 79432]
    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [29/08/2009 3:27 PM 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [29/08/2009 3:28 PM 234888]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [27/03/2009 4:54 PM 165160]
    R2 hpcsvc;ViRobot Communication Service;c:\program files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe [2/03/2010 4:16 PM 513616]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [23/12/2009 4:11 PM 14976]
    R2 ViRobot Common Scan Service;ViRobot Common Scan Service;c:\program files\HAURI\Common\Base\vrscan.exe [2/03/2010 4:16 PM 172032]
    R3 DlinkUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\DlinkUDSMBus.sys [11/11/2008 4:01 PM 74624]
    R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2/03/2010 4:16 PM 84736]
    S2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [9/05/2009 9:36 AM 192512]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [27/12/2008 3:23 PM 1684736]
    S3 benqusbser;BenQ Handset USB Device for Legacy Serial Communication;c:\windows\system32\drivers\BenQusbser.sys [26/03/2008 7:48 AM 100992]
    S3 DlinkUDSTcpBus;DlinkUDSTcpBus;c:\windows\system32\drivers\DlinkUDSTcpBus.sys [11/11/2008 4:01 PM 97664]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [18/08/2005 7168]
    S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [10/11/2009 1:46 PM 572544]
    S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [26/09/2009 3:10 AM 352000]
    S3 vrrepair;ViRobot Repairing Service;c:\program files\HAURI\Common\Base\vrrepair.exe [2/03/2010 4:16 PM 502368]
    S3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2/03/2010 4:16 PM 21016]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMDB
    *Deregistered* - klmdb

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

    2010-03-05 c:\windows\Tasks\OGADaily.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

    2010-03-05 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

    2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{0B1DE980-2276-448A-BF6F-46E749383AD0}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: {BA3ED5CB-4935-4B1C-A418-AC9CCE2275C1} - hxxp://hglobal.globalhauri.com/HProduct/LCS2p/globalhauri/CLIENT/LCS2p/web/hLcs2Pre.cab
    FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\a301cii2.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - www.google.com.au
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-klmdb.sys



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-06 03:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
    "ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3344)
    c:\windows\system32\WININET.dll
    c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-06 03:36:25
    ComboFix-quarantined-files.txt 2010-03-05 16:36
    ComboFix2.txt 2010-03-05 15:45
    ComboFix3.txt 2010-02-28 06:54
    ComboFix4.txt 2010-02-28 06:25
    ComboFix5.txt 2010-03-05 16:27

    Pre-Run: 10,291,388,416 bytes free
    Post-Run: 10,277,724,160 bytes free

    - - End Of File - - C1BAD4A13F445F1A81BB4C991DB128D4


    #14 thewall
    • Malware Response Team
    • 6,425 posts
    • Gender: Male
    • Location: Florida

    Posted 05 March 2010 - 12:00 PM

    I notice you are using P2P programs such as Limewire. These programs present a danger to your machine and leave you open to possible infection. Whether you continue to use them is of course up to you, but I do want to give you the following information on them.

    Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case Limewire). These programs allow users to share files between them, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

    It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology".

    You also have the ports listed below open, which can sometimes lead to problems. If you want to leave them open, let me know; if not, I can script them closed:

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "58905:TCP"= 58905:TCP:Pando
    "58905:UDP"= 58905:UDP:Pando
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    When you reply also let me know if the redirections have stopped yet.

    #15 tripplej
    • Topic Starter
    • Members
    • 13 posts

    Posted 05 March 2010 - 12:11 PM

    The redirecting seems to have been fixed.

    I actually don't use Limewire; I probably should delete it.

    As for the ports open on the following:

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "58905:TCP"= 58905:TCP:Pando
    "58905:UDP"= 58905:UDP:Pando
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    SharePort I used to connect to the USB on the router.

    I have no idea what DHCP Discovery Service is. Pando I will probably uninstall, but I normally disable it when I log on.

    I would say the Adobe one is there for when I upload pages.

    If you scripted them closed, would that present a problem when I run the program? Would it open the ports?

    Could you please tell me, with the programs we ran, what appeared to be the problem with this machine? Was it a virus, spyware, etc.?

    And I currently use Norton, but obviously that hasn't been doing the job. What is the best program to protect my machine?

    Thanks again for all your help



