Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


XP Smart Security left me a search redirect present

  • This topic is locked This topic is locked
2 replies to this topic

#1 mrmattmedia


  • Members
  • 3 posts
  • Local time:02:50 AM

Posted 15 April 2010 - 10:18 AM

I was infected with XP Smart Security but removed it with help from bleepingcomputer posts. Now I have found a search redirect problem that was left behind. I have searched high and low and run a bunch of different scans but the only solution that looks like it might work is the Gmer/Combo Fix approach and I need some hep to do that. I have run Symante Endpoint, Malwarebytes, Hitman Pro, Webroot Spy Sweeper, HiJack This and Spybot S&D. None have found anything significant. I ran the DDS scan as directed. I also have attempted to run Gmer scans as directed but it crashes repeatedly, I even redownloaded it from another location and that did not fix it either. It would scan for 30+ minutes and not find anything but would give me the BSOD and I would have to restart my machine. It is currently unnplugged from the network and I am posting from another machine.
I am running one more Gmer scan and will note the error message that I get when it crashes.
Also based on my searching I have now updated my Java and removed old versions, and my Adobe Reader should be up-to-date.
One other thing, I see below my Symantec is showing as outdated, we are in the process of replacing it for the office so the definitions are about a month old. We intend to replace it in the next week or so based on our IT service providers advice.

Thank you very much for all your help.

Here is my DDS.txt log

DDS (Ver_10-03-17.01) - NTFSx86
Run by matt at 10:31:26.84 on Thu 04/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.455 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Binn\sqlservr.exe
C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\matt.BENEFIT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\matt.BENEFIT\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bcibenefits.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [CardScan AutoSync]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Google Update] "c:\documents and settings\matt.benefit\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [sealmon] "c:\program files\sealedmedia\sealmon.exe"
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF Converter Registry Controller] "c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\\RegistryController.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_03\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\matt~1.ben\startm~1\programs\startup\bcprog~1.lnk - c:\program files\benefitconceptsprogram\BCProgram.mdb
StartupFolder: c:\docume~1\matt~1.ben\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\belkin\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\IEShellExt.dll /100
IE: Send To &Bluetooth - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {670F87A1-88B0-11d4-9030-000021D9C559} - c:\program files\kmt software\high impact email 3.0\HIE3.exe
IE: {C4A67F75-88B2-11d4-9030-000021D9C559} - c:\program files\kmt software\high impact email 3.0\HIE3.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://nfp.on.intercall.com/confmgr/installs/ICWMInstall.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108743670750
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nfp.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {0946BE3D-3EAA-4172-BBD6-F0B4A1464705} =
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
Hosts: www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 CorexCardScan;CardScan USB Scanner;c:\windows\system32\drivers\slcorex.sys [2004-8-14 8448]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-4 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-4 108392]
R2 MSSQL$ACMIC;MSSQL$ACMIC;c:\program files\microsoft sql server\mssql$acmic\binn\sqlservr.exe -sacmic --> c:\program files\microsoft sql server\mssql$acmic\binn\sqlservr.exe -sACMIC [?]
R2 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [2004-8-14 13824]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\common files\icwm\printer\RDIConverterService.exe [2008-6-19 64888]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2008-4-4 2234296]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-18 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100215.068\NAVENG.SYS [2010-2-16 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100215.068\NAVEX15.SYS [2010-2-16 1324720]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\dm150drv.sys --> c:\windows\system32\drivers\DM150Drv.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-2-21 13352]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec antivirus\smclu\setup\smcinst.exe --> c:\program files\symantec antivirus\smclu\setup\smcinst.exe [?]
S3 SQLAgent$ACMIC;SQLAgent$ACMIC;c:\program files\microsoft sql server\mssql$acmic\binn\sqlagent.exe -i acmic --> c:\program files\microsoft sql server\mssql$acmic\binn\sqlagent.EXE -i ACMIC [?]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-04-14 17:49:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-14 15:21:59 0 d-----w- c:\program files\MSSOAP
2010-04-14 15:21:08 0 d-----w- c:\program files\Webroot
2010-04-14 15:05:50 164 ----a-w- c:\windows\install.dat
2010-04-13 21:11:56 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-13 21:11:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-13 20:29:43 0 d-sh--w- c:\documents and settings\matt.benefit\IECompatCache
2010-04-13 20:29:25 0 d-sh--w- c:\documents and settings\matt.benefit\PrivacIE
2010-04-13 20:26:45 0 d-sh--w- c:\documents and settings\matt.benefit\IETldCache
2010-04-13 20:18:11 0 dc-h--w- c:\windows\ie8
2010-04-13 19:42:33 294912 ----a-w- c:\windows\system32\SET12AE.tmp
2010-04-13 19:42:33 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2010-04-13 18:22:09 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-13 18:19:05 0 d-----w- c:\program files\TrendMicro
2010-04-13 14:31:10 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-13 14:30:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-11 18:28:48 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 15:56:02 54016 ----a-w- c:\windows\system32\drivers\tiqbsp.sys
2010-03-18 20:19:02 0 d-----w- c:\program files\YouTube Downloader

==================== Find3M ====================

2010-04-15 00:22:50 162816 ----a-w- c:\windows\system32\drivers\NETBT.SYS
2010-04-15 00:22:50 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2010-04-14 17:49:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 13:59:35 72080 -c--a-w- c:\documents and settings\matt.benefit\g2mdlhlpx.exe
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-11 21:51:32 80380 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-09 17:01:36 28444 ----a-w- c:\windows\fonts\englbesh.ttf
2010-02-09 17:01:27 13764 ----a-w- c:\windows\fonts\SWYAVIN4.TTF
2010-02-09 17:01:18 13900 ----a-w- c:\windows\fonts\Jedi Solid.TTF
2010-02-09 17:01:06 24856 ----a-w- c:\windows\fonts\Aurek.ttf
2010-02-09 17:01:06 24748 ----a-w- c:\windows\fonts\AUREKNA.TTF
2010-02-09 17:00:54 13296 ----a-w- c:\windows\fonts\AUREHAND.TTF
2010-02-09 17:00:39 34148 ----a-w- c:\windows\fonts\Stjldbl1.ttf
2010-02-09 17:00:39 29840 ----a-w- c:\windows\fonts\Stjldbl2.ttf
2010-02-09 17:00:39 25684 ----a-w- c:\windows\fonts\Strjmono.ttf
2009-05-19 18:56:08 3032828 -c--a-w- c:\program files\mgcontrol65.exe

============= FINISH: 10:33:06.48 ===============

attach.txt is attached as directed.

Hi these are the results from steps 6 to 9 of the preparation guide. I down loaded Combofix but have not ran it as far as I know. Logged on as general user get open with box when trying to use quick links to use Firefox,Comodo firewall etc.
Hope this helps in finding the problem.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jethroww at 9:19:19.53 on Thu 04/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1471.824 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesLClockLClock.exe
C:Program FilesComodoCBOCleanBOCORE.exe
C:Program FilesComodoFirewallCPF.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesMicrosoft IntelliType Proitype.exe
C:Program FilesLexmark 5600-6600 Serieslxdumon.exe
C:Program FilesComodoFirewallcmdagent.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesTaskSwitchXPTaskSwitchXP.exe
C:Program FilesLexmark 5600-6600 SerieslxduMsdMon.exe
C:Program FilesFree Download Managerfdm.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesAVGAVG8avgcsrvx.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsJethrowwDesktopDefogger.exe
C:Documents and SettingsJethrowwDesktopdds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg8toolbarIEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg8toolbarIEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 7.0activexAcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:program fileslexmark toolbartoolband.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg8avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:program filesavgavg8toolbarIEToolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:program filesfree download manageriefdmcks.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:program fileslexmark printable webbho.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:program fileslexmark toolbartoolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:program filesavgavg8toolbarIEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [TaskSwitchXP] c:program filestaskswitchxpTaskSwitchXP.exe
uRun: [Free Download Manager] c:program filesfree download managerfdm.exe -autorun
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
mRun: [LClock] c:program fileslclockLClock.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [COMODO Firewall Pro] "c:program filescomodofirewallCPF.exe" /background
mRun: [BOC-425] c:progra~1comodocbocleanBOC425.exe
mRun: [itype] "c:program filesmicrosoft intellitype proitype.exe"
mRun: [lxdumon.exe] "c:program fileslexmark 5600-6600 serieslxdumon.exe"
mRun: [lxduamon] "c:program fileslexmark 5600-6600 serieslxduamon.exe"
mRun: [AVG8_TRAY] c:progra~1avgavg8avgtray.exe
mRun: [QuickTime Task] "c:program filesquicktimeQTTask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [HitmanPro35] "c:program filebleepman pro 3.5HitmanPro35.exe" /scan:boot
dRun: [TaskSwitchXP] c:program filestaskswitchxpTaskSwitchXP.exe
dRun: [addon_ql] c:windowssystem32dgfix.exe
dRun: [Free Download Manager] c:program filesfree download managerfdm.exe -autorun
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%System32syssetub.dll" "%SystemRoot%System32syssetup.dll"
dRunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadober~1.lnk - c:program filesadobeacrobat 7.0readerreader_sl.exe
StartupFolder: c:documents and settingsall usersstart menuprogramsstartupKiltemp.cmd
StartupFolder: c:docume~1alluse~1startm~1programsstartupmicros~1.lnk - c:program filesmicrosoft officeoffice10OSA.EXE
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: Download all with Free Download Manager - file://c:program filesfree download managerdlall.htm
IE: Download selected with Free Download Manager - file://c:program filesfree download managerdlselected.htm
IE: Download with Free Download Manager - file://c:program filesfree download managerdllink.htm
IE: E&xport to Microsoft Excel - c:progra~1micros~1office10EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
Trusted Zone: secunia.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241582528421
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241582442984
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:program filescommon filesmicrosoft sharedweb foldersPKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:program filesavgavg8avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1jethrowwapplic~1mozillafirefoxprofilesubyl4j3o.default
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:program filesavgavg8firefoxcomponentsavgssff.dll
FF - component: c:program filesavgavg8toolbarfirefoxavg@igearedcomponentsIGeared_tavgp_xputils2.dll
FF - component: c:program filesavgavg8toolbarfirefoxavg@igearedcomponentsIGeared_tavgp_xputils3.dll
FF - component: c:program filesavgavg8toolbarfirefoxavg@igearedcomponentsIGeared_tavgp_xputils35.dll
FF - component: c:program filesavgavg8toolbarfirefoxavg@igearedcomponentsxpavgtbapi.dll
FF - plugin: c:documents and settingsjethrowwapplication datamozillafirefoxprofilesubyl4j3o.defaultextensions{e2883e8f-472f-4fb0-9522-ac9bf37916a7}pluginsnp_gp.dll

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:windowssystem32driversavgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:windowssystem32driversAvgArCln.sys [2008-3-17 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [2009-5-11 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:windowssystem32driversavgmfx86.sys [2007-11-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:windowssystem32driversavgtdix.sys [2009-5-11 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:progra~1avgavg8avgemc.exe [2009-8-20 908056]
R2 avg8wd;AVG Free8 WatchDog;c:progra~1avgavg8avgwdsvc.exe [2009-8-20 297752]
R2 BOCore;BOCore;c:program filescomodocbocleanBOCore.exe [2007-12-29 73472]
R2 CmdAgent;Comodo Application Agent;c:program filescomodofirewallcmdagent.exe [2007-11-7 361040]
R2 lxdu_device;lxdu_device;c:windowssystem32lxducoms.exe -service --> c:windowssystem32lxducoms.exe -service [?]
S0 gmncxh;gmncxh;c:windowssystem32driversyvil.sys --> c:windowssystem32driversyvil.sys [?]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:windowssystem32spooldriversw32x863lxduserv.exe [2009-2-15 98984]
S3 NPF;NetGroup Packet Filter Driver;c:windowssystem32driversnpf.sys [2005-10-20 32000]
S3 PSI;PSI;c:windowssystem32driverspsi_mf.sys [2009-3-24 7808]

============== File Associations ===============

inffile=c:windowssystem32NOTEPAD2.EXE %1
inifile=c:windowssystem32NOTEPAD2.EXE %1
txtfile=c:windowsNOTEPAD.EXE %1

=============== Created Last 30 ================

2010-04-15 14:14:44 0 ----a-w- c:documents and settingsjethrowwdefogger_reenable
2010-04-15 13:47:00 0 d-----w- c:program filesMSXML 4.0
2010-04-14 18:39:00 331776 -c----w- c:windowssystem32dllcachemsadce.dll
2010-04-14 18:38:55 1315328 -c----w- c:windowssystem32dllcachemsoe.dll
2010-04-14 18:38:05 272128 -c----w- c:windowssystem32dllcachebthport.sys
2010-04-14 18:37:45 81920 -c----w- c:windowssystem32dllcachefontsub.dll
2010-04-14 18:37:45 119808 -c----w- c:windowssystem32dllcachet2embed.dll
2010-04-14 18:37:45 119808 ----a-w- c:windowssystem32SET16F.tmp
2010-04-14 18:37:38 353792 -c----w- c:windowssystem32dllcachesrv.sys
2010-04-14 18:37:20 153088 -c----w- c:windowssystem32dllcachetriedit.dll
2010-04-14 18:36:26 455680 -c----w- c:windowssystem32dllcachemrxsmb.sys
2010-04-14 18:34:45 471552 -c----w- c:windowssystem32dllcacheaclayers.dll
2010-04-14 18:34:31 1172480 ------w- c:windowssystem32SETFB.tmp
2010-04-14 18:33:49 203136 -c----w- c:windowssystem32dllcachermcast.sys
2010-04-14 18:26:39 691712 -c----w- c:windowssystem32dllcacheinetcomm.dll
2010-04-14 18:25:18 594432 ----a-w- c:windowssystem32SET65.tmp
2010-04-14 18:25:17 55296 ----a-w- c:windowssystem32SET64.tmp
2010-04-14 18:25:16 916480 ----a-w- c:windowssystem32SET5F.tmp
2010-04-14 18:25:15 1985536 ----a-w- c:windowssystem32SET68.tmp
2010-04-14 18:25:14 1209344 ----a-w- c:windowssystem32SET60.tmp
2010-04-14 18:25:13 5944832 ----a-w- c:windowssystem32SET63.tmp
2010-04-14 18:24:25 337408 -c----w- c:windowssystem32dllcachenetapi32.dll
2010-04-14 18:24:25 337408 ----a-w- c:windowssystem32SET4B.tmp
2010-04-14 18:24:21 1172480 -c----w- c:windowssystem32dllcachemsxml3.dll
2010-04-14 18:23:31 2560 ------w- c:windowssystem32xpsp4res.dll
2010-04-14 18:23:30 215552 -c----w- c:windowssystem32dllcachewordpad.exe
2010-04-14 18:23:30 1206508 -c----w- c:windowssystem32dllcachesysmain.sdb
2010-04-14 18:10:56 274288 ----a-w- c:windowssystem32mucltui.dll
2010-04-14 18:10:56 16736 ----a-w- c:windowssystem32mucltui.dll.mui
2010-04-14 14:09:13 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-04-14 14:09:11 20824 ----a-w- c:windowssystem32driversmbam.sys
2010-04-14 14:09:11 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-04-14 14:02:17 0 d--h--w- c:windowsPIF
2010-04-12 01:09:30 12872 ----a-w- c:windowssystem32bootdelete.exe
2010-04-12 01:04:44 15944 ----a-w- c:windowssystem32driverbleepmanpro35.sys
2010-04-12 01:00:57 0 d-----w- c:docume~1alluse~1applic~1Hitman Pro
2010-04-12 01:00:52 0 d-----w- c:program filebleepman Pro 3.5

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:windowssystem32vbscript.dll
2010-02-25 16:54:36 11070976 ----a-w- c:windowssystem32SET6A.tmp
2010-02-24 13:11:07 455680 ----a-w- c:windowssystem32driversmrxsmb.sys
2010-02-17 14:10:28 2189952 ----a-w- c:windowssystem32ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:windowssystem32ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:windowssystem326to4svc.dll

============= FINISH: 9:19:42.06 ===============

Hi I ran Atf and Superantispyware and will post the resutls. While SAS was running this popped up at the bottom

superantispyware.exe corrupt file
the file or directory C: is corrupt and unreadable Please run CHKdsk utility

Does this mean anything?

SUPERAntiSpyware Scan Log

Generated 04/17/2010 at 00:42 AM

Application Version : 4.35.1002

Core Rules Database Version : 4744
Trace Rules Database Version: 2629

Scan type : Complete Scan
Total Scan Time : 01:32:45

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 4796
Registry threats detected : 0
File items scanned : 72704
File threats detected : 0

Thanks Jethroww hysterical.gif

Merged posts. ~ OB

After some more reading and another failure of GMER (for a different reason each time) I kept reading and tried two other programs. F-Secure Blacklight did not find anything. I then tried RootRepeal and here is the log of what it found:

FYI - the problem seems to come and go, like it is either in the System Restore or the door to the net is being left open and it eventually finds it way back in.



ROOTREPEAL AD, 2007-2009
Scan Start Time: 2010/04/15 14:53
Program Version: Version
Windows Version: Windows XP SP2

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5787000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86f88320

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86de0900

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86e89650

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86da8960

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86f6e528

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86eec328

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86f65110

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x86e21450

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86fcdd78

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86f79938

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86f79888

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86dc23d8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x86e24fc0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86ef7220

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86dd6e50

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86f70d90

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86fcda58

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86f17b00

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86ee41a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86ef47d8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86e3f2b0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86ec6b48

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86e23300

Hidden Services
Service Name: fsbl-standalone
Image Path: C:\DOCUME~1\MATT~1.BEN\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys


Two others things I have noticed:

1. Now it only seems to change searches on Yahoo and Bing but not Google.

2. When it does redirect a search there brief flash of a cursive Q or maybe a 2 in the address bar.

Merged 3 posts. ~ OB

Attached Files

Edited by Orange Blossom, 18 April 2010 - 08:50 AM.

BC AdBot (Login to Remove)


#2 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:08:50 AM

Posted 19 April 2010 - 10:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#3 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:08:50 AM

Posted 24 April 2010 - 04:17 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users