Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect Problem


  • This topic is locked This topic is locked
21 replies to this topic

#1 Andy77

Andy77

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 04 June 2010 - 01:55 PM

Hi,

I recently posted the following topic for the Google redirect problem I'm having.

http://www.bleepingcomputer.com/forums/topic320484.html

I've followed the advice given by Orange Blossom and created the logs from step 6 onwards in the below guide.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

I hope you can help me with this problem as I can't see how the redirects are happening at all.

Thanks in advance,
Andy.

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:46 PM

Posted 07 June 2010 - 01:53 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Andy77

Andy77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 09 June 2010 - 01:50 PM

Hi,

Apologies for not responding sooner, but the gmer scan took some time to complete.

Just to confirm I'm still having the redirect problem. I have also noticed some redirects on websites other than Google.

I've attached new versions of the Attach, DDS and Ark logs.

Hope you can help me with this problem.

Thanks,
Andy.

Attached Files



#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 09 June 2010 - 09:33 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if your topic is not replied I we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt
* Still redirected?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 11 June 2010 - 09:57 PM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 15 June 2010 - 07:18 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 20 June 2010 - 09:36 PM

Welcome back. smile.gif

Since quite a bit of time has elapsed please do this!

==========

First please review my intro in regards to important info.

==========

Next.....

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

==========

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.
QUOTE
To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

==========
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.


    Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All

  4. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  5. Push
  6. A report will open. Copy and Paste that report in your next reply.
  7. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


==========

With your next post please provide:

* OTL.txt
* Extra.txt
* RKU log
* What problems are you currently experiencing?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 Andy77

Andy77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 21 June 2010 - 05:50 PM

Hi,

Apologies for not responding before but I was on holiday and did not have access to the internet or my infected computer.

Thanks for the help you have provided so far.

I've run the OTL and RKU scans and attached the log files.

Also I noticed the following text in the RKU application Report window:
Nothing detected :-(

I've included it as the text does not appear in the RKU text log file.

I'm using IE 8 as my browser and when I do a search using the google toolbar and click on a result I get redirected to a random website. The sites change regularly. The problem also occurs when I search using the search box on the google website itself. However the redirection seems to be more intermittent.

Should I download and run the combofix program as instructed in your post on the 9th of June?

Thanks,
Andy.

Attached Files


Edited by Andy77, 21 June 2010 - 06:24 PM.


#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 21 June 2010 - 05:59 PM

Hello,

Please copy and paste all logs unless I direct you otherwise <-- Important!!!!!!!

excl.gif P2P Warning excl.gif

Your log indicates that you have Azureus, eMule and Limewire installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall Azureus, eMule and Limewire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 Andy77

Andy77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 22 June 2010 - 04:37 PM

Looks like running combofix worked. I haven't had any redirects since executing the application and my computer is working as normal.

I've attached the 2 combofix logs.

I'll keep testing google searches and confirm tomorrow if the redirects have completely gone.

Many thanks for your advice to use combofix.

Cheers,
Andy.




Attached Files



#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 22 June 2010 - 05:17 PM

Hi there,

We are not done yet!! Your still infected!!!

Did you miss this?
QUOTE
Please copy and paste all logs unless I direct you otherwise <-- Important!!!!!!!


I will copy and paste the logs for you. I will need to review those logs then I will post your next steps.

Please reply to this post before we continue.

Thanks,
~ t

==========

ComboFix 10-06-21.01 - Andy 22/06/2010 0:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1048 [GMT 1:00]
Running from: c:\documents and settings\Andy\Desktop\software\bleeping computer instructs\thcbytes.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andy\Application Data\Sky-Banners
c:\documents and settings\Andy\Application Data\Sky-Banners\skb\log.xml
c:\documents and settings\Andy\Application Data\Street-Ads
c:\documents and settings\Andy\Local Settings\Application Data\Windows Server
c:\documents and settings\Andy\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Andy\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\system32\Cache
c:\windows\system32\hlp.dat
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-19 18:48 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-31 20:41 . 2010-05-31 20:41 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\PCHealth
2010-05-31 13:22 . 2010-05-31 13:26 -------- dc-h--w- c:\windows\ie8
2010-05-29 16:46 . 2010-05-29 16:46 -------- d-----w- c:\documents and settings\Andy\Application Data\SUPERAntiSpyware.com
2010-05-29 16:46 . 2010-05-29 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-29 16:46 . 2010-05-29 16:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 15:10 . 2010-05-29 15:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-29 14:38 . 2010-06-21 20:09 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-29 14:37 . 2010-05-29 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-29 14:37 . 2010-05-29 14:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes
2010-05-29 11:46 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-29 11:46 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 03:41 . 2010-05-29 01:45 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-29 03:21 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-29 03:15 . 2010-05-29 03:17 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-29 01:46 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-29 01:46 . 2010-05-29 01:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-29 01:41 . 2010-05-29 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-29 01:39 . 2010-05-29 01:39 -------- d-----w- c:\program files\Trend Micro
2010-05-29 01:03 . 2010-05-29 01:40 -------- d-----w- c:\program files\Lavasoft
2010-05-29 01:03 . 2010-05-29 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-28 23:42 . 2010-05-29 15:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 23:40 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-05-28 23:40 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-05-28 23:40 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-05-28 23:40 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-05-28 23:40 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-05-28 23:40 . 2010-05-28 23:40 -------- d-----w- c:\program files\Trojan Remover
2010-05-28 23:40 . 2010-05-28 23:40 -------- d-----w- c:\documents and settings\Andy\Application Data\Simply Super Software
2010-05-28 23:40 . 2010-05-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-05-28 20:31 . 2010-05-28 23:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 20:31 . 2010-05-28 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 00:23 . 2007-10-27 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-06-20 19:55 . 2010-02-21 21:37 -------- d-----w- c:\program files\FinePixViewer
2010-06-06 13:39 . 2009-11-12 00:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 12:38 . 2009-06-20 20:20 -------- d-----w- c:\program files\Bonjour
2010-05-29 14:31 . 2006-12-09 20:48 -------- d-----w- c:\program files\Google
2010-05-26 23:07 . 2010-05-07 01:03 1190892 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3903979473-2110481818-349968063-1005-0.dat
2010-05-26 23:07 . 2010-05-07 01:03 213046 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-05-23 20:21 . 2010-05-06 19:00 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-05-22 20:30 . 2010-05-22 20:30 -------- d-----w- c:\documents and settings\Andy\Application Data\Microsoft Corporation
2010-05-06 19:45 . 2007-08-25 16:58 -------- d-----w- c:\program files\Microsoft SDKs
2010-05-06 19:10 . 2010-05-06 19:10 -------- d-----w- c:\program files\IIS
2010-05-06 19:05 . 2006-12-02 17:19 55056 ----a-w- c:\documents and settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 19:00 . 2010-05-06 19:00 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-05-06 10:41 . 2006-09-13 12:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 21:58 . 2006-12-02 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-05 21:45 . 2007-08-25 16:58 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-05-02 05:22 . 2006-09-13 12:42 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 20:08 . 2010-04-26 20:08 -------- d-----w- c:\program files\Open XML SDK
2010-04-20 05:30 . 2006-09-13 12:41 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-29 21:01 . 2010-03-29 21:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-29 21:01 . 2010-03-29 21:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2004-08-10 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 . 5D567A625ECB5B4728130E4B31CA87EF . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2004-08-10 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll

[7] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2help.dll
[-] 2008-04-14 . 6388CB57165A1496B75333BB7492CCA9 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
[-] 2004-08-10 . 9BEACB911CA61E5881102188AB7FB431 . 19968 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2help.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-29 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"TPSMain"="TPSMain.exe" [2005-08-03 266240]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"TFncKy"="TFncKy.exe" [BU]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 16860672]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-19 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-27 1165192]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-21 6112064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Andy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2010-2-21 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [29/05/2010 02:46 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [26/05/2010 18:03 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [26/05/2010 18:03 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [22/05/2010 19:16 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [25/05/2010 23:30 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [26/05/2010 18:03 116784]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [25/05/2010 23:28 126392]
R2 SAP DBTech-NSP;MAXDB: NSP;c:\sapdb\NSP\db\pgm\kernel.exe [19/10/2008 19:06 9203712]
R2 SAPNSP_00;SAPNSP_00;c:\sap\NSP\SYS\exe\run\sapstartsrv.exe [19/10/2008 19:43 4022272]
R2 XServer;XServer;c:\sapdb\programs\pgm\serv.exe [19/10/2008 19:06 614400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 20:54 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100617.005\IDSXpx86.sys [19/06/2010 19:28 331640]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [14/09/2006 12:10 7040]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 23:03 135664]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [19/03/2010 22:14 423576]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1314704]
S3 SAP DBTech-.M770423 (slow);MAXDB: .M770423 (slow);c:\sapdb\NSP\db\pgm\slowknl.exe [19/10/2008 19:06 17477632]
S3 SAP DBTech-.M770423;MAXDB: .M770423;c:\sapdb\NSP\db\pgm\kernel.exe [19/10/2008 19:06 9203712]
S3 SAP DBTech-NSP (slow);MAXDB: NSP (slow);c:\sapdb\NSP\db\pgm\slowknl.exe [19/10/2008 19:06 17477632]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S3 TFBULK;Topfield USB client driver;c:\windows\system32\drivers\TfBulk.sys [26/08/2003 06:11 41996]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [31/03/2009 09:44 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 08:01 2799808]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 04:09 239336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/04/2007 17:53 682232]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 04:23 366936]
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:45]

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 22:03]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 22:03]

2010-06-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 17:02]

2010-06-22 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 17:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\15utlcw9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://192.168.2.1/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-InstallShield_{2C38F661-26B7-445D-B87D-B53FE2D3BD42} - c:\progra~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{4497AFF6-98C4-4F49-B073-F48F42BCBF9E} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-SAP DB (ALL) - c:\sapdb\programs\bin\SDBSETUP
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-tpgtvfguduiosmgc - c:\windows\system32\tpgtvfguduiosmgc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 01:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Andy\LOCALS~1\Temp\Perflib_Perfdata_11dc.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3903979473-2110481818-349968063-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4648)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\ehome\mcrdsvc.exe
c:\sapdb\NSP\db\pgm\dbmsrv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\AGRSMMSG.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\windows\RTHDCPL.EXE
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-22 01:36:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 00:36

Pre-Run: 3,154,837,504 bytes free
Post-Run: 4,432,252,928 bytes free

- - End Of File - - 300802465BB26A4C5D9E61C05A1DB565


ComboFix 10-06-21.01 - Andy 22/06/2010 1:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1151 [GMT 1:00]
Running from: c:\documents and settings\Andy\Desktop\software\bleeping computer instructs\thcbytes.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-19 18:48 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-31 20:41 . 2010-05-31 20:41 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\PCHealth
2010-05-31 13:22 . 2010-05-31 13:26 -------- dc-h--w- c:\windows\ie8
2010-05-29 16:46 . 2010-05-29 16:46 -------- d-----w- c:\documents and settings\Andy\Application Data\SUPERAntiSpyware.com
2010-05-29 16:46 . 2010-05-29 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-29 16:46 . 2010-05-29 16:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 15:10 . 2010-05-29 15:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-29 14:38 . 2010-06-22 00:24 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-29 14:37 . 2010-05-29 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-29 14:37 . 2010-05-29 14:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes
2010-05-29 11:46 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-29 11:46 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 03:41 . 2010-05-29 01:45 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-29 03:21 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-29 03:15 . 2010-05-29 03:17 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-29 01:46 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-29 01:46 . 2010-05-29 01:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-29 01:41 . 2010-05-29 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-29 01:39 . 2010-05-29 01:39 -------- d-----w- c:\program files\Trend Micro
2010-05-29 01:03 . 2010-05-29 01:40 -------- d-----w- c:\program files\Lavasoft
2010-05-29 01:03 . 2010-05-29 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-28 23:42 . 2010-05-29 15:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 23:40 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-05-28 23:40 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-05-28 23:40 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-05-28 23:40 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-05-28 23:40 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-05-28 23:40 . 2010-05-28 23:40 -------- d-----w- c:\program files\Trojan Remover
2010-05-28 23:40 . 2010-05-28 23:40 -------- d-----w- c:\documents and settings\Andy\Application Data\Simply Super Software
2010-05-28 23:40 . 2010-05-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-05-28 20:31 . 2010-05-28 23:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 20:31 . 2010-05-28 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 01:02 . 2007-10-27 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-06-20 19:55 . 2010-02-21 21:37 -------- d-----w- c:\program files\FinePixViewer
2010-06-06 13:39 . 2009-11-12 00:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 12:38 . 2009-06-20 20:20 -------- d-----w- c:\program files\Bonjour
2010-05-29 14:31 . 2006-12-09 20:48 -------- d-----w- c:\program files\Google
2010-05-26 23:07 . 2010-05-07 01:03 1190892 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3903979473-2110481818-349968063-1005-0.dat
2010-05-26 23:07 . 2010-05-07 01:03 213046 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-05-23 20:21 . 2010-05-06 19:00 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-05-22 20:30 . 2010-05-22 20:30 -------- d-----w- c:\documents and settings\Andy\Application Data\Microsoft Corporation
2010-05-06 19:45 . 2007-08-25 16:58 -------- d-----w- c:\program files\Microsoft SDKs
2010-05-06 19:10 . 2010-05-06 19:10 -------- d-----w- c:\program files\IIS
2010-05-06 19:05 . 2006-12-02 17:19 55056 ----a-w- c:\documents and settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 19:00 . 2010-05-06 19:00 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-05-06 10:41 . 2006-09-13 12:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 23:27 . 2006-09-13 13:59 88795 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-05 21:58 . 2006-12-02 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-05 21:45 . 2007-08-25 16:58 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-05-02 05:22 . 2006-09-13 12:42 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 20:08 . 2010-04-26 20:08 -------- d-----w- c:\program files\Open XML SDK
2010-04-20 05:30 . 2006-09-13 12:41 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-29 21:01 . 2010-03-29 21:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-29 21:01 . 2010-03-29 21:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2004-08-10 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[7] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2help.dll
[-] 2008-04-14 . 6388CB57165A1496B75333BB7492CCA9 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
[-] 2004-08-10 . 9BEACB911CA61E5881102188AB7FB431 . 19968 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2help.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-29 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"TPSMain"="TPSMain.exe" [2005-08-03 266240]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"TFncKy"="TFncKy.exe" [BU]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 16860672]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-19 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-27 1165192]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-21 6112064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Andy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2010-2-21 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [29/05/2010 02:46 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [26/05/2010 18:03 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [26/05/2010 18:03 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [22/05/2010 19:16 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [25/05/2010 23:30 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [26/05/2010 18:03 116784]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [25/05/2010 23:28 126392]
R2 SAP DBTech-NSP;MAXDB: NSP;c:\sapdb\NSP\db\pgm\kernel.exe [19/10/2008 19:06 9203712]
R2 SAPNSP_00;SAPNSP_00;c:\sap\NSP\SYS\exe\run\sapstartsrv.exe [19/10/2008 19:43 4022272]
R2 XServer;XServer;c:\sapdb\programs\pgm\serv.exe [19/10/2008 19:06 614400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 20:54 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100617.005\IDSXpx86.sys [19/06/2010 19:28 331640]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [14/09/2006 12:10 7040]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 23:03 135664]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [19/03/2010 22:14 423576]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1314704]
S3 SAP DBTech-.M770423 (slow);MAXDB: .M770423 (slow);c:\sapdb\NSP\db\pgm\slowknl.exe [19/10/2008 19:06 17477632]
S3 SAP DBTech-.M770423;MAXDB: .M770423;c:\sapdb\NSP\db\pgm\kernel.exe [19/10/2008 19:06 9203712]
S3 SAP DBTech-NSP (slow);MAXDB: NSP (slow);c:\sapdb\NSP\db\pgm\slowknl.exe [19/10/2008 19:06 17477632]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S3 TFBULK;Topfield USB client driver;c:\windows\system32\drivers\TfBulk.sys [26/08/2003 06:11 41996]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [31/03/2009 09:44 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 08:01 2799808]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 04:09 239336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/04/2007 17:53 682232]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 04:23 366936]
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:45]

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 22:03]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 22:03]

2010-06-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 17:02]

2010-06-22 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 17:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\15utlcw9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://192.168.2.1/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 01:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3903979473-2110481818-349968063-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4140)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\ehome\mcrdsvc.exe
c:\sapdb\NSP\db\pgm\dbmsrv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\AGRSMMSG.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-22 02:14:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 01:14
ComboFix2.txt 2010-06-22 00:36

Pre-Run: 4,436,971,520 bytes free
Post-Run: 4,399,988,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 8575B8CCF300F06ED43B072B47AB9BFB

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#12 Andy77

Andy77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 24 June 2010 - 03:30 PM

Ah ok I didn't realise my computer was still infected.

Will follow your next instructions and paste any further logs that are required.

Thanks,
Andy.

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 24 June 2010 - 04:58 PM

Let's continue....

I will alert you when you are clean and when we are done! thumbup2.gif

==========

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Microsoft Security Essentials or Norton.

==========

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any more malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


--------------------------------------------------------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.



  • Drag the setup package onto "thcbytes.exe" and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'No' to run the full ComboFix scan.

==========

Next............


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

QUOTE
FCopy::
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\$NtServicePackUninstall$\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\$NtUninstallKB925902$\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\$NtUninstallKB890859$\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
c:\windows\ServicePackFiles\i386\ws2help.dll | c:\windows\system32\ws2help.dll
c:\windows\ServicePackFiles\i386\ws2help.dll | c:\windows\$NtServicePackUninstall$\ws2help.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


==========

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

With your next post please provide:

* Remember to copy and paste the logs please
* Combofix.txt
* MBAM log
* ESET log
* Any further troubles

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#14 Andy77

Andy77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 28 June 2010 - 03:12 PM

Hi,

I've removed Microsoft Security Essentials as instructed and run the ComboFix, MBAM and ESET scans. I have the Recovery Console installed aswell.

Here are the results.

Thanks for your continued assistance.

ComboFix.txt ============================================

ComboFix 10-06-21.01 - Andy 27/06/2010 21:12:12.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1320 [GMT 1:00]
Running from: c:\documents and settings\Andy\Desktop\software\bleeping computer instructs\latest logs 3\thcbytes.exe
Command switches used :: c:\documents and settings\Andy\Desktop\software\bleeping computer instructs\latest logs 3\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$NtServicePackUninstall$\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$NtUninstallKB925902$\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$NtUninstallKB890859$\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
c:\windows\ServicePackFiles\i386\ws2help.dll --> c:\windows\system32\ws2help.dll
c:\windows\ServicePackFiles\i386\ws2help.dll --> c:\windows\$NtServicePackUninstall$\ws2help.dll
.
((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.

2010-06-27 19:19 . 2010-06-27 19:19 -------- d-----w- C:\sasuninst.files
2010-06-22 20:49 . 2010-06-22 20:49 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb29.tmp.exe
2010-06-19 18:48 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-31 20:41 . 2010-05-31 20:41 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\PCHealth
2010-05-31 13:22 . 2010-05-31 13:26 -------- dc-h--w- c:\windows\ie8
2010-05-29 15:10 . 2010-05-29 15:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-29 14:38 . 2010-06-24 19:56 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-29 14:37 . 2010-05-29 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-29 14:37 . 2010-05-29 14:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes
2010-05-29 11:46 . 2010-05-29 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-29 03:41 . 2010-05-29 01:45 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-29 03:21 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-29 01:46 . 2010-06-22 01:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-29 01:46 . 2010-05-29 01:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-29 01:41 . 2010-05-29 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-29 01:41 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-29 01:39 . 2010-05-29 01:39 -------- d-----w- c:\program files\Trend Micro
2010-05-29 01:03 . 2010-05-29 01:40 -------- d-----w- c:\program files\Lavasoft
2010-05-29 01:03 . 2010-05-29 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-28 23:42 . 2010-05-29 15:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 20:31 . 2010-05-28 23:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 20:31 . 2010-05-28 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 20:19 . 2007-10-27 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-06-20 19:55 . 2010-02-21 21:37 -------- d-----w- c:\program files\FinePixViewer
2010-06-06 13:39 . 2009-11-12 00:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 12:38 . 2009-06-20 20:20 -------- d-----w- c:\program files\Bonjour
2010-05-29 14:31 . 2006-12-09 20:48 -------- d-----w- c:\program files\Google
2010-05-26 23:07 . 2010-05-07 01:03 1190892 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3903979473-2110481818-349968063-1005-0.dat
2010-05-26 23:07 . 2010-05-07 01:03 213046 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-05-25 21:17 . 2010-05-25 21:17 503808 ----a-w- c:\documents and settings\Andy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2f4680e5-n\msvcp71.dll
2010-05-25 21:17 . 2010-05-25 21:17 499712 ----a-w- c:\documents and settings\Andy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2f4680e5-n\jmc.dll
2010-05-25 21:17 . 2010-05-25 21:17 348160 ----a-w- c:\documents and settings\Andy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2f4680e5-n\msvcr71.dll
2010-05-23 20:23 . 2010-05-23 20:23 188128 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2010-05-23 20:21 . 2010-05-06 19:00 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-05-22 20:30 . 2010-05-22 20:30 -------- d-----w- c:\documents and settings\Andy\Application Data\Microsoft Corporation
2010-05-06 19:49 . 2010-05-06 19:08 545696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2010-05-06 19:45 . 2007-08-25 16:58 -------- d-----w- c:\program files\Microsoft SDKs
2010-05-06 19:10 . 2010-05-06 19:10 -------- d-----w- c:\program files\IIS
2010-05-06 19:05 . 2006-12-02 17:19 55056 ----a-w- c:\documents and settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 19:00 . 2010-05-06 19:00 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-05-06 10:41 . 2006-09-13 12:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 23:27 . 2006-09-13 13:59 88795 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-05 21:58 . 2006-12-02 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-05 21:45 . 2007-08-25 16:58 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-05-02 05:22 . 2006-09-13 12:42 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-09-13 12:41 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-29 21:01 . 2010-03-29 21:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-29 21:01 . 2010-03-29 21:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.

((((((((((((((((((((((((((((( SnapShot@2010-06-27_19.42.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-09-13 12:42 . 2008-04-14 00:12 19968 c:\windows\system32\dllcache\ws2help.dll
+ 2010-05-05 23:09 . 2008-04-14 00:12 19968 c:\windows\$NtServicePackUninstall$\ws2help.dll
- 2010-05-05 23:09 . 2004-08-10 12:00 19968 c:\windows\$NtServicePackUninstall$\ws2help.dll
+ 2006-09-13 12:42 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\user32.dll
+ 2007-04-06 16:23 . 2008-04-14 00:12 578560 c:\windows\$NtUninstallKB925902$\user32.dll
+ 2006-09-13 14:17 . 2008-04-14 00:12 578560 c:\windows\$NtUninstallKB890859$\user32.dll
+ 2010-05-05 23:09 . 2008-04-14 00:12 578560 c:\windows\$NtServicePackUninstall$\user32.dll
+ 2007-03-08 15:48 . 2008-04-14 00:12 578560 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
+ 2006-09-13 14:17 . 2008-04-14 00:12 578560 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"TPSMain"="TPSMain.exe" [2005-08-03 266240]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"TFncKy"="TFncKy.exe" [BU]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 16860672]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-19 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Andy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2010-2-21 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [29/05/2010 02:46 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [26/05/2010 18:03 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [26/05/2010 18:03 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [24/06/2010 21:04 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [25/05/2010 23:30 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [26/05/2010 18:03 116784]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [25/05/2010 23:28 126392]
R2 SAP DBTech-NSP;MAXDB: NSP;c:\sapdb\NSP\db\pgm\kernel.exe [19/10/2008 19:06 9203712]
R2 SAPNSP_00;SAPNSP_00;c:\sap\NSP\SYS\exe\run\sapstartsrv.exe [19/10/2008 19:43 4022272]
R2 XServer;XServer;c:\sapdb\programs\pgm\serv.exe [19/10/2008 19:06 614400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 20:54 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100625.001\IDSXpx86.sys [27/06/2010 20:09 331640]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [14/09/2006 12:10 7040]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 23:03 135664]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [19/03/2010 22:14 423576]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
S3 SAP DBTech-.M770423 (slow);MAXDB: .M770423 (slow);c:\sapdb\NSP\db\pgm\slowknl.exe [19/10/2008 19:06 17477632]
S3 SAP DBTech-.M770423;MAXDB: .M770423;c:\sapdb\NSP\db\pgm\kernel.exe [19/10/2008 19:06 9203712]
S3 SAP DBTech-NSP (slow);MAXDB: NSP (slow);c:\sapdb\NSP\db\pgm\slowknl.exe [19/10/2008 19:06 17477632]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S3 TFBULK;Topfield USB client driver;c:\windows\system32\drivers\TfBulk.sys [26/08/2003 06:11 41996]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [31/03/2009 09:44 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 08:01 2799808]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 04:09 239336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/04/2007 17:53 682232]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 04:23 366936]
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:47]

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 22:03]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 22:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\15utlcw9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://192.168.2.1/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 21:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3903979473-2110481818-349968063-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6072)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-06-27 21:24:43
ComboFix-quarantined-files.txt 2010-06-27 20:24
ComboFix2.txt 2010-06-27 19:47
ComboFix3.txt 2010-06-22 01:14
ComboFix4.txt 2010-06-22 00:36

Pre-Run: 4,212,682,752 bytes free
Post-Run: 4,173,365,248 bytes free

- - End Of File - - 1905FBE62E598801B67813E53C3885A3

MBAM Log =======================================================

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4247

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/06/2010 22:16:51
mbam-log-2010-06-27 (22-16-51).txt

Scan type: Quick scan
Objects scanned: 156061
Time elapsed: 20 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET Scan Log ======================================================

C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\6.0\1\5382c0c1-241d6854 a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-15267c6c Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantined
C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16123de4 Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantined
C:\Documents and Settings\Andy\Application Data\Sun\Java\Deployment\cache\6.0\54\7f532976-12bbd266 a variant of Java/TrojanDownloader.Agent.NBA trojan deleted - quarantined
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP5\A0005444.exe Win32/Adware.Lifze.J application deleted - quarantined
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP5\A0005607.exe Win32/Adware.Lifze.J application deleted - quarantined

===============================================================

Thanks again,
Andy.

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 28 June 2010 - 03:20 PM

Excellent. thumbup2.gif

Much better...

Re-run MBAM and ESET. Post the logs.

Let's make sure they return clean.

What problems remain?
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users