
Google and Yahoo search results being redirected


  • This topic is locked
21 replies to this topic

#1 kiches
  • Members
  • 11 posts
  • Local time:05:21 PM

Posted 14 June 2010 - 09:38 PM

Recently I was infected by AV Security Suite. Running Malwarebytes seemed to get rid of it, but I noticed that whenever I click on search results through Yahoo or Google, in both Firefox and Internet Explorer, I get redirected to random sites. I updated Malwarebytes again and performed a full scan recently with 2 results, but the problem persists. I tried to run GMER, but part way into the scan my screen goes completely black (no cursor or mouse) and I have to physically turn off the computer, so I ran GMER in safe mode.

DDS Log
--------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Monica at 17:49:21.52 on Mon 06/14/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.68 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Monica\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Shell=Explorer.exe c:\windows\system32\Deleteme.vbs
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\monica\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [dpuksuyhykakjj] c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [TFncKy] TFncKy.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [WD Spindown Utility] "c:\program files\western digital technologies\spindown\ExSpinDn.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
mRun: [P2Go_Menu] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dpuksuyhykakjj] c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
StartupFolder: c:\docume~1\monica\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download ALL with IDA
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: Download with IDA
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {051A2EEA-9508-42E1-AD4A-40687CCCD4F2} = 192.168.1.1
TCP: {E5D6CC71-EB8C-4D61-A6E1-3346C3B4F135} = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\monica\applic~1\mozilla\firefox\profiles\bxv318cw.default user\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - plugin: c:\documents and settings\monica\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\monica\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\monica\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\monica\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-1 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-1 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-1 242896]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2009-12-12 15784]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;c:\program files\abbyy finereader 9.0\NetworkLicenseServer.exe [2009-3-2 566560]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-6-11 67584]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2009-12-12 162344]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-25 135664]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2009-2-22 91841]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]

=============== Created Last 30 ================

2010-06-15 00:46:12 0 ----a-w- c:\documents and settings\monica\defogger_reenable
2010-06-14 19:09:46 0 d-----w- c:\program files\Runtime Software
2010-06-12 03:19:40 0 d-----w- c:\program files\Cobian Backup 8
2010-06-12 00:05:23 0 d-----w- c:\program files\Cobian Backup 10
2010-06-11 01:56:17 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-09 08:09:53 12872 ------w- c:\windows\system32\bootdelete.exe
2010-06-09 07:43:24 15944 ------w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-09 07:41:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-30 05:51:40 0 d-----w- c:\program files\DVDFab 7

==================== Find3M ====================

2010-06-02 18:03:44 242896 ------w- c:\windows\system32\drivers\avgtdix.sys
2010-05-30 05:53:10 87608 ------w- c:\docume~1\monica\applic~1\inst.exe
2010-05-30 05:53:09 47360 ------w- c:\windows\system32\drivers\pcouffin.sys
2010-05-30 05:53:09 47360 ------w- c:\docume~1\monica\applic~1\pcouffin.sys
2010-04-29 22:39:38 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-04-16 08:23:49 18816 ------w- c:\windows\system32\drivers\dvd43llh.sys
2010-04-08 20:20:02 91424 ------w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ------w- c:\windows\system32\dns-sd.exe
2008-02-05 18:50:39 159616 ------w- c:\program files\MF
2003-08-05 19:41:44 53248 ------w- c:\windows\inf\ap561.exe
2002-11-27 00:24:58 32768 ------w- c:\windows\inf\Remove561.exe
2002-11-22 23:56:52 118784 ------w- c:\windows\inf\ShowBmp.exe
2002-10-30 02:07:44 36864 ------w- c:\windows\inf\Setup8a.exe
2002-10-01 22:43:32 119798 ------w- c:\windows\inf\spca561.sys
2008-02-26 07:13:23 217073 --sh--r- c:\windows\meta4.exe
2005-07-14 20:31:20 27648 --sh--r- c:\windows\system32\AVSredirect.dll
2005-06-26 23:32:28 616448 --sh--r- c:\windows\system32\cygwin1.dll
2005-06-22 06:37:42 45568 --sh--r- c:\windows\system32\cygz.dll
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 08:00:00 70656 --sh--r- c:\windows\system32\i420vfw.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2008-02-04 19:26:34 151040 --sh--w- c:\windows\system32\VistaUltm.dll
2005-02-28 21:16:22 240128 --sh--r- c:\windows\system32\x.264.exe
2008-09-04 22:23:00 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 17:52:09.19 ===============


ETA: uploaded log from GMER


Edited by kiches, 15 June 2010 - 07:07 PM.
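Reading the log above for persistence indicators, as an added example that is not part of the original post or of the DDS tool: a small Python triage script over DDS "Pseudo HJT Report" and file-listing lines. The sample lines are copied from the log above (plus one benign THotkey entry), while the rules and thresholds are the author's assumptions about what an analyst looks for, not anything DDS itself scores: a Winlogon Shell value that is not exactly Explorer.exe, Run values with random-looking names, the same value name registered in both the HKCU (uRun) and HKLM (mRun) Run keys, Run commands that live in the user profile, and system+hidden files under the Windows directory.

```python
"""Triage of DDS 'Pseudo HJT Report' and Find3M lines for persistence indicators.

Added example for this thread; it is not part of DDS or of the original post.
Rule thresholds below are the author's assumptions.
"""
import re

# Constructed sample: lines copied from the DDS log above, plus one benign
# Run entry (THotkey) so the rules have something they should NOT flag.
SAMPLE_LOG = r"""
mWinlogon: Shell=Explorer.exe c:\windows\system32\Deleteme.vbs
uRun: [Google Update] "c:\documents and settings\monica\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [dpuksuyhykakjj] c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [dpuksuyhykakjj] c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
2010-04-08 20:20:02 91424 ------w- c:\windows\system32\dnssd.dll
2005-07-14 20:31:20 27648 --sh--r- c:\windows\system32\AVSredirect.dll
"""

WINLOGON_RE = re.compile(r"^mWinlogon:\s*Shell=(.*)$", re.I)
RUN_RE = re.compile(r"^([um])Run:\s*\[([^\]]+)\]\s*(.*)$")
# DDS file lines: date time size attrs path (attrs is an 8-char flag field such as --sh--r-)
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+([-a-z]{8})\s+(.+)$")
# Locations a non-admin user can write to; malware dropped by a browser exploit lands here.
USER_WRITABLE = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a long, all-lowercase, vowel-poor value name is
    likely machine-generated, e.g. 'dpuksuyhykakjj'. Vendor names such as
    'THotkey' or 'Google Update' are skipped by the case/character checks."""
    if len(name) < 10 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.25


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, rule, detail) findings for the given DDS log text."""
    findings = []
    hives_by_name: dict[str, set[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            shell = m.group(1).strip()
            # The Shell value should be exactly Explorer.exe; anything appended
            # is launched at every logon alongside the desktop.
            if shell.lower() != "explorer.exe":
                findings.append(("high", "winlogon_shell", shell))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            hives_by_name.setdefault(name, set()).add(hive)
            if looks_random(name):
                findings.append(("high", "random_value_name", f"{name} -> {command}"))
            elif any(p in command.lower() for p in USER_WRITABLE):
                # Profile-resident autoruns are common for legitimate updaters too,
                # so this alone is only a low-severity note for the analyst.
                findings.append(("low", "user_writable_path", f"{name} -> {command}"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # system+hidden files under %windir% deserve a look
            if "s" in attrs and "h" in attrs and "\\windows\\" in path.lower():
                findings.append(("medium", "hidden_system_file", path))
    # The same value name registered in both HKCU (u) and HKLM (m) Run keys is
    # a common malware habit; legitimate installers normally pick one hive.
    for name, hives in hives_by_name.items():
        if hives == {"u", "m"}:
            findings.append(("high", "run_in_both_hives", name))
    return findings


def count_by_severity(findings) -> dict[str, int]:
    counts: dict[str, int] = {}
    for severity, _rule, _detail in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:20} {detail}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

On the sample it flags the `Shell=Explorer.exe c:\windows\system32\Deleteme.vbs` value, the `dpuksuyhykakjj` value (random-looking and present in both uRun and mRun) and the system+hidden AVSredirect.dll; the Google Update entry, which also lives under Local Settings, gets only a low-severity note because that location by itself is not conclusive, and THotkey is not reported at all.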



#2 Farbar
    Just Curious
  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:21 AM

Posted 17 June 2010 - 01:25 PM

Hi kiches,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 kiches (Topic Starter)

Posted 17 June 2010 - 06:39 PM

farbar,

Thanks for the help. I won't install or make changes from today on.

Thanks.

#4 Farbar

Posted 17 June 2010 - 06:50 PM

Please update me on the current condition of your computer. No need to post any log.

#5 kiches (Topic Starter)

Posted 17 June 2010 - 10:51 PM

Well, the problem still persists. Any search result links from Google or Yahoo that I click get redirected, in both Firefox and Internet Explorer.

#6 Farbar

Posted 18 June 2010 - 05:47 AM

  1. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Close all the open windows.
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      dmio
    • The application shall restart the computer immediately and run after restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Tell me if the issue is fixed.


#7 kiches (Topic Starter)

Posted 18 June 2010 - 11:16 PM

The issue has been fixed. My computer did reboot and ran to completion. Is there anything else I need to do?

#8 Farbar

Posted 19 June 2010 - 01:58 AM

Great.

We still have some work to do.

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#9 kiches (Topic Starter)

Posted 20 June 2010 - 12:14 AM

Nothing turned up in the Malwarebytes scan. Here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4217

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/19/2010 10:13:01 PM
mbam-log-2010-06-19 (22-13-01).txt

Scan type: Quick scan
Objects scanned: 194307
Time elapsed: 53 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Farbar

Posted 20 June 2010 - 10:17 AM

  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them.

  2. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt
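An added example (not part of the thread, of DDS or of JavaRa) of turning the DPF entries in the first DDS log into a JRE inventory, which is the quickest way to see how many old runtimes a machine is carrying. Each `jinstall-…` cab URL names the exact update it installed, and Sun's per-version plug-in CLSIDs follow the pattern CAFEEFAC-00MN-0000-00UU-ABCDEFFEDCBA (M.N is the 1.x family, UU the update number), with CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA acting as the "latest installed" alias; the script decodes both, cross-checks them, and lists every version older than the one the thread names as current. The sample lines are copied from the log above; the current-version threshold (Java 6 update 20) and the CLSID decoding are this example's assumptions.

```python
"""Inventory of JRE versions referenced by DDS 'DPF:' entries.

Added example for this thread; not part of DDS, JavaRa or the original posts.
The 'current' version is an assumption taken from the advice above (Java 6 update 20).
"""
import re
from typing import Optional

Version = tuple[int, int, int, int]  # (major, minor, micro, update), e.g. (1, 6, 0, 19)

CURRENT: Version = (1, 6, 0, 20)  # assumption: "Java 6 update 20" as stated in the thread

# Constructed sample: the header line and DPF entries copied from the first DDS log.
SAMPLE = r"""
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_19
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

DPF_RE = re.compile(r"^DPF:\s*\{([0-9A-Fa-f-]{36})\}\s*-\s*(\S+)")
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-")
HEADER_RE = re.compile(r"BrowserJavaVersion:\s*(\d+)\.(\d+)\.(\d+)_(\d+)")
# Sun's per-version plug-in CLSID: CAFEEFAC-00MN-0000-00UU-ABCDEFFEDCBA (assumed decoding).
FAMILY_RE = re.compile(r"^CAFEEFAC-00(\d)(\d)-0000-(\d{4})-ABCDEFFEDCBA$", re.I)


def clsid_version(clsid: str) -> Optional[Version]:
    """Decode the version encoded in a Java family CLSID; None for the
    CAFEEFAC-FFFF-FFFF-FFFF 'latest version' alias and for non-Java CLSIDs."""
    m = FAMILY_RE.match(clsid)
    if not m:
        return None
    major, minor, update = m.groups()
    return (int(major), int(minor), 0, int(update))


def url_version(url: str) -> Optional[Version]:
    """Version named by a jinstall-1_6_0_19-... cab file name, if any."""
    m = JINSTALL_RE.search(url)
    return tuple(int(x) for x in m.groups()) if m else None


def inventory(log_text: str) -> list[dict]:
    """One record per Java-related DPF entry: CLSID, version from the cab URL,
    version encoded in the CLSID (if any), and whether the two agree."""
    records = []
    for line in log_text.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        clsid, url = m.groups()
        from_url = url_version(url)
        if from_url is None:
            continue  # not a Java installer cab (e.g. the Flash entry)
        from_clsid = clsid_version(clsid)
        records.append({
            "clsid": clsid.upper(),
            "url_version": from_url,
            "clsid_version": from_clsid,
            # A CLSID that claims one version but points at another cab is worth a look.
            "consistent": from_clsid is None or from_clsid == from_url,
        })
    return records


def java_versions(log_text: str) -> list[Version]:
    """Sorted, de-duplicated JRE versions seen in the DDS header or DPF entries."""
    versions = {r["url_version"] for r in inventory(log_text)}
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            versions.add(tuple(int(x) for x in m.groups()))
    return sorted(versions)


def outdated(versions, current: Version = CURRENT) -> list[Version]:
    return [v for v in versions if v < current]


def fmt(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


if __name__ == "__main__":
    for rec in inventory(SAMPLE):
        flag = "" if rec["consistent"] else "  <-- CLSID/URL mismatch"
        print(f"{rec['clsid']}  {fmt(rec['url_version'])}{flag}")
    found = java_versions(SAMPLE)
    print("installed:", ", ".join(fmt(v) for v in found))
    print("older than " + fmt(CURRENT) + ":", ", ".join(fmt(v) for v in outdated(found)))
```

On the sample it finds three distinct runtimes (1.5.0_06, 1.6.0_16 and 1.6.0_19), all older than 1.6.0_20, which is exactly the side-by-side leftover situation JavaRa is meant to clean up; every CLSID agrees with the cab it points at.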


#11 kiches (Topic Starter)

Posted 20 June 2010 - 07:49 PM

I've used JavaRa to update JRE and uninstalled old versions. I've attached the new DDS.txt file.

Attached Files
  • DDS.txt (20.43KB)


#12 Farbar

Posted 20 June 2010 - 07:56 PM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#13 kiches (Topic Starter)

Posted 20 June 2010 - 11:07 PM

When I turned on my computer today there was an icon in my tray telling me there was a windows update available. I thought that if I didn't click the tray the update wouldn't install, but I didn't know that it was set to automatically update. I left my computer alone for about an hour and when I got back I think my computer was in the middle of shutting itself down. I think a Windows update may have been installed but I'm not sure since I manually turned off the power before it finished shutting down, and upon restarting the icon reappeared in my icon tray. Has this screwed up the malware removal process? I haven't run combofix yet since this happened before I read the message.

#14 Farbar

Posted 21 June 2010 - 01:09 AM

I hope it has not affected the computer. You may disable Windows Update for now. If it has installed any update you should allow it to reboot to complete the operation; otherwise you might get an unbootable and difficult-to-restore computer. I advise you not to shut down the power manually unless the computer has hung and there is no other option.

Please start the computer, disable Windows Update and reboot. Then proceed with ComboFix. Since we have taken care of the rootkit the updating should not create any problem, but we don't want the update to be done in the middle of the ComboFix run.

Turn off Windows automatic updates as it might lead to unexpected results at this stage:
  • Go to start -> Control Panel -> double-click System to open it.
  • Go to the Automatic Updates tab.
  • Select the "Turn off Automatic Updates" box.
  • Click Apply and then OK.
  • Important: Reboot.


#15 kiches (Topic Starter)

Posted 21 June 2010 - 02:55 AM

Here's the combofix log:

ComboFix 10-06-20.03 - Monica 06/21/2010 0:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.270 [GMT -7:00]
Running from: c:\documents and settings\Monica\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Deleteme.bat
c:\documents and settings\Monica\Application Data\AD ON Multimedia
c:\documents and settings\Monica\Application Data\inst.exe
c:\windows\system32\Deleteme.bat
c:\windows\system32\mswinup.exe
c:\windows\system32\winsvcup.exe
c:\windows\system32\winupsvc.exe
H:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-21 00:38 . 2010-06-21 00:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 04:04 . 2010-06-19 04:05 -------- d-----w- C:\vir
2010-06-19 04:00 . 2010-06-19 04:00 1472 ----a-w- C:\dmio.reg
2010-06-19 04:00 . 2010-06-19 04:00 -------- d-----w- C:\backup
2010-06-19 04:00 . 2008-04-13 18:44 153344 ----a-w- c:\windows\system32\drivers\tmpdmio.sys
2010-06-14 19:09 . 2010-06-14 19:09 -------- d-----w- c:\program files\Runtime Software
2010-06-12 03:19 . 2010-06-12 03:50 -------- d-----w- c:\program files\Cobian Backup 8
2010-06-12 00:08 . 2010-06-12 00:08 -------- d-----w- c:\documents and settings\Monica\Local Settings\Application Data\Safe mirror
2010-06-12 00:05 . 2010-06-12 03:55 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-11 01:56 . 2010-06-11 01:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-09 19:41 . 2010-06-09 19:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-09 08:09 . 2010-06-09 08:09 12872 ------w- c:\windows\system32\bootdelete.exe
2010-06-09 07:43 . 2010-06-10 21:13 15944 ------w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-09 07:41 . 2010-06-11 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-30 05:51 . 2010-05-30 05:52 -------- d-----w- c:\program files\DVDFab 7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 07:04 . 2008-03-21 23:04 -------- d-----w- c:\documents and settings\Monica\Application Data\uTorrent
2010-06-21 04:51 . 2010-03-14 07:50 0 ----a-w- c:\documents and settings\Monica\Local Settings\Application Data\prvlcl.dat
2010-06-21 00:37 . 2010-06-21 00:37 0 ----a-w- c:\windows\system32\REN73.tmp
2010-06-21 00:37 . 2010-06-21 00:37 0 ----a-w- c:\windows\system32\REN72.tmp
2010-06-21 00:37 . 2010-06-21 00:37 0 ----a-w- c:\windows\system32\REN71.tmp
2010-06-21 00:21 . 2006-07-20 01:52 -------- d-----w- c:\program files\Java
2010-06-19 06:11 . 2007-09-30 03:38 -------- d-----w- c:\documents and settings\Monica\Application Data\Orbit
2010-06-17 07:02 . 2009-11-18 05:30 -------- d-----w- c:\documents and settings\Monica\Application Data\Skype
2010-06-17 07:00 . 2009-11-18 05:35 -------- d-----w- c:\documents and settings\Monica\Application Data\skypePM
2010-06-16 21:20 . 2008-01-16 01:47 -------- d-----w- c:\program files\iTunes
2010-06-16 21:18 . 2007-08-13 05:09 -------- d-----w- c:\program files\iPod
2010-06-16 21:18 . 2007-07-15 05:18 -------- d-----w- c:\program files\Common Files\Apple
2010-06-16 20:58 . 2008-07-15 20:02 -------- d-----w- c:\program files\Bonjour
2010-06-09 19:41 . 2006-07-20 02:50 664 ------w- c:\windows\system32\d3d9caps.dat
2010-06-08 22:34 . 2009-09-12 09:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 02:31 . 2006-10-07 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-06-07 07:08 . 2006-12-04 00:40 -------- d-----w- c:\documents and settings\Monica\Application Data\dvdcss
2010-06-07 04:07 . 2007-05-06 09:32 -------- d-----w- c:\program files\QuickTime Alternative
2010-06-02 18:03 . 2009-02-01 07:32 242896 ------w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 18:03 . 2009-02-01 07:32 29584 ------w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-30 23:19 . 2007-08-03 21:07 -------- d-----w- c:\documents and settings\Monica\Application Data\Free Download Manager
2010-05-30 07:48 . 2006-12-20 04:00 -------- d-----w- c:\documents and settings\Monica\Application Data\RipIt4Me
2010-05-30 05:53 . 2006-12-20 03:55 -------- d-----w- c:\documents and settings\Monica\Application Data\Vso
2010-05-30 05:53 . 2009-08-07 03:52 47360 ------w- c:\windows\system32\drivers\pcouffin.sys
2010-05-30 05:53 . 2009-08-07 03:52 47360 ------w- c:\documents and settings\Monica\Application Data\pcouffin.sys
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-17 00:37 . 2008-03-21 23:04 -------- d-----w- c:\program files\uTorrent
2010-05-10 23:56 . 2010-05-10 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-10 23:55 . 2010-05-10 23:55 -------- d-----w- c:\program files\AIM
2010-05-10 23:55 . 2010-05-10 23:55 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-10 23:55 . 2006-07-20 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-05-10 23:54 . 2006-10-22 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-05-04 17:20 . 2006-07-19 00:48 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2006-07-19 00:47 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-07-19 00:46 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-07-19 00:48 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-09-12 09:06 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-09-12 09:06 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-04-22 21:48 . 2006-11-07 07:39 -------- d-----w- c:\documents and settings\Monica\Application Data\Apple Computer
2010-04-20 05:30 . 2006-07-19 00:46 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 08:23 . 2010-04-16 08:23 18816 ------w- c:\windows\system32\drivers\dvd43llh.sys
2008-02-05 18:50 . 2008-02-05 18:50 159616 ------w- c:\program files\MF
2008-02-26 07:13 . 2005-05-14 01:12 217073 --sh--r- c:\windows\meta4.exe
2008-01-05 03:10 . 2008-01-05 03:06 24 --sh--w- c:\windows\S1E3AFFB3.tmp
2005-07-14 20:31 . 2005-07-14 20:31 27648 --sh--r- c:\windows\system32\AVSredirect.dll
2005-06-26 23:32 . 2005-06-26 23:32 616448 --sh--r- c:\windows\system32\cygwin1.dll
2005-06-22 06:37 . 2005-06-22 06:37 45568 --sh--r- c:\windows\system32\cygz.dll
2006-05-03 10:06 . 2008-02-26 07:12 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 08:00 . 2004-01-25 08:00 70656 --sh--r- c:\windows\system32\i420vfw.dll
2007-02-21 11:47 . 2008-02-26 07:12 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 . 2008-02-26 07:13 27648 --sh--w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 . 2008-02-26 07:13 151040 --sh--w- c:\windows\system32\VistaUltm.dll
2005-02-28 21:16 . 2005-02-28 21:16 240128 --sh--r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-26 68856]
"Google Update"="c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-19 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-02 364544]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"NDSTray.exe"="NDSTray.exe" [BU]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 16050688]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"TFncKy"="TFncKy.exe" [BU]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-03 700416]
"WD Spindown Utility"="c:\program files\Western Digital Technologies\Spindown\ExSpinDn.exe" [2004-08-09 278528]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
"P2Go_Menu"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Monica\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-1-7 575488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 07:31 12464 ------w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Monica^Start Menu^Programs^Startup^Picaboo.lnk]
path=c:\documents and settings\Monica\Start Menu\Programs\Startup\Picaboo.lnk
backup=c:\windows\pss\Picaboo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-07-19 03:52 104936 ------w- c:\program files\CyberLink\Power2Go\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2009-10-24 02:34 827904 ------w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ------w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-06-09 07:32 5937984 ------w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantBurn]
2007-10-26 18:55 681256 ------w- c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 ------w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2005-12-16 09:41 188416 ------w- c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 22:39 1090952 ------w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ------w- c:\program files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-07-26 23:08 68856 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Monica\\My Documents\\sysreset\\mirc.exe"=
"c:\\Documents and Settings\\Monica\\My Documents\\MySpaceMp3Gopher.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\Monica\\My Documents\\MathCast088\\MathCast.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38782:TCP"= 38782:TCP:Utor1
"13004:UDP"= 13004:UDP:utorrent port

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/1/2009 12:32 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/1/2009 12:32 AM 242896]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [12/12/2009 6:47 PM 15784]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [3/2/2009 3:04 PM 566560]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 12:30 AM 308064]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [6/11/2010 8:54 PM 67584]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [12/12/2009 6:47 PM 162344]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 11:50 AM 98816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/7/2007 9:05 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 3:39 PM 135664]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2/22/2009 9:58 PM 91841]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 22:39]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 22:39]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-27845008-3965275041-992761460-1006Core.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-19 06:00]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-27845008-3965275041-992761460-1006UA.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-19 06:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download ALL with IDA
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Download with IDA
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
TCP: {051A2EEA-9508-42E1-AD4A-40687CCCD4F2} = 192.168.1.1
TCP: {E5D6CC71-EB8C-4D61-A6E1-3346C3B4F135} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\bxv318cw.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - plugin: c:\documents and settings\Monica\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-dpuksuyhykakjj - c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
HKLM-Run-dpuksuyhykakjj - c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-AOL Fast Start - c:\program files\America Online 9.0\AOL.EXE
MSConfigStartUp-Internet Download Accelerator - c:\program files\IDA\ida.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
AddRemove-MakeTorrent 2 - c:\program files\Maketorrent 2\uninstall.exe
AddRemove-SUPER - c:\progra~1\ERIGHT~1\SUPER\Setup.exe
AddRemove-WinAVIVideoConverter_is1 - c:\program files\WinAVIVideoConverter\unins000.exe
AddRemove-YAMB - c:\program files\YAMB\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 00:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-27845008-3965275041-992761460-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6957492B-3378-C5B5-0F2E-CBD16EDFAA84}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(568)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\windows\RTHDCPL.EXE
c:\windows\AGRSMMSG.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\TPSBattM.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\RunDLL32.exe
c:\windows\ehome\mcrdsvc.exe
c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-21 00:51:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-21 07:51

Pre-Run: 16,246,333,440 bytes free
Post-Run: 27,592,663,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 31D8D0759F296681DE50C8E854A20276
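As an added example (not from the thread and not ComboFix's own code), a small Python triage script that parses the "Reg Loading Points" and "ORPHANS REMOVED" sections of a ComboFix-style log and flags the autostart pattern visible in the log above: a random-looking name launched from the user's Local Settings\Application Data, or a Run value whose target no longer exists. The sample lines are constructed from the entries in this log; the heuristics (vowel ratio, list of user-profile directories, reading `[X]` as "file not found") are my own assumptions, not ComboFix's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "Reg Loading Points" and
# "ORPHANS REMOVED" sections of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-26 68856]
"Google Update"="c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-19 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" [BU]
- - - - ORPHANS REMOVED - - - -
HKCU-Run-dpuksuyhykakjj - c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
HKLM-Run-dpuksuyhykakjj - c:\documents and settings\monica\local settings\application data\whwgrhlc\ucxrvr.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
"""

RUN_KEY = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\Run\]$", re.IGNORECASE)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
ORPHAN = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<target>.+)$")
HIVE_ABBR = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
# Per-user writable dirs; installers rarely autostart from here, the malware
# in this log did (whwgrhlc\ucxrvr.exe). Thresholds below are my own choice.
USER_PROFILE_DIRS = ("\\local settings\\application data\\",
                     "\\application data\\", "\\local settings\\temp\\")

@dataclass
class Autostart:
    source: str   # "HKCU-Run" or "HKLM-Run"
    name: str
    target: str
    meta: str = ""  # bracketed info: date+size, X, BU, or "orphan"
    reasons: list = field(default_factory=list)

def looks_random(token: str) -> bool:
    """Letters-only token of 8+ chars with under 30% vowels, e.g. 'whwgrhlc'."""
    if len(token) < 8 or not token.isalpha():
        return False
    return sum(c in "aeiou" for c in token.lower()) / len(token) < 0.3

def parse_autostarts(text: str) -> list:
    """Collect Run-key values and removed Run orphans from the log text."""
    entries, hive = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        key = RUN_KEY.match(line)
        if key:
            hive = HIVE_ABBR.get(key["hive"].upper(), key["hive"])
            continue
        if not line:
            hive = None  # a blank line closes the current registry section
            continue
        val = RUN_VALUE.match(line)
        if val and hive:
            entries.append(Autostart(hive + "-Run", val["name"], val["target"], val["meta"]))
            continue
        orphan = ORPHAN.match(line)
        if orphan:
            entries.append(Autostart(orphan["hive"] + "-Run", orphan["name"], orphan["target"], "orphan"))
    return entries

def assess(entry: Autostart) -> Autostart:
    """Attach heuristic reasons; an empty list means nothing stood out."""
    if entry.meta.strip() == "X":  # assumed: ComboFix's marker for a missing target file
        entry.reasons.append("target not found")
    if any(d in entry.target.lower() for d in USER_PROFILE_DIRS):
        entry.reasons.append("user-profile path")
    tokens = [entry.name.split(".")[0]] + re.split(r"[\\.]", entry.target)
    if any(looks_random(t) for t in tokens):
        entry.reasons.append("random-looking name")
    return entry

def triage(text: str) -> dict:
    """Map 'source-name' to its reasons for every autostart that tripped a heuristic."""
    report = {}
    for entry in parse_autostarts(text):
        if assess(entry).reasons:
            report[f"{entry.source}-{entry.name}"] = entry.reasons
    return report
```

Note that the legitimate per-user Google Update entry also trips the "user-profile path" rule; the heuristics rank entries for a human to check, they do not decide on their own.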

