Search engines are redirecting me


This topic is locked
24 replies to this topic

#1 Aussie_Paul


  • Members
  • 14 posts
  • Gender:Male
  • Location:Ipswich, Qld, Australia.

Posted 24 June 2010 - 07:33 PM

Hi. I have noticed recently that when I click on a link in my search engine of choice (Google), most times, instead of being taken to the site I expect to be taken to, I am instead being taken to a different, non-related site.
As an example, if I do a Google search for "Rope splicing Guide" (without the inverted commas), the top listing is to the site "www.samsonrope.com/index.cfm?page=28".
If I click on that listing the new page loads initially with this URL
"http://vistanumbers.com/x2s/click?ou=http%3A%2F%2F85.17.76.175%2Fppc%2Fclick.php%3Ft%3D1277424725_53%26ip%3D220.253.92.233%26a%3D3025%26clk%3Dhttp%253A%252F%252F208.94.233.40%252Fgo.php%253Fdata%253DG0eYZ73%25252FRAckMtBOEFtzYR%25252FE8CO%25252F1P7Ak9ieUPXlIyBLhhZELyKrfa%25252F8kutHnww6YzgLtf3S%25252FpcZeHA7ZkaQRDJulrbXFyguAgzxlxTMcIriK1iYcJAOouWDKJYMfhjA3pULeJ39VfypxdY0d%25252F42dctDMnTgacJ8A0FaE1P%25252B4kXYzR39BKfGaMjjLL%25252BJq7EtAenVaJz%25252BXcUXVu47MeijHCAI7yszR8N01Nsk4PNY3HE%25252Fa5UlvyhxKSSBGNhl1F%25252FywFHs8rDhT3ij7%25252BlQFmGr8Zc0Bf8zW6Fpi8Eky4U1EAuR1gYuHlkyuIFvcCyjDHrffdyRsB7wRl4l3A%25252Fjm8Xy%25252BCYwTtMXg8ykiKILcHWloPu8YXk8nMJUz%25252B%25252Fcc4vA%25252BZl3oYI39k434hpwMOm6gwZHwD8O4MjoYGEiy2vgQbKBNLQPU28Ky%25252BbYhNHNkLCRO9Ed44oaxN0B7HRrO3HvMdl52OmvuAAd55gBTLfZl8hpaI%25252F9zxCNjnDfKPdJC0A2eYxY5oU5LaHVCn2h%25252F%25252BZrlwYNe1oxteuwSrIzNY9Gqd5n9VS4lq9BwsfliJgMBDAK2JEvqkAKm3zFwHdhL4WieDXkOI%25252FreJJjqasRSKyNoXbulmicAoQ3nge%25252B%25252Bb%25252FQrMTBlOZdwqteIe2N98RLmITFxLx2Q8jK8HtFAMPs5mVutqV5wzT5KE4F0Z96ZHdi6XTzZkYm9rf0u7VkxHqp6BWua5g7t4O%25252Frb6HNIMSu%25252FzyxqxbMYhSKuM7AqMet5nk5FB1hUtlyOR9khU9g8rSOKHAhH1ykHStS4eJDsj0"

After some seconds another redirect occurs that ends up delivering me to this page
"http://www.wisdomtips.com/?xcmpx=1085"

I can manually load the Samson rope page so I know that it is not being redirected due to that page not being available.

I normally use Firefox as my browser but I have tested this in IE 7 and it is doing the same thing.
I have tried to use yahoo.com.au search engine and the results are still the same.
With all of these search engines the redirect does not occur every time, but it happens often. I have included my DDS logs as recommended in the welcome text.

I have pasted the DDS scan log and attached the Ark.txt and Attach.txt files as per the Preparation Guide.

Thanks for your assistance with this.
Kind Regards,
Paul.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Paul at 18:18:14.99 on Thu 24/06/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.375 [GMT 10:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
F:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
F:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\108Mbps Wireless Network USB Dongle\WLANPRO.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe
F:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
F:\Program Files\java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
F:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - f:\program files\ws_ftp pro\wsbho2k0.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - f:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - f:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] f:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] g:\program files\sas\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SuperCopier2.exe] f:\program files\supercopier2\SuperCopier2.exe
uRun: [Free Download Manager] f:\program files\free download manager\fdm.exe -autorun
uRun: [Google Update] "c:\documents and settings\paul\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Acrobat Assistant 8.0] "f:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF3 Registry Controller] "f:\program files\scansoft\omnipage15.0\pdfconverter3\\RegistryController.exe"
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless G DWA-110] f:\program files\d-link\d-link wireless g dwa-110\AirGCFG.exe
mRun: [GrooveMonitor] "f:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] f:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Corel File Shell Monitor] f:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\paul\startm~1\programs\startup\mailwa~1.lnk - f:\program files\firetrust\mailwasher pro\MailWasher.exe
StartupFolder: c:\docume~1\paul\startm~1\programs\startup\onenot~1.lnk - f:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\108mbp~1.lnk - c:\program files\108mbps wireless network usb dongle\WLANPRO.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\heavyw~1.lnk - f:\heavyweather\heavy weather.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - f:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\reg.lnk - c:\program files\108mbps wireless network usb dongle\Reg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starto~1.lnk - f:\program files\opdicom\opditracker\OptT3STA.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
IE: &Clean Traces - g:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - g:\program files\dap\dapextie.htm
IE: Append to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - g:\program files\dap\dapextie2.htm
IE: Download all with Free Download Manager - file://f:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://f:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://f:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://f:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Open with Scansoft PDF Converter 3.0 - f:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: 5gigs.net\www
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236570906181
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {45F34056-2FA4-4110-B1A8-85BD050526FF} = 210.15.254.240,210.15.254.241
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - f:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - g:\program files\sas\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: w32spl.dll cfginfo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: CustomComposition - {a6827f27-d0cc-4e37-bbaa-892a93328d4a} - c:\program files\common files\custom\CustomComposition.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - g:\program files\sas\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\g92qmqts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?rls=ig
FF - component: f:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\paul\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\paul\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: f:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
f:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
f:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2009-3-22 40496]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2009-3-11 25000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-13 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-13 19024]
R2 avast! Antivirus;avast! Antivirus;f:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-3-23 10384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-4-26 2789160]
R3 avast! Mail Scanner;avast! Mail Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
R3 avast! Web Scanner;avast! Web Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
S1 SASDIFSV;SASDIFSV;\??\g:\program files\sas\sasdifsv.sys --> g:\program files\sas\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\g:\program files\sas\saskutil.sys --> g:\program files\sas\SASKUTIL.sys [?]
S2 gupdate1c9b10ee5ebf738;Google Update Service (gupdate1c9b10ee5ebf738);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]
S3 ATHFMWDL;Wireless predator Bootloader driver;c:\windows\system32\drivers\athfmwdl.sys [2009-3-9 43264]
S3 pbfilter;pbfilter;f:\program files\peerblock\pbfilter.sys [2009-11-10 14424]
S3 RSUSBCCID;Realtek Smartcard Reader Driver;c:\windows\system32\drivers\RtsUCcid.sys [2010-6-11 44032]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-6-11 189984]
S3 RtsUIr;Realtek IR Driver;c:\windows\system32\drivers\RtsUIr.sys [2010-6-11 17536]
S3 SASENUM;SASENUM;\??\g:\program files\sas\sasenum.sys --> g:\program files\sas\SASENUM.SYS [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-4-26 15656]

=============== Created Last 30 ================

2010-06-13 14:47:05 0 d-----w- c:\program files\common files\Custom
2010-06-13 13:54:25 438272 --sh--w- c:\windows\system32\w32spl.dll
2010-06-13 13:54:03 21504 --sh--w- c:\windows\system32\cfginfo.dll
2010-06-12 06:01:56 0 d-----w- c:\windows\XSxS
2010-06-12 06:01:56 0 d-----w- c:\program files\Xenocode
2010-06-11 09:15:20 313888 ----a-r- c:\windows\system32\RtsUStor.dll
2010-06-11 09:15:20 0 d-----w- c:\windows\system32\sda
2010-06-11 09:15:16 249856 ----a-r- c:\windows\system32\RtsUCcid.dll
2010-06-11 09:14:13 9112096 ------r- c:\windows\system32\RTSUSTORicon.dll
2010-06-11 09:13:52 44032 ------r- c:\windows\system32\drivers\RtsUCcid.sys
2010-06-11 09:13:52 189984 ------r- c:\windows\system32\drivers\RtsUStor.sys
2010-06-11 09:13:52 17536 ------r- c:\windows\system32\drivers\RtsUIr.sys
2010-06-11 09:13:48 0 d-----w- c:\program files\Realtek
2010-06-09 23:13:55 632832 ----a-w- c:\windows\notepad.exe
2010-06-09 23:13:55 23068 ----a-w- c:\windows\Notepad2.ini

==================== Find3M ====================

2010-05-20 00:05:47 2516 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-05-19 23:58:47 88 --sh--r- c:\docume~1\alluse~1\applic~1\DB14D8EA2B.sys
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 11:33:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-30 14:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 14:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe

============= FINISH: 18:19:27.60 ===============



#2 Farbar


    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 June 2010 - 05:06 AM

Hi Aussie_Paul,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

Also please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

#3 Aussie_Paul

  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Ipswich, Qld, Australia.

Posted 03 July 2010 - 07:34 PM

Thanks for the offer of assistance Farbar. I have been at work and only just got home to check my emails.
I am going out right now but I have not resolved the problem and I would appreciate the assistance.
I will be home in a couple of hours and will post the logs that you requested then.
Thanks again. Cheers,
Paul.

#4 Farbar


    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 July 2010 - 05:16 AM

(thumbs-up emoticon)

#5 Aussie_Paul

  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Ipswich, Qld, Australia.

Posted 04 July 2010 - 02:02 PM

Hi Farbar, the redirects during searching seem to have stopped. I have tried several searches and there were no redirects at all.
I am now getting messages from Avast (my anti-virus) advising me a threat has been detected. This seems to happen at random times; the affected files are some I don't recognise, but also firefox.exe and YahooMessenger.exe. The message says that the threat was blocked before it could do anything and there is no further action required. It seems to just have a generic name for the threat, "Win32 Gen Malware".
I'm not sure if it is related or not, but I often get a blue screen when I shut the computer down saying the computer was shut down to protect the computer due to an IRQL greater than or not less than equal error.
I also discovered today that I can no longer access my usb printer. It is not showing up in the list of printers and if I try to add a printer I get a message to say the printer spooler service is unavailable.
Thanks for your help with this.

I will not make any changes to the system while we are working through this.

Regards, Paul
Here is my latest DDS log, as requested.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Paul at 4:40:56.48 on Mon 05/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.261 [GMT 10:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
F:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
F:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SuperCopier2\SuperCopier2.exe
F:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\108Mbps Wireless Network USB Dongle\WLANPRO.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe
F:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
F:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
F:\Program Files\java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - f:\program files\ws_ftp pro\wsbho2k0.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - f:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - f:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] f:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] g:\program files\sas\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SuperCopier2.exe] f:\program files\supercopier2\SuperCopier2.exe
uRun: [Free Download Manager] f:\program files\free download manager\fdm.exe -autorun
uRun: [Google Update] "c:\documents and settings\paul\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Acrobat Assistant 8.0] "f:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF3 Registry Controller] "f:\program files\scansoft\omnipage15.0\pdfconverter3\\RegistryController.exe"
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless G DWA-110] f:\program files\d-link\d-link wireless g dwa-110\AirGCFG.exe
mRun: [GrooveMonitor] "f:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] f:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Corel File Shell Monitor] f:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\paul\startm~1\programs\startup\mailwa~1.lnk - f:\program files\firetrust\mailwasher pro\MailWasher.exe
StartupFolder: c:\docume~1\paul\startm~1\programs\startup\onenot~1.lnk - f:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\108mbp~1.lnk - c:\program files\108mbps wireless network usb dongle\WLANPRO.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\heavyw~1.lnk - f:\heavyweather\heavy weather.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - f:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\reg.lnk - c:\program files\108mbps wireless network usb dongle\Reg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starto~1.lnk - f:\program files\opdicom\opditracker\OptT3STA.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
IE: &Clean Traces - g:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - g:\program files\dap\dapextie.htm
IE: Append to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - g:\program files\dap\dapextie2.htm
IE: Download all with Free Download Manager - file://f:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://f:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://f:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://f:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Open with Scansoft PDF Converter 3.0 - f:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: 5gigs.net\www
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236570906181
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {45F34056-2FA4-4110-B1A8-85BD050526FF} = 210.15.254.240,210.15.254.241
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - f:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - g:\program files\sas\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: w32spl.dll cfginfo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: CustomComposition - {a6827f27-d0cc-4e37-bbaa-892a93328d4a} - c:\program files\common files\custom\CustomComposition.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - g:\program files\sas\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\g92qmqts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?rls=ig
FF - component: f:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\paul\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\paul\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: f:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
f:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
f:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
f:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
f:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2009-3-22 40496]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2009-3-11 25000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-13 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-13 19024]
R2 avast! Antivirus;avast! Antivirus;f:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-3-23 10384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-4-26 2789160]
R3 avast! Mail Scanner;avast! Mail Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
R3 avast! Web Scanner;avast! Web Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
S1 SASDIFSV;SASDIFSV;\??\g:\program files\sas\sasdifsv.sys --> g:\program files\sas\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\g:\program files\sas\saskutil.sys --> g:\program files\sas\SASKUTIL.sys [?]
S2 gupdate1c9b10ee5ebf738;Google Update Service (gupdate1c9b10ee5ebf738);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]
S3 ATHFMWDL;Wireless predator Bootloader driver;c:\windows\system32\drivers\athfmwdl.sys [2009-3-9 43264]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\90.tmp --> c:\windows\system32\90.tmp [?]
S3 pbfilter;pbfilter;f:\program files\peerblock\pbfilter.sys [2009-11-10 14424]
S3 RSUSBCCID;Realtek Smartcard Reader Driver;c:\windows\system32\drivers\RtsUCcid.sys [2010-6-11 44032]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-6-11 189984]
S3 RtsUIr;Realtek IR Driver;c:\windows\system32\drivers\RtsUIr.sys [2010-6-11 17536]
S3 SASENUM;SASENUM;\??\g:\program files\sas\sasenum.sys --> g:\program files\sas\SASENUM.SYS [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-4-26 15656]

=============== Created Last 30 ================

2010-07-02 06:31:52 0 d-----w- C:\Downloads
2010-07-02 05:12:13 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-02 05:09:56 0 d-----w- c:\documents and settings\paul\.limewire
2010-06-26 17:40:15 54156 ---ha-w- c:\windows\QTFont.qfn
2010-06-26 17:40:15 1409 ----a-w- c:\windows\QTFont.for
2010-06-13 14:47:05 0 d-----w- c:\program files\common files\Custom
2010-06-13 13:54:25 438272 ----a-w- c:\windows\system32\w32spl.dll
2010-06-13 13:54:03 21504 ----a-w- c:\windows\system32\cfginfo.dll
2010-06-12 06:01:56 0 d-----w- c:\windows\XSxS
2010-06-12 06:01:56 0 d-----w- c:\program files\Xenocode
2010-06-11 09:15:20 313888 ----a-r- c:\windows\system32\RtsUStor.dll
2010-06-11 09:15:20 0 d-----w- c:\windows\system32\sda
2010-06-11 09:15:16 249856 ----a-r- c:\windows\system32\RtsUCcid.dll
2010-06-11 09:14:13 9112096 ------r- c:\windows\system32\RTSUSTORicon.dll
2010-06-11 09:13:52 44032 ------r- c:\windows\system32\drivers\RtsUCcid.sys
2010-06-11 09:13:52 189984 ------r- c:\windows\system32\drivers\RtsUStor.sys
2010-06-11 09:13:52 17536 ------r- c:\windows\system32\drivers\RtsUIr.sys
2010-06-11 09:13:48 0 d-----w- c:\program files\Realtek
2010-06-09 23:13:55 632832 ----a-w- c:\windows\notepad.exe
2010-06-09 23:13:55 23068 ----a-w- c:\windows\Notepad2.ini

==================== Find3M ====================

2010-05-20 00:05:47 2516 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-05-19 23:58:47 88 --sh--r- c:\docume~1\alluse~1\applic~1\DB14D8EA2B.sys
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 11:33:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 4:41:36.64 ===============
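A triage pass over DDS-style load-point lines, added here as an example and not code from the thread or from DDS itself: it cross-references the AppInit_DLLs, SSODL, Notify and SEH entries, the Hosts overrides and the service image paths with the "Created Last 30" section, so that the entries a helper would check first in a log like the one above come out as a short list of leads. The Finding type, the regexes and the heuristics are my assumptions, and the sample lines are constructed to mirror the log's format.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # load point the lead came from
    subject: str   # entry name: DLL, service or host
    reason: str    # why it deserves a look (a lead, not a verdict)


# Constructed sample; the lines mirror the format of the DDS log above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: w32spl.dll cfginfo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: CustomComposition - {a6827f27-d0cc-4e37-bbaa-892a93328d4a} - c:\program files\common files\custom\CustomComposition.dll
Hosts: 127.0.0.1 www.spywareinfo.com
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\90.tmp --> c:\windows\system32\90.tmp [?]
S3 pbfilter;pbfilter;f:\program files\peerblock\pbfilter.sys [2009-11-10 14424]
=============== Created Last 30 ================
2010-06-13 14:47:05 0 d-----w- c:\program files\common files\Custom
2010-06-13 13:54:25 438272 ----a-w- c:\windows\system32\w32spl.dll
2010-06-13 13:54:03 21504 ----a-w- c:\windows\system32\cfginfo.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
LOADPOINT_RE = re.compile(r"^([A-Za-z_]+): (.*)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ [-\w]+ (.+)$")


def _service_image(field):
    """Strip the trailing '[date size]' / '[?]' and a '\\??\\x --> ' prefix."""
    image = field.split(" [", 1)[0]
    if " --> " in image:
        image = image.split(" --> ", 1)[1]
    return image.strip().lower()


def _recently_created(path, created):
    """True if the file or any parent directory appears in 'Created Last 30'."""
    path = path.strip().lower()
    while path:
        if path in created:
            return True
        parent = path.rsplit("\\", 1)[0]
        if parent == path:
            return False
        path = parent
    return False


def parse(text):
    """Split a DDS log into load points, services and recently created paths."""
    loadpoints, services, created, section = [], [], set(), ""
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif section.startswith("created last 30"):
            if m := CREATED_RE.match(line):
                created.add(m.group(1).lower())
        elif m := SERVICE_RE.match(line):
            services.append((m.group(1), _service_image(m.group(2))))
        elif m := LOADPOINT_RE.match(line):
            loadpoints.append((m.group(1), m.group(2)))
    return loadpoints, services, created


def triage(text):
    """Return the entries an analyst would check first, cross-referenced with
    the 'Created Last 30' section. The heuristics are assumptions, not DDS rules."""
    loadpoints, services, created = parse(text)
    findings = []
    for kind, rest in loadpoints:
        if kind == "AppInit_DLLs":
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for name in rest.split():
                recent = any(p.endswith("\\" + name.lower()) for p in created)
                findings.append(Finding(kind, name, "injected into every process"
                                        + ("; created in last 30 days" if recent else "")))
        elif kind in ("SSODL", "Notify", "SEH"):
            # Shell delay-load objects, Winlogon notify packages and shell execute
            # hooks run at logon; a brand-new file or directory behind one stands out.
            name, path = rest.split(" - ", 1)[0], rest.rsplit(" - ", 1)[-1]
            if _recently_created(path, created):
                findings.append(Finding(kind, name, "backed by a file or directory created in last 30 days"))
        elif kind == "Hosts":
            addr, _, host = rest.partition(" ")
            if addr in ("127.0.0.1", "0.0.0.0") and host and host != "localhost":
                findings.append(Finding(kind, host, "name pinned to loopback; the site is unreachable"))
    for name, image in services:
        # A driver image ending in .tmp is unusual; legitimate one-shot scanners do
        # this too, so confirm the vendor before treating it as malicious.
        if image.endswith(".tmp") or "\\temp\\" in image:
            findings.append(Finding("Service", name, f"image is a temp file: {image}"))
    return findings
```

Run `triage(SAMPLE_LOG)` and print each Finding; on the sample it yields five leads and leaves the stock ctfmon, WPDShServiceObj, LBTWlgn and pbfilter entries alone.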


#6 Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 July 2010 - 02:16 PM

Thanks for the update Paul.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. You need to disable your Avast Antivirus before running ComboFix.
    • Open Avast.
    • Under the avast! settings... window, select Troubleshooting.
    • Check avast! self-defense module.
    • Click OK.

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 Aussie_Paul

  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Ipswich, Qld, Australia.

Posted 04 July 2010 - 10:34 PM

Hi Farbar.... all done... had a few problems, nothing I couldn't deal with, but I should let you know what I did just so you are aware. I thought I had previously uninstalled Spybot Search and Destroy as a part of the process of cleaning the computer. It seems it didn't completely get removed.

I couldn't get the program to run, when I tried it would just hang.
I ended up booting into safe mode and uninstalling it from there. It seems to be gone now. After this is finished I'll download it again and install it.
I downloaded and ran the file "ResetTeaTimer.exe". It came up with a message to say "Spybot and tea Timer must be closed. Press any key to continue..."
When I press a key it comes up with another message to say "Finished"

I hope that is confirming to me that it has done its job (if necessary) and is finished.

I can't see any evidence that spybot is still running. I see there is a notation in the "Find3M Report" about spybot. When I uninstalled it there was a message to say that some elements could not be removed and they should be removed manually ... but it didn't tell me where they were so I didn't do anything about them. I'm guessing that notation in the report is related to that.

It looks like the interface for Avast has changed since the instructions were written to describe how to disable that program. The instructions did not fit with my version of Avast. I chose an option to "disable all shields permanently".
All of that aside, ComboFix seems to have done its thing and here is the contents of ComboFix.txt...
Thanks again for your time helping me with this,
Paul

ComboFix 10-07-04.02 - Paul 05/07/2010 12:38:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.520 [GMT 10:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
.
The following files were disabled during the run:
f:\program files\SuperCopier2\SC2Hook.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\notepad.original0.exe
f:\my documents\SYS
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))
.

2010-07-02 06:31 . 2010-07-05 02:19 -------- d-----w- C:\Downloads
2010-07-02 05:12 . 2010-07-02 05:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-02 05:09 . 2010-07-02 05:09 -------- d-----w- c:\documents and settings\Paul\.limewire
2010-07-02 05:09 . 2010-07-02 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-14 06:47 . 2010-06-14 06:47 -------- d-----w- c:\program files\Microsoft LifeChat
2010-06-13 14:47 . 2010-06-13 14:47 -------- d-----w- c:\program files\Common Files\Custom
2010-06-13 13:54 . 2010-06-13 13:54 438272 ----a-w- c:\windows\system32\w32spl.dll
2010-06-13 13:54 . 2010-06-13 13:54 21504 ----a-w- c:\windows\system32\cfginfo.dll
2010-06-12 06:01 . 2010-06-12 06:01 -------- d-----w- c:\windows\XSxS
2010-06-12 06:01 . 2010-06-12 06:01 -------- d-----w- c:\program files\Xenocode
2010-06-12 06:01 . 2010-06-12 06:01 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Xenocode
2010-06-11 09:15 . 2010-06-11 09:15 -------- d-----w- c:\windows\system32\sda
2010-06-11 09:15 . 2010-03-04 08:30 313888 ----a-r- c:\windows\system32\RtsUStor.dll
2010-06-11 09:15 . 2009-08-03 08:45 249856 ----a-r- c:\windows\system32\RtsUCcid.dll
2010-06-11 09:14 . 2010-03-04 08:30 9112096 ------r- c:\windows\system32\RTSUSTORicon.dll
2010-06-11 09:13 . 2010-03-12 03:23 189984 ------r- c:\windows\system32\drivers\RtsUStor.sys
2010-06-11 09:13 . 2009-08-10 04:45 44032 ------r- c:\windows\system32\drivers\RtsUCcid.sys
2010-06-11 09:13 . 2009-03-04 08:45 17536 ------r- c:\windows\system32\drivers\RtsUIr.sys
2010-06-11 09:13 . 2010-06-11 09:13 -------- d-----w- c:\program files\Realtek
2010-06-09 23:13 . 2010-03-04 14:00 632832 ----a-w- c:\windows\notepad.exe
2010-06-09 00:10 . 2010-06-09 00:10 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 02:52 . 2009-03-14 01:01 -------- d-----w- c:\documents and settings\Paul\Application Data\MailWasherPro
2010-07-05 02:50 . 2009-04-26 05:19 -------- d-----w- c:\documents and settings\Paul\Application Data\WTablet
2010-07-05 02:46 . 2009-04-16 13:02 -------- d-----w- c:\documents and settings\Paul\Application Data\Free Download Manager
2010-07-05 02:01 . 2009-03-13 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-27 21:19 . 2010-01-01 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-17 20:20 . 2009-04-15 04:04 -------- d-----w- c:\documents and settings\Paul\Application Data\uTorrent
2010-06-16 00:37 . 2009-03-08 13:31 243520 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 09:13 . 2009-03-08 13:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-10 03:18 . 2009-03-14 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-05-24 08:56 . 2010-05-24 08:56 503808 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d692616-n\msvcp71.dll
2010-05-24 08:56 . 2010-05-24 08:56 499712 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d692616-n\jmc.dll
2010-05-24 08:56 . 2010-05-24 08:56 348160 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d692616-n\msvcr71.dll
2010-05-24 08:56 . 2010-05-24 08:56 61440 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7492a490-n\decora-sse.dll
2010-05-24 08:56 . 2010-05-24 08:56 12800 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7492a490-n\decora-d3d.dll
2010-05-20 00:05 . 2010-05-19 23:56 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-20 00:05 . 2010-05-19 23:56 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-19 23:58 . 2010-05-19 23:56 88 --sh--r- c:\documents and settings\All Users\Application Data\DB14D8EA2B.sys
2010-05-19 23:58 . 2010-05-19 23:56 88 --sh--r- c:\documents and settings\All Users\Application Data\DB14D8EA2B.sys
2010-05-19 23:56 . 2010-05-19 23:42 -------- d-----w- c:\documents and settings\Paul\Application Data\Corel
2010-05-19 23:53 . 2010-05-19 23:53 -------- d-----w- c:\documents and settings\Paul\Application Data\Ulead Systems
2010-05-19 23:50 . 2010-05-19 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2010-05-19 23:49 . 2010-05-19 23:49 -------- d-----w- c:\program files\Corel
2010-05-19 23:49 . 2010-05-19 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-05-19 23:49 . 2010-05-19 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-05-19 23:44 . 2010-05-19 23:40 -------- d-----w- c:\program files\Common Files\Corel
2010-05-19 23:38 . 2010-05-19 23:38 -------- d-----w- c:\program files\Windows Media Components
2010-05-19 23:38 . 2010-05-19 23:38 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-05-10 21:52 . 2010-05-10 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-07 02:55 . 2010-05-07 02:55 255472 ----a-w- c:\documents and settings\Paul\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 20:59 . 2009-03-13 11:38 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-03-13 11:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-03-13 11:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-03-13 11:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-03-13 11:39 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-03-13 11:39 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-03-13 11:39 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-03-13 11:39 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-04 17:20 . 2004-08-12 13:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-12 13:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-12 13:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-12 13:33 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 11:33 . 2010-04-26 11:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30 . 2004-08-12 13:17 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="f:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]
"Free Download Manager"="f:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]
"Google Update"="c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-26 133104]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"PDF3 Registry Controller"="f:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe" [2005-08-25 106496]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless G DWA-110"="f:\program files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe" [2008-04-15 1675264]
"GrooveMonitor"="f:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Paul\Start Menu\Programs\Startup\
MailWasherPro.lnk - f:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2009-3-14 18169048]
OneNote 2007 Screen Clipper and Launcher.lnk - f:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
108Mbps Wireless Network USB Dongle Configuration Utility.lnk - c:\program files\108Mbps Wireless Network USB Dongle\WLANPRO.exe [2009-3-9 2494464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CustomComposition"= {a6827f27-d0cc-4e37-bbaa-892a93328d4a} - c:\program files\Common Files\Custom\CustomComposition.dll [2010-06-13 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 02:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"f:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessengerold.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"E:0\\TEXTFILE\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"E:0\\TEXTFILE\\Program Files\\CA\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Xenocode\\Sandbox\\2010.06.06T15.11\\Native\\STUBEXE\\8.0.1135\\@LOCAL@\\DEVICE\\HARDDISKVOLUME3\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [22/03/2009 2:59 PM 40496]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [11/03/2009 9:26 PM 25000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [13/03/2009 9:39 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13/03/2009 9:39 PM 19024]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [23/03/2009 7:59 PM 10384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [26/04/2009 3:18 PM 2789160]
S1 SASDIFSV;SASDIFSV;\??\g:\program files\SAS\SASDIFSV.SYS --> g:\program files\SAS\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\g:\program files\SAS\SASKUTIL.sys --> g:\program files\SAS\SASKUTIL.sys [?]
S2 gupdate1c9b10ee5ebf738;Google Update Service (gupdate1c9b10ee5ebf738);c:\program files\Google\Update\GoogleUpdate.exe [30/03/2009 6:09 PM 133104]
S3 ATHFMWDL;Wireless predator Bootloader driver;c:\windows\system32\drivers\athfmwdl.sys [9/03/2009 1:10 PM 43264]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\90.tmp --> c:\windows\system32\90.tmp [?]
S3 pbfilter;pbfilter;f:\program files\PeerBlock\pbfilter.sys [10/11/2009 8:25 AM 14424]
S3 RSUSBCCID;Realtek Smartcard Reader Driver;c:\windows\system32\drivers\RtsUCcid.sys [11/06/2010 7:13 PM 44032]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/06/2010 7:13 PM 189984]
S3 RtsUIr;Realtek IR Driver;c:\windows\system32\drivers\RtsUIr.sys [11/06/2010 7:13 PM 17536]
S3 SASENUM;SASENUM;\??\g:\program files\SAS\SASENUM.SYS --> g:\program files\SAS\SASENUM.SYS [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [26/04/2009 3:18 PM 15656]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 08:09]

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 08:09]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-343818398-839522115-1003Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 23:42]

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-343818398-839522115-1003UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 23:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - g:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - g:\program files\DAP\dapextie.htm
IE: Append to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - g:\program files\DAP\dapextie2.htm
IE: Download all with Free Download Manager - file://f:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://f:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://f:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://f:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with Scansoft PDF Converter 3.0 - f:\program files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
Trusted Zone: 5gigs.net\www
TCP: {45F34056-2FA4-4110-B1A8-85BD050526FF} = 210.15.254.240,210.15.254.241
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\g92qmqts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?rls=ig
FF - component: f:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Paul\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: f:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - g:\program files\SAS\SUPERAntiSpyware.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Corel File Shell Monitor - f:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - g:\program files\SAS\SASSEH.DLL
Notify-!SASWinLogon - g:\program files\SAS\SASWINLO.dll
MSConfigStartUp-msavsc - c:\program files\Microsoft Security Adviser\msavsc.exe
MSConfigStartUp-msctrl - c:\program files\Microsoft Security Adviser\msctrl.exe
MSConfigStartUp-msfw - c:\program files\Microsoft Security Adviser\msfw.exe
MSConfigStartUp-msiemon - c:\program files\Microsoft Security Adviser\msiemon.exe
MSConfigStartUp-mssadv - c:\program files\Microsoft Security Adviser\msfw.exe
MSConfigStartUp-msscan - c:\program files\Microsoft Security Adviser\msscan.exe
AddRemove-Download Accelerator Plus (DAP) - g:\progra~1\DAP\DAPREMOVE.EXE
AddRemove-Mount&Blade - g:\program files\Mount&Blade\uninstall.exe
AddRemove-WinLiveSuite_Wave3 - c:\program files\Windows Live\Installer\wlarp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 12:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Paul\LOCALS~1\Temp\mc24.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\90.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-343818398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0357FABB-FA73-BD87-A557-21FBC1956B73}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmiphffgdkohlfcjhmfocadppnlnalhba"=hex:61,62,6b,6a,64,67,62,69,6d,61,6c,63,
64,65,62,63,65,64,6e,6c,67,6c,70,64,61,63,63,68,6d,63,68,61,69,64,00,77
"bbmiphffgdkohlfcjhhfboeeldgolmgcokhk"=hex:61,62,6e,6a,62,67,63,65,62,6b,6e,6b,
62,68,62,64,6c,62,65,64,6e,6c,65,6d,65,62,6a,6a,69,6d,70,6e,6e,70,00,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\WININET.dll
f:\program files\SuperCopier2\SC2Hook.dll
f:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\Custom\CustomComposition.dll
f:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\Ati2evxx.exe
f:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
f:\program files\java\jre6\bin\jqs.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
f:\program files\Logitech\SetPoint\SetPoint.exe
f:\program files\Opdicom\OpdiTracker\OptT3STA.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\control.exe
.
**************************************************************************
.
Completion time: 2010-07-05 13:01:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-05 03:01

Pre-Run: 2,591,068,160 bytes free
Post-Run: 2,799,497,216 bytes free

- - End Of File - - DD90F6CC81A87DCB07B39A95C3E8E632

Edited by Aussie_Paul, 04 July 2010 - 10:36 PM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:20 AM

Posted 05 July 2010 - 01:28 AM

Thanks for the detailed feedback.

Do you have any idea why the original notepad.exe has been replaced?
  1. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      CODE
      :filefind
      notepad.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  2. Click on this link: virustotal

    Click the Browse button. Copy and paste the line in bold into the open box, then click Send File.

    c:\windows\notepad.exe

    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.


#9 Aussie_Paul

Aussie_Paul
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Ipswich, Qld, Australia.
  • Local time:05:20 PM

Posted 05 July 2010 - 08:42 AM

Hi Farbar, the computer is working much better now; in fact it appears to be back to normal.

I replaced Notepad with Notepad2 some time ago. IMO Notepad2 is a better notepad than the version that comes with MS Windows XP.
I have done the downloads and scans; here are the results.

Cheers,
Paul.
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:57 on 05/07/2010 by Paul (Administrator - Elevation successful)

========== filefind ==========

Searching for "notepad.*"
C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Notepad.lnk --a--- 1519 bytes [13:12 08/03/2009] [13:12 08/03/2009] 7591D398EA6D5D7E9A7AF5A970E4BD9D
C:\Documents and Settings\Paul\Start Menu\Programs\Accessories\Notepad.lnk --a--- 1521 bytes [13:16 08/03/2009] [23:22 09/06/2010] 22FC94430D177CAF391DD7346BBB1DC5
C:\Qoobox\Quarantine\C\WINDOWS\notepad.original0.exe.vir --a--- 69120 bytes [01:05 13/03/2009] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\$NtServicePackUninstall$\notepad.exe -----c 69120 bytes [04:21 09/03/2009] [13:25 12/08/2004] 388B8FBC36A8558587AFC90FB23A3B99
C:\WINDOWS\Help\notepad.chm --a--- 25236 bytes [13:25 12/08/2004] [13:25 12/08/2004] CC28209EAE1F1C3012ACD5FE3E2BF9B9
C:\WINDOWS\Help\notepad.hlp --a--- 12521 bytes [13:25 12/08/2004] [13:25 12/08/2004] EB9D47ECA3C4621620C37170E70AE647
C:\WINDOWS\notepad.backup --a--- 266752 bytes [11:25 08/09/2009] [14:00 30/10/2008] 3779B0B103DD8C8818A7BB1BDFA2AAE4
C:\WINDOWS\notepad.exe --a--- 632832 bytes [23:13 09/06/2010] [14:00 04/03/2010] 4E539DE24AA6E2709DD50028215EF529
C:\WINDOWS\ServicePackFiles\i386\notepad.exe --a--- 577024 bytes [00:12 14/04/2008] [14:00 27/07/2009] C98313F5248497A8606215DCAC5CB945
C:\WINDOWS\ServicePackFiles\i386\notepad.original0.exe --a--- 69120 bytes [01:05 13/03/2009] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Notepad.lnk --a--- 1519 bytes [13:14 08/03/2009] [13:12 08/03/2009] 7591D398EA6D5D7E9A7AF5A970E4BD9D
C:\WINDOWS\system32\dllcache\notepad.exe --a--c 577024 bytes [01:05 13/03/2009] [14:00 27/07/2009] C98313F5248497A8606215DCAC5CB945
C:\WINDOWS\system32\notepad.backup --a--- 266752 bytes [11:39 08/09/2009] [14:00 30/10/2008] 3779B0B103DD8C8818A7BB1BDFA2AAE4
C:\WINDOWS\system32\notepad.exe --a--- 632832 bytes [13:25 12/08/2004] [14:00 04/03/2010] 4E539DE24AA6E2709DD50028215EF529
C:\WINDOWS\system32\notepad.ini --a--- 23126 bytes [01:05 13/03/2009] [03:37 05/07/2010] 551DDA949343BE9088090708BB9C2FED
C:\WINDOWS\system32\notepad.original0.exe --a--- 69120 bytes [01:05 13/03/2009] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C

-=End Of File=-



File notepad.exe received on 2010.07.05 13:45:11 (UTC)
Result: 0/40 (0%)
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.05 -
AhnLab-V3 2010.07.03.00 2010.07.03 -
AntiVir 8.2.4.2 2010.07.05 -
Antiy-AVL 2.0.3.7 2010.07.02 -
Authentium 5.2.0.5 2010.07.04 -
Avast 4.8.1351.0 2010.07.05 -
Avast5 5.0.332.0 2010.07.05 -
AVG 9.0.0.836 2010.07.05 -
BitDefender 7.2 2010.07.05 -
CAT-QuickHeal 11.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.07.05 -
Comodo 5326 2010.07.05 -
DrWeb 5.0.2.03300 2010.07.05 -
eSafe 7.0.17.0 2010.07.05 -
eTrust-Vet 36.1.7687 2010.07.05 -
F-Prot 4.6.1.107 2010.07.04 -
F-Secure 9.0.15370.0 2010.07.05 -
Fortinet 4.1.133.0 2010.07.04 -
GData 21 2010.07.05 -
Ikarus T3.1.1.84.0 2010.07.05 -
Jiangmin 13.0.900 2010.07.03 -
Kaspersky 7.0.0.125 2010.07.05 -
McAfee 5.400.0.1158 2010.07.05 -
McAfee-GW-Edition 2010.1 2010.07.05 -
Microsoft 1.5902 2010.07.03 -
NOD32 5252 2010.07.05 -
Norman 6.05.10 2010.07.05 -
nProtect 2010-07-05.01 2010.07.05 -
Panda 10.0.2.7 2010.07.04 -
PCTools 7.0.3.5 2010.07.05 -
Rising 22.55.00.04 2010.07.05 -
Sophos 4.54.0 2010.07.05 -
Sunbelt 6545 2010.07.05 -
Symantec 20101.1.0.89 2010.07.05 -
TheHacker 6.5.2.1.308 2010.07.05 -
TrendMicro 9.120.0.1004 2010.07.05 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.05 -
VBA32 3.12.12.5 2010.07.05 -
ViRobot 2010.6.29.3912 2010.07.05 -
VirusBuster 5.0.27.0 2010.07.05 -
Additional information
File size: 632832 bytes
MD5...: 4e539de24aa6e2709dd50028215ef529
SHA1..: ed34bd86825084028fa994daa91c99ac95c5374f
SHA256: 6969d5f7b6477bef89cbd9137681ee4c0b4682584f13b77579aedba6b9fbef28
ssdeep: 6144:1qnptfIIO/g6qs+i77YvuteegHOAikHXjKPcAU3eJInt4xPrSetS1FDtcjq
4b7gf:Utfw2+eVZ5jKdU3rnqxPrSD4bEtjn
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x634f8
timedatestamp.....: 0x4b90c8d2 (Fri Mar 05 09:03:14 2010)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x68530 0x68600 6.63 ad73b3d5fb6cbe1271dccda5a8b26235
.data 0x6a000 0x1f890 0x18000 0.74 a77949cccfdb69f390382fa8e98838d2
.rsrc 0x8a000 0x19c30 0x19e00 4.68 6f3fd69a7fc59c8b282c26a2cf9d7578

( 12 imports )

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: n/a
copyright....: © Florian Balmer 2004-2010
product......: n/a
description..: Notepad2
original name: Notepad2.exe
internal name: Notepad2
file version.: 4.1.24
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Edited by Aussie_Paul, 05 July 2010 - 09:01 AM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:20 AM

Posted 05 July 2010 - 12:57 PM

I noticed notepad.exe was replaced, just wanted to make sure there has been no malicious patching.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/326896/search-engines-are-redirecting-me/

Collect::
c:\docume~1\Paul\LOCALS~1\Temp\mc24.tmp
Driver::
mchInjDrv
RegNull::
[HKEY_USERS\S-1-5-21-1935655697-343818398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0357FABB-FA73-BD87-A557-21FBC1956B73}*]
RegLockDel::
[HKEY_USERS\S-1-5-21-1935655697-343818398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0357FABB-FA73-BD87-A557-21FBC1956B73}*]
[HKEY_USERS\S-1-5-21-1935655697-343818398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0357FABB-FA73-BD87-A557-21FBC1956B73}]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
ComboFix might upload a file for analysis. Don't be alarmed.


#11 Aussie_Paul


Posted 05 July 2010 - 05:22 PM

Hi farbar, I ran the script in combofix as you instructed me to. Here is the latest log that combofix has published.
Nothing came up on the screen to indicate that Combofix uploaded a file for evaluation.
It did ask to update to a later version and I allowed that.

Before I post the log there is something else I have noticed. This behaviour was happening from about the time that the computer started to not work properly. It is still happening now.
When I start the computer it goes through the bootup process and at the very end of that process (about the same time it loads mailwasher), this box opens:
Attached File  IMG_01_Jul._06_08.03.gif   6.67KB   4 downloads

I have worked out that it is related to my Radeon graphics card controlling software. I won't do anything about it till we finish this process but I think if I just reinstall that software from the CD-ROM it should fix it. I'm just telling you this to keep you abreast of what I am seeing from this end that may not be apparent to you. As I said earlier this behaviour was happening before we started the repair process. I am mentioning it because it is the only thing I have seen that is still not right.
Anyway, here is the report.
Thanks again for your assistance with this.
Regards, Paul

ComboFix 10-07-04.04 - Paul 06/07/2010 7:22.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.533 [GMT 10:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))
.

2010-07-02 06:31 . 2010-07-05 02:19 -------- d-----w- C:\Downloads
2010-07-02 05:12 . 2010-07-02 05:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-02 05:09 . 2010-07-02 05:09 -------- d-----w- c:\documents and settings\Paul\.limewire
2010-07-02 05:09 . 2010-07-02 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-14 06:47 . 2010-06-14 06:47 -------- d-----w- c:\program files\Microsoft LifeChat
2010-06-13 14:47 . 2010-06-13 14:47 -------- d-----w- c:\program files\Common Files\Custom
2010-06-13 13:54 . 2010-06-13 13:54 438272 ----a-w- c:\windows\system32\w32spl.dll
2010-06-13 13:54 . 2010-06-13 13:54 21504 ----a-w- c:\windows\system32\cfginfo.dll
2010-06-12 06:01 . 2010-06-12 06:01 -------- d-----w- c:\windows\XSxS
2010-06-12 06:01 . 2010-06-12 06:01 -------- d-----w- c:\program files\Xenocode
2010-06-12 06:01 . 2010-06-12 06:01 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Xenocode
2010-06-11 09:15 . 2010-06-11 09:15 -------- d-----w- c:\windows\system32\sda
2010-06-11 09:15 . 2010-03-04 08:30 313888 ----a-r- c:\windows\system32\RtsUStor.dll
2010-06-11 09:15 . 2009-08-03 08:45 249856 ----a-r- c:\windows\system32\RtsUCcid.dll
2010-06-11 09:14 . 2010-03-04 08:30 9112096 ------r- c:\windows\system32\RTSUSTORicon.dll
2010-06-11 09:13 . 2010-03-12 03:23 189984 ------r- c:\windows\system32\drivers\RtsUStor.sys
2010-06-11 09:13 . 2009-08-10 04:45 44032 ------r- c:\windows\system32\drivers\RtsUCcid.sys
2010-06-11 09:13 . 2009-03-04 08:45 17536 ------r- c:\windows\system32\drivers\RtsUIr.sys
2010-06-11 09:13 . 2010-06-11 09:13 -------- d-----w- c:\program files\Realtek
2010-06-09 23:13 . 2010-03-04 14:00 632832 ----a-w- c:\windows\notepad.exe
2010-06-09 00:10 . 2010-06-09 00:10 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 21:34 . 2009-03-14 01:01 -------- d-----w- c:\documents and settings\Paul\Application Data\MailWasherPro
2010-07-05 21:30 . 2009-04-26 05:19 -------- d-----w- c:\documents and settings\Paul\Application Data\WTablet
2010-07-05 21:25 . 2009-04-16 13:02 -------- d-----w- c:\documents and settings\Paul\Application Data\Free Download Manager
2010-07-05 02:01 . 2009-03-13 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-27 21:19 . 2010-01-01 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-17 20:20 . 2009-04-15 04:04 -------- d-----w- c:\documents and settings\Paul\Application Data\uTorrent
2010-06-16 00:37 . 2009-03-08 13:31 243520 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 09:13 . 2009-03-08 13:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-10 03:18 . 2009-03-14 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-05-20 00:05 . 2010-05-19 23:56 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-19 23:58 . 2010-05-19 23:56 88 --sh--r- c:\documents and settings\All Users\Application Data\DB14D8EA2B.sys
2010-05-19 23:56 . 2010-05-19 23:42 -------- d-----w- c:\documents and settings\Paul\Application Data\Corel
2010-05-19 23:53 . 2010-05-19 23:53 -------- d-----w- c:\documents and settings\Paul\Application Data\Ulead Systems
2010-05-19 23:50 . 2010-05-19 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2010-05-19 23:49 . 2010-05-19 23:49 -------- d-----w- c:\program files\Corel
2010-05-19 23:49 . 2010-05-19 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-05-19 23:49 . 2010-05-19 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-05-19 23:44 . 2010-05-19 23:40 -------- d-----w- c:\program files\Common Files\Corel
2010-05-19 23:38 . 2010-05-19 23:38 -------- d-----w- c:\program files\Windows Media Components
2010-05-19 23:38 . 2010-05-19 23:38 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-05-10 21:52 . 2010-05-10 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-06 20:59 . 2009-03-13 11:38 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-03-13 11:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-03-13 11:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-03-13 11:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-03-13 11:39 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-03-13 11:39 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-03-13 11:39 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-03-13 11:39 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-04 17:20 . 2004-08-12 13:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-12 13:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-12 13:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-12 13:33 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 11:33 . 2010-04-26 11:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30 . 2004-08-12 13:17 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="f:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]
"Free Download Manager"="f:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]
"Google Update"="c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-26 133104]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"PDF3 Registry Controller"="f:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe" [2005-08-25 106496]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless G DWA-110"="f:\program files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe" [2008-04-15 1675264]
"GrooveMonitor"="f:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Paul\Start Menu\Programs\Startup\
MailWasherPro.lnk - f:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2009-3-14 18169048]
OneNote 2007 Screen Clipper and Launcher.lnk - f:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
108Mbps Wireless Network USB Dongle Configuration Utility.lnk - c:\program files\108Mbps Wireless Network USB Dongle\WLANPRO.exe [2009-3-9 2494464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CustomComposition"= {a6827f27-d0cc-4e37-bbaa-892a93328d4a} - c:\program files\Common Files\Custom\CustomComposition.dll [2010-06-13 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 02:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"f:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessengerold.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"E:0\\TEXTFILE\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"E:0\\TEXTFILE\\Program Files\\CA\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Xenocode\\Sandbox\\2010.06.06T15.11\\Native\\STUBEXE\\8.0.1135\\@LOCAL@\\DEVICE\\HARDDISKVOLUME3\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [22/03/2009 2:59 PM 40496]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [11/03/2009 9:26 PM 25000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [13/03/2009 9:39 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13/03/2009 9:39 PM 19024]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [23/03/2009 7:59 PM 10384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [26/04/2009 3:18 PM 2789160]
S1 SASDIFSV;SASDIFSV;\??\g:\program files\SAS\SASDIFSV.SYS --> g:\program files\SAS\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\g:\program files\SAS\SASKUTIL.sys --> g:\program files\SAS\SASKUTIL.sys [?]
S2 gupdate1c9b10ee5ebf738;Google Update Service (gupdate1c9b10ee5ebf738);c:\program files\Google\Update\GoogleUpdate.exe [30/03/2009 6:09 PM 133104]
S3 ATHFMWDL;Wireless predator Bootloader driver;c:\windows\system32\drivers\athfmwdl.sys [9/03/2009 1:10 PM 43264]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\90.tmp --> c:\windows\system32\90.tmp [?]
S3 pbfilter;pbfilter;f:\program files\PeerBlock\pbfilter.sys [10/11/2009 8:25 AM 14424]
S3 RSUSBCCID;Realtek Smartcard Reader Driver;c:\windows\system32\drivers\RtsUCcid.sys [11/06/2010 7:13 PM 44032]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/06/2010 7:13 PM 189984]
S3 RtsUIr;Realtek IR Driver;c:\windows\system32\drivers\RtsUIr.sys [11/06/2010 7:13 PM 17536]
S3 SASENUM;SASENUM;\??\g:\program files\SAS\SASENUM.SYS --> g:\program files\SAS\SASENUM.SYS [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [26/04/2009 3:18 PM 15656]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MCHINJDRV
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 08:09]

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 08:09]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-343818398-839522115-1003Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 23:42]

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-343818398-839522115-1003UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 23:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - g:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - g:\program files\DAP\dapextie.htm
IE: Append to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - g:\program files\DAP\dapextie2.htm
IE: Download all with Free Download Manager - file://f:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://f:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://f:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://f:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with Scansoft PDF Converter 3.0 - f:\program files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
Trusted Zone: 5gigs.net\www
TCP: {45F34056-2FA4-4110-B1A8-85BD050526FF} = 210.15.254.240,210.15.254.241
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\g92qmqts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?rls=ig
FF - component: f:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Paul\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: f:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 07:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Paul\LOCALS~1\Temp\mc25.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\90.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1624)
c:\windows\system32\WININET.dll
f:\program files\SuperCopier2\SC2Hook.dll
f:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\Custom\CustomComposition.dll
f:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\Ati2evxx.exe
f:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
f:\program files\java\jre6\bin\jqs.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
f:\program files\Logitech\SetPoint\SetPoint.exe
f:\program files\Opdicom\OpdiTracker\OptT3STA.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-07-06 07:44:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-05 21:44
ComboFix2.txt 2010-07-05 03:01

Pre-Run: 2,787,713,024 bytes free
Post-Run: 2,776,584,192 bytes free

- - End Of File - - 498B6EECDBD8EF5B2FCDC978602E321B

#12 Farbar


Posted 05 July 2010 - 06:19 PM

Thanks for the detailed feedback. The error could be related to a corrupt Framework 2.0.

There is one malware entry we need to make sure is removed.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    CODE
    Comment:
    start to process

    Drivers to delete:
    mchInjDrv

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv

    Files to delete:
    c:\documents and settings\Paul\LOCALS settings\Temp\mc25.tmp
  • In the avenger window, click the Paste Script from Clipboard, button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#13 Aussie_Paul


Posted 05 July 2010 - 08:14 PM

Hi farbar. I downloaded Avenger and unzipped it as per your instructions.
I was not sure if both reboots would be done by the program or if I needed to perform the second reboot myself. The log file opened and was saved as you said. That happened after the first reboot. I waited for some time and it didn't reboot so I performed it myself. I saw just a flash of an opened dialogue box ...or a window as the computer went into the shutdown procedure.

I thought maybe even though I waited about 5 minutes I might have interrupted something that avenger was doing. So when it started again I renamed avenger.txt to avenger1.txt and ran avenger again. The results in the log were the same, including that it successfully deleted the mchInjDrv driver. I didn't expect it to be there again after it was deleted the first time.

I waited for 20 minutes this time but Avenger still did not put the computer into a second reboot... so I did it again.
The log files are not very long so I'm going to post both of them here for your perusal (even though apart from what I have mentioned they appear, to me, to be identical).
Thanks,
Paul

This is the log from the first time I ran Avenger (Now called Avenger1.txt)
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mchInjDrv" not found!
Deletion of driver "mchInjDrv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "c:\documents and settings\Paul\LOCALS settings\Temp\mc25.tmp"
Deletion of file "c:\documents and settings\Paul\LOCALS settings\Temp\mc25.tmp" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

This is the log file from the second time I ran avenger... (Avenger.txt)
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "mchInjDrv" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "c:\documents and settings\Paul\LOCALS settings\Temp\mc25.tmp"
Deletion of file "c:\documents and settings\Paul\LOCALS settings\Temp\mc25.tmp" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.


#14 Farbar


Posted 06 July 2010 - 01:32 PM

There is a difference in the two logs:

QUOTE
Driver "mchInjDrv" deleted successfully.


The second log found the driver. It means it gets created again. The driver is not necessarily malicious. It can be used by security programs and that is the reason it will get created.
  1. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  2. If you want, we will attend to the error. Basically you should uninstall .NET Framework 2.0 and reinstall it. See here for a description and download of the clean up tool: http://www.melissanava.com

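Farbar's point above is that the driver name alone does not tell you who created it, and the second Avenger log shows the "mchInjDrv" driver being deleted while the ControlSet001 Services key for it was reported missing, which can happen when the control set that is actually in use is a different ControlSetNNN. The following PowerShell script is an added example for this thread, not something Farbar or Aussie_Paul posted: it reads which control set Windows booted from, looks for the named driver service in every control set, resolves the driver binary from its ImagePath, and checks the file's Authenticode signature so the reader can see whether the binary belongs to a signed security product or to something unknown. The service name defaults to mchInjDrv because that is the name in the log; PowerShell itself is an assumption, since the posts do not mention it.

```powershell
# Added example (not part of the BleepingComputer thread): locate a driver service
# in every control set, resolve its binary and report the Authenticode signature.
# Run from an elevated PowerShell prompt; the service name is taken from the Avenger log.
param([string]$ServiceName = 'mchInjDrv')

# HKLM\SYSTEM\Select\Current tells us which ControlSetNNN "CurrentControlSet" points to.
$current = (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
"Control set in use this boot: ControlSet{0:D3}" -f $current

function Resolve-DriverPath([string]$imagePath) {
    # ImagePath values for drivers come in kernel-style forms such as
    # "system32\drivers\x.sys", "\SystemRoot\system32\drivers\x.sys" or "\??\C:\...\x.sys".
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
foreach ($cs in $controlSets) {
    $key = Join-Path $cs.PSPath "Services\$ServiceName"
    if (-not (Test-Path $key)) {
        "{0}: no Services\{1} key" -f $cs.PSChildName, $ServiceName
        continue
    }
    $svc = Get-ItemProperty $key
    "{0}: Services\{1} present (Start={2}, Type={3})" -f $cs.PSChildName, $ServiceName, $svc.Start, $svc.Type
    if (-not $svc.ImagePath) {
        "  no ImagePath value; the service name alone does not identify which program created it"
        continue
    }
    $file = Resolve-DriverPath $svc.ImagePath
    if (-not (Test-Path $file)) {
        "  ImagePath points at {0}, but that file is missing" -f $file
        continue
    }
    # A valid signature from a known vendor supports the "security program" explanation;
    # an unsigned or untrusted binary that keeps coming back deserves a second look.
    $sig = Get-AuthenticodeSignature $file
    "  {0}: signature {1}, signer: {2}" -f $file, $sig.Status, $sig.SignerCertificate.Subject
}
```

Running the script before and after a reboot shows whether the key and file reappear, which is the "gets created again" behaviour Farbar describes, and which control set they reappear in.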

#15 Aussie_Paul

Aussie_Paul
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Ipswich, Qld, Australia.
  • Local time:05:20 PM

Posted 06 July 2010 - 07:36 PM

Hi Farbar. I have a problem. I am writing this from my wife's computer because I cannot boot mine up anymore. I downloaded Malwarebytes, installed it and updated the database. Ran the scan and went through the process to "remove selected". It said that it needed to reboot the computer so I agreed to that.
When it went to reboot it goes past the part where it flashes about the option to boot to Windows or the recovery console and then a blue screen comes up saying a problem had been detected and Windows has been shut down to protect my computer.
IO1 INITIALIZATION FAILED.
I have tried to boot into safe mode and into the recovery console but this message comes up each time.
Regards,
Paul



