
Redirecting virus


17 replies to this topic

#1 global72

Posted 14 July 2010 - 03:05 AM

My browsers and search engines keep redirecting me to ad sites. I've run SUPERAntiSpyware and Malwarebytes to no avail. Somebody please help! I ran HijackThis and the analyzer and got the following:

Index % of PCs with item Code Data
1 0.0% F2 UserInit=C:\WINDOWS\system32\Userinit.exe
65 0.0% P01 C:\WINDOWS\Explorer.EXE
66 0.0% P01 C:\WINDOWS\system32\svchost.exe
67 0.0% P01 C:\WINDOWS\system32\lsass.exe
68 0.0% P01 C:\WINDOWS\system32\winlogon.exe
69 0.0% P01 C:\WINDOWS\system32\services.exe
70 0.0% P01 C:\WINDOWS\System32\smss.exe
71 0.0% P01 C:\WINDOWS\system32\spoolsv.exe
72 0.0% P01 C:\WINDOWS\system32\ctfmon.exe
73 0.0% P01 C:\Program Files\Internet Explorer\iexplore.exe
74 0.0% P01 C:\WINDOWS\system32\wuauclt.exe
75 0.0% P01 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
76 0.0% P01 C:\Program Files\Messenger\msmsgs.exe
77 0.0% P01 C:\WINDOWS\System32\hkcmd.exe
78 0.0% P01 C:\WINDOWS\system32\wscntfy.exe
79 0.0% P01 C:\WINDOWS\system32\igfxpers.exe
80 0.0% P01 C:\Program Files\Skype\Phone\Skype.exe
81 0.0% P01 C:\WINDOWS\system32\igfxsrvc.exe
82 0.0% P01 C:\Program Files\Skype\Plugin Manager\SkypePM.exe
83 0.0% P01 C:\WINDOWS\System32\bcmwltry.exe
84 0.0% P01 C:\WINDOWS\System32\WLTRYSVC.EXE
85 0.0% P01 C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
86 0.0% P01 C:\WINDOWS\system32\WLTRAY.exe
87 0.0% P01 C:\WINDOWS\system32\SearchIndexer.exe
88 0.0% P01 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
89 0.0% P01 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
90 0.0% P01 C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
91 0.0% P01 C:\Program Files\Creative\Mixer\CTSVolFE.exe
92 0.0% P01 C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
93 0.0% P01 C:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
94 0.0% P01 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
95 0.0% P01 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
96 0.0% P01 C:\Program Files\Common Files\Java\Java Update\jusched.exe
97 0.0% P01 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
98 0.0% P01 C:\Program Files\Java\jre6\bin\jqs.exe
99 0.0% P01 C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
100 0.0% P01 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
101 0.0% P01 C:\Documents and Settings\babucarr\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
102 0.0% P01 C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
103 0.0% P01 C:\Documents and Settings\babucarr\My Documents\Downloads\iexplore.exe
104 0.0% P01 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
105 0.0% P01 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
106 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
107 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
108 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
109 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
110 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
111 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
112 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
113 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
114 0.0% R1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577

HijackThis Line Item Codes

R - Registry, StartPage/SearchPage changes

R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be

F - IniFiles, autoloading entries

F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry

N - Netscape/Mozilla StartPage/SearchPage changes

N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla

O - Other, several sections which represent:

O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
O24 - Windows active desktop components
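As an added example (not code from this thread or from the HijackThis analyzer), a small Python triage script that reads analyzer rows in the layout pasted above and flags the two signs a helper looks at first: an Internet Explorer ProxyServer value pointing at a loopback address, which routes every browser request through a process on the machine itself (a common way redirects are injected), and a process whose file name matches a core Windows binary but runs from an unexpected directory. The sample rows are copied from the listing above; the expected-directory table is an assumption about a standard Windows XP layout.

```python
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: rows copied from the analyzer listing in post #1 above,
# in the same "<index> <% of PCs> <code> <data>" layout; enough to hit both checks.
SAMPLE_LOG = r"""
Index % of PCs with item Code Data
1 0.0% F2 UserInit=C:\WINDOWS\system32\Userinit.exe
66 0.0% P01 C:\WINDOWS\system32\svchost.exe
73 0.0% P01 C:\Program Files\Internet Explorer\iexplore.exe
103 0.0% P01 C:\Documents and Settings\babucarr\My Documents\Downloads\iexplore.exe
107 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
114 0.0% R1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
"""

# Assumed standard Windows XP locations for a few core binaries. The same file
# name running from any other directory (profile, Downloads, Temp) is the
# classic masquerade and deserves a closer look.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
}

LINE_RE = re.compile(r"^(\d+)\s+([\d.]+%)\s+([A-Z]\d+)\s+(.*\S)\s*$")


@dataclass
class Entry:
    index: int
    prevalence: str   # the "% of PCs with item" column
    code: str         # HijackThis item code, e.g. R1, F2, P01
    data: str


@dataclass
class Finding:
    index: int
    kind: str
    detail: str


def parse_hjt_analyzer(text: str) -> List[Entry]:
    """Parse '<index> <pct> <code> <data>' rows; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m[1]), m[2], m[3], m[4]))
    return entries


def loopback_proxy_endpoints(entry: Entry) -> List[str]:
    """Return the loopback host:port values if this R-entry sets ProxyServer."""
    key, _, value = entry.data.partition(" = ")
    if not (entry.code.startswith("R") and key.endswith(",ProxyServer")):
        return []
    found = []
    for part in value.split(";"):               # e.g. http=127.0.0.1:5577;https=...
        hostport = part.split("=")[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]")
        try:
            is_loop = ipaddress.ip_address(host).is_loopback
        except ValueError:                      # not a literal IP; only "localhost" counts
            is_loop = host.casefold() == "localhost"
        if is_loop:
            found.append(hostport)
    return found


def misplaced_system_binary(entry: Entry) -> Optional[str]:
    """For a P01 (running process) row, report a known name in an unexpected directory."""
    if entry.code != "P01":
        return None
    name = ntpath.basename(entry.data).casefold()
    directory = ntpath.dirname(entry.data)
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory.casefold() in expected:
        return None
    return f"{name} running from {directory} (expected {sorted(expected)})"


def triage(text: str) -> List[Finding]:
    """Run both checks over every row and return findings in log order."""
    findings = []
    for e in parse_hjt_analyzer(text):
        for ep in loopback_proxy_endpoints(e):
            findings.append(Finding(e.index, "loopback-proxy",
                                    f"IE traffic routed through local proxy {ep}"))
        msg = misplaced_system_binary(e)
        if msg:
            findings.append(Finding(e.index, "misplaced-binary", msg))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"#{f.index:<4} {f.kind:<17} {f.detail}")
```

A loopback proxy is not proof of infection by itself, since some security and privacy products install one; confirm with `netstat -ano` which process owns the listening port before removing anything.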




#2 gringo_pr

  • Malware Response Team

Posted 14 July 2010 - 07:47 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread, upload it here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Information and logs:
    In your next post I need the following:
      1. logs from DDS
      2. RKUnHooker
      3. let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 global72

  • Topic Starter

Posted 14 July 2010 - 05:21 PM


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/13/2009 2:32:27 PM
System Uptime: 7/14/2010 5:54:14 PM (1 hours ago)

Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Microprocessor | 1662/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 17.806 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Realtek High Definition Audio
Device ID: ROOT\MEDIA\0000
Manufacturer: Realtek
Name: Realtek High Definition Audio
PNP Device ID: ROOT\MEDIA\0000
Service: IntcAzAudAddService

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Realtek High Definition Audio
Device ID: ROOT\MEDIA\0004
Manufacturer: Realtek
Name: Realtek High Definition Audio
PNP Device ID: ROOT\MEDIA\0004
Service: IntcAzAudAddService

==== System Restore Points ===================

RP273: 4/16/2010 1:47:36 PM - System Checkpoint
RP274: 4/17/2010 2:19:38 PM - System Checkpoint
RP275: 4/18/2010 5:34:11 PM - System Checkpoint
RP276: 4/19/2010 8:37:34 PM - System Checkpoint
RP277: 4/20/2010 7:40:10 AM - Software Distribution Service 3.0
RP278: 4/20/2010 11:59:14 AM - Software Distribution Service 3.0
RP279: 4/21/2010 3:08:36 PM - System Checkpoint
RP280: 4/22/2010 3:48:17 PM - System Checkpoint
RP281: 4/24/2010 11:40:17 AM - System Checkpoint
RP282: 4/25/2010 12:17:40 PM - System Checkpoint
RP283: 4/25/2010 10:35:14 PM - Software Distribution Service 3.0
RP284: 4/27/2010 7:05:32 AM - Software Distribution Service 3.0
RP285: 4/28/2010 11:59:46 AM - System Checkpoint
RP286: 4/29/2010 1:35:38 PM - System Checkpoint
RP287: 4/30/2010 5:16:34 PM - System Checkpoint
RP288: 5/2/2010 10:36:09 PM - System Checkpoint
RP289: 5/4/2010 9:04:23 AM - Software Distribution Service 3.0
RP290: 5/5/2010 4:50:24 PM - System Checkpoint
RP291: 5/7/2010 10:22:44 AM - System Checkpoint
RP292: 5/8/2010 12:47:17 PM - System Checkpoint
RP293: 5/9/2010 2:22:24 PM - System Checkpoint
RP294: 5/10/2010 6:28:22 PM - System Checkpoint
RP295: 5/11/2010 10:55:53 AM - Software Distribution Service 3.0
RP296: 5/13/2010 12:44:30 PM - System Checkpoint
RP297: 5/17/2010 2:45:53 PM - System Checkpoint
RP298: 5/18/2010 8:52:19 AM - Software Distribution Service 3.0
RP299: 5/19/2010 10:34:46 PM - System Checkpoint
RP300: 5/21/2010 9:52:14 AM - System Checkpoint
RP301: 5/23/2010 6:09:17 PM - System Checkpoint
RP302: 5/25/2010 3:58:25 AM - System Checkpoint
RP303: 5/25/2010 4:00:21 AM - Software Distribution Service 3.0
RP304: 5/26/2010 8:20:50 PM - System Checkpoint
RP305: 5/28/2010 7:26:07 PM - System Checkpoint
RP306: 5/29/2010 10:27:23 PM - System Checkpoint
RP307: 5/31/2010 9:07:30 AM - System Checkpoint
RP308: 6/1/2010 4:00:24 AM - Software Distribution Service 3.0
RP309: 6/1/2010 4:14:45 PM - Software Distribution Service 3.0
RP310: 6/3/2010 7:33:24 PM - System Checkpoint
RP311: 6/5/2010 9:26:58 PM - System Checkpoint
RP312: 6/6/2010 11:20:49 PM - System Checkpoint
RP313: 6/8/2010 8:23:41 AM - Software Distribution Service 3.0
RP314: 6/10/2010 7:00:17 PM - System Checkpoint
RP315: 6/12/2010 5:39:32 PM - System Checkpoint
RP316: 6/14/2010 1:24:16 PM - System Checkpoint
RP317: 6/15/2010 7:33:12 AM - Software Distribution Service 3.0
RP318: 6/16/2010 5:09:32 PM - System Checkpoint
RP319: 6/18/2010 10:42:41 PM - System Checkpoint
RP320: 6/20/2010 8:32:26 AM - System Checkpoint
RP321: 6/22/2010 10:48:34 AM - Software Distribution Service 3.0
RP322: 6/23/2010 11:09:06 PM - System Checkpoint
RP323: 6/25/2010 4:43:07 PM - System Checkpoint
RP324: 6/26/2010 11:45:06 AM - Software Distribution Service 3.0
RP325: 6/27/2010 9:17:56 PM - System Checkpoint
RP326: 6/29/2010 1:40:55 AM - System Checkpoint
RP327: 6/29/2010 4:00:26 AM - Software Distribution Service 3.0
RP328: 7/1/2010 4:29:28 PM - System Checkpoint
RP329: 7/3/2010 1:32:38 PM - System Checkpoint
RP330: 7/5/2010 12:08:02 AM - Installed Windows Internet Explorer 8.
RP331: 7/5/2010 11:48:31 PM - Software Distribution Service 3.0
RP332: 7/6/2010 8:55:29 AM - Software Distribution Service 3.0
RP333: 7/9/2010 3:34:44 PM - System Checkpoint
RP334: 7/10/2010 7:52:34 PM - System Checkpoint
RP335: 7/12/2010 1:35:09 PM - System Checkpoint
RP336: 7/13/2010 4:00:34 AM - Software Distribution Service 3.0
RP337: 7/14/2010 5:11:29 AM - System Checkpoint
RP338: 7/14/2010 4:11:04 PM - Installed Kaspersky Anti-Virus 2010.
RP339: 7/14/2010 5:56:42 PM - Restore Operation

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Belkin Wireless USB Utility
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Dell Driver Download Manager
Dell Mobile Broadband Card Utility
Dell Wireless WLAN Card
Desktop Doctor
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InstallMgr
Intel® Graphics Media Accelerator Driver
Java Auto Updater
Java™ 6 Update 19
Kaspersky Anti-Virus 2010
LimeWire 5.2.13
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mixer
Move Media Player
Mozilla Firefox (3.6.6)
MSN Toolbar
Nokia Connectivity Cable Driver
Octoshape Streaming Services
OGA Notifier 2.0.0048.0
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
SigmaTel Audio
Skype web features
Skype™ 4.1
SlingPlayer
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB Demo
Spelling Dictionaries Support For Adobe Reader 9
TextBridge Pro 11.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebSlingPlayer ActiveX
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell™ 1.0
Windows PowerShell™ 1.0 MUI pack
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

7/9/2010 8:57:54 PM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.
7/9/2010 8:57:53 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/9/2010 8:57:53 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/8/2010 11:15:40 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/8/2010 11:15:32 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SRTSP SRTSPX SYMTDI Tcpip
7/8/2010 11:15:32 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
7/8/2010 11:15:32 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/8/2010 11:15:32 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/8/2010 11:15:32 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/8/2010 1:14:59 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
7/8/2010 1:13:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/14/2010 9:58:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IDSxpx86
7/14/2010 2:44:19 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
7/13/2010 4:04:36 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Office 2003 Service Pack 2.
7/13/2010 10:08:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
7/11/2010 10:42:02 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer YAHADDY-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C2AE092D-5F92-495. The master browser is stopping or an election is being forced.
7/10/2010 8:03:48 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 0016CE3A7C27 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================





DDS (Ver_10-03-17.01) - NTFSx86
Run by babucarr at 18:14:49.01 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.474 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\babucarr\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\babucarr\Local Settings\Temporary Internet Files\Content.IE5\QIITJWVM\dds[1].pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Octoshape Streaming Services] "c:\documents and settings\babucarr\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Omnipage] c:\program files\scansoft\textbridgepro11.0\opware32.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250198392921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://watchimg3.slingbox.com//downloads/pc/WebSlingPlayer.cab?1.4.0.75
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\babucarr\applic~1\mozilla\firefox\profiles\4refbvqu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\babucarr\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\babucarr\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\babucarr\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\babucarr\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-7-14 315408]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-4 1684736]

=============== Created Last 30 ================

2010-07-14 22:12:18 0 ----a-w- c:\documents and settings\babucarr\defogger_reenable
2010-07-14 21:53:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-07-14 20:13:24 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-14 20:13:24 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-14 20:11:30 0 d-----w- c:\program files\Kaspersky Lab
2010-07-14 20:11:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-07-05 04:02:19 0 dc-h--w- c:\windows\ie8
2010-06-17 15:48:07 0 d-----w- c:\program files\Citrix
2010-06-17 15:47:37 72080 ----a-w- c:\documents and settings\babucarr\g2mdlhlpx.exe
2010-06-15 15:27:54 171 ----a-w- c:\windows\system32\MRT.INI

==================== Find3M ====================

2010-07-14 20:41:09 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 18:16:23.03 ===============

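A quick triage pass over a DDS log of this shape, added here as an example; it is not part of the original thread, of DDS, or of the helper's instructions. The checks it applies (orphaned "No File" CLSIDs, Run entries with no command, Run entries resolved by bare filename or launched from the user profile, Winlogon Notify and AppInit_DLLs entries, and the Firefox proxy mode) are my own review checklist, and anything it raises is an item to look at, not a verdict. The sample lines are copied from the log above.

```python
import re

# Sample input: lines copied from the DDS log posted above (a subset, not a fabricated log).
SAMPLE_DDS = r"""
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Octoshape Streaming Services] "c:\documents and settings\babucarr\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [<NO NAME>]
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
FF - prefs.js: network.proxy.type - 4
"""

# DDS line shapes handled here (only the forms visible in the log above).
CLSID_LINE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
INJECT_LINE = re.compile(r"^(?P<key>Notify|AppInit_DLLs): (?P<val>.*)$")
PROXY_LINE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<val>\d+)$")

# Firefox network.proxy.type values.
PROXY_MEANING = {"0": "direct", "1": "manual", "2": "PAC script",
                 "4": "auto-detect via WPAD", "5": "system proxy"}


def _exe_of(cmd):
    """First token of a Run command: the quoted path if quoted, else the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _in_user_writable(path):
    """Heuristic: XP per-user profile locations that a non-admin process can write to."""
    low = path.lower()
    return "\\documents and settings\\" in low and (
        "\\application data\\" in low or "\\local settings\\" in low)


def triage_dds(text):
    """Group DDS log lines into review items; every item is a prompt to look, not a verdict."""
    findings = {"no_file": [], "empty_run": [], "bare_name_run": [],
                "user_writable_run": [], "injection_points": [], "proxy": None}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := CLSID_LINE.match(line)):
            # Registered BHO/toolbar/explorer bar whose DLL no longer exists: an orphan left behind.
            if m["path"].strip() == "No File":
                findings["no_file"].append(m["clsid"])
        elif (m := RUN_LINE.match(line)):
            exe = _exe_of(m["cmd"])
            if not exe:
                findings["empty_run"].append(m["name"])           # value with no command at all
            elif "\\" not in exe and ":" not in exe:
                findings["bare_name_run"].append(m["name"])       # resolved by PATH search, so hijackable
            elif _in_user_writable(exe):
                findings["user_writable_run"].append(m["name"])   # autostart from a user-writable directory
        elif (m := INJECT_LINE.match(line)):
            # Winlogon Notify packages and AppInit_DLLs load into other processes; confirm the vendor.
            findings["injection_points"].append(f"{m['key']}: {m['val']}")
        elif (m := PROXY_LINE.match(line)):
            v = m["val"]
            findings["proxy"] = f"{v} ({PROXY_MEANING.get(v, 'unknown')})"
    return findings


if __name__ == "__main__":
    for key, items in triage_dds(SAMPLE_DDS).items():
        print(f"{key}: {items}")
```

On the posted log everything this raises has a benign explanation (the two Kaspersky DLLs, the per-user Octoshape client, the two orphaned toolbar CLSIDs), which is the point: the checks surface what to look at and the reviewer decides. One caveat worth carrying away: the profile's `network.proxy.type` is 4 (auto-detect) while the greprefs default further down is 5 (system proxy), and auto-detect means Firefox will honour a WPAD-announced proxy, which on a hostile network is one way browsing gets redirected, so it is fair to ask whether the user chose that setting.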

#4 gringo_pr

Bleepin Gringo
Malware Response Team

Posted 14 July 2010 - 05:30 PM

Greetings

I still need this scan

" Scan With RKUnHooker "


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 global72

Topic Starter

Posted 14 July 2010 - 09:56 PM

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
ntkrnlpa.exe-->NtAdjustPrivilegesToken, Type: Address change 0x805EBB16-->AA0C858C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtClose, Type: Address change 0x805BC4DC-->AA0C8E0C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtConnectPort, Type: Address change 0x805A4596-->AA0C9922 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateEvent, Type: Address change 0x8060E634-->AA0C9E94 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x80579084-->AA0C90EE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x806237C8-->AA0C7436 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateMutant, Type: Address change 0x80616D76-->AA0C9D6C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateNamedPipeFile, Type: Address change 0x805790BE-->AA0C8192 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreatePort, Type: Address change 0x805A50B2-->AA0C9C28 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateSection, Type: Address change 0x805AB38E-->AA0C834E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateSemaphore, Type: Address change 0x80614734-->AA0C9FC6 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x805C39A6-->AA0CBC08 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x805D0FD2-->AA0C8AAA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtCreateWaitablePort, Type: Address change 0x805A50D6-->AA0C9CCA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtDebugActiveProcess, Type: Address change 0x8064320E-->AA0CB5FA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x80623C64-->AA0C79FA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x80623E34-->AA0C7D88 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtDeviceIoControlFile, Type: Address change 0x8057924A-->AA0C9576 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x805BDFB4-->AA0CC5CA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtEnumerateKey, Type: Address change 0x80624014-->AA0C7ECA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtEnumerateValueKey, Type: Address change 0x8062427E-->AA0C7F74 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtFsControlFile, Type: Address change 0x8057927E-->AA0C9382 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x8058413A-->AA0CB68C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtLoadKey, Type: Address change 0x806259EC-->AA0C7412 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtLoadKey2, Type: Address change 0x806255F8-->AA0C7424 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Address change 0x805B1FE6-->AA0CBCBC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtNotifyChangeKey, Type: Address change 0x806259B6-->AA0C80C0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenEvent, Type: Address change 0x8060E734-->AA0C9F36 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenFile, Type: Address change 0x8057A182-->AA0C8E8E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenKey, Type: Address change 0x80624BA6-->AA0C75DC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenMutant, Type: Address change 0x80616E4E-->AA0C9E04 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805CB3FA-->AA0C8792 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenSection, Type: Address change 0x805AA3B2-->AA0CBC32 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenSemaphore, Type: Address change 0x8061482E-->AA0CA068 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x805CB686-->AA0C86B6 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtQueryKey, Type: Address change 0x80624EE8-->AA0C801E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtQueryMultipleValueKey, Type: Address change 0x80622916-->AA0C7C46 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtQuerySection, Type: Address change 0x805B858C-->AA0CBFD4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtQueryValueKey, Type: Address change 0x806219EC-->AA0C7896 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtQueueApcThread, Type: Address change 0x805D1230-->AA0CB922 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Address change 0x806231EA-->AA0C7B0E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Address change 0x8062589C-->AA0C72B0 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtReplyPort, Type: Address change 0x805A54B2-->AA0CA3F2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtReplyWaitReceivePort, Type: Address change 0x805A647A-->AA0CA2B8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtRequestWaitReplyPort, Type: Address change 0x805A2D3C-->AA0CB39A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Address change 0x806251A8-->AA0CEE2C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtResumeThread, Type: Address change 0x805D495A-->AA0CC4AC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSaveKey, Type: Address change 0x806252A4-->AA0C7248 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSecureConnectPort, Type: Address change 0x805A3D2A-->AA0C965C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x805D16F4-->AA0C8CC8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSetInformationToken, Type: Address change 0x805F9E7E-->AA0CAC4A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSetSecurityObject, Type: Address change 0x805C05DA-->AA0CB786 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSetSystemInformation, Type: Address change 0x8060F3EC-->AA0CC114 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80621D3A-->AA0C771E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSuspendProcess, Type: Address change 0x805D4A22-->AA0CC1F8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x805D4894-->AA0CC320 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtSystemDebugControl, Type: Address change 0x80617792-->AA0CB526 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x805D2982-->AA0C890A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x805D2B7C-->AA0C8860 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Address change 0x805B2DF4-->AA0CBE8A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x805B4378-->AA0C89EA [C:\WINDOWS\system32\DRIVERS\klif.sys]

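The RkUnhooker output above lists every SSDT entry that klif.sys has redirected. As an added example, not part of this thread or of RkUnhooker, here is Python I wrote that groups such "Address change" lines by hooking module and flags any module that is not on a reviewer-maintained list of expected security drivers or is not loaded from system32\drivers. The allowlist and the last sample line (made-up addresses and a made-up driver name) are constructed for the demonstration; the first three sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Reviewer-maintained list of drivers expected to hook the SSDT on this box. klif.sys is
# listed because the DDS services section above names it as the Kaspersky Lab Driver.
KNOWN_SECURITY_DRIVERS = {"klif.sys"}

# "Address change" lines in RkUnhooker's report format, as seen in the log above.
HOOK_LINE = re.compile(
    r"^(?P<image>\S+?)-->(?P<syscall>\w+), Type: Address change "
    r"0x(?P<orig>[0-9A-Fa-f]+)-->(?P<hook>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$")

# Sample input: the first three lines are copied from the RkU log above; the last line is
# constructed for this demonstration (made-up addresses and a made-up driver name) so that
# the unexpected-module path is exercised.
SAMPLE_RKU = r"""
ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x80579084-->AA0C90EE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805CB3FA-->AA0C8792 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x8058413A-->AA0CB68C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntkrnlpa.exe-->NtQueryDirectoryFile, Type: Address change 0x80574DAD-->F8A12C40 [C:\WINDOWS\system32\drivers\example_unknown.sys]
"""


def attribute_hooks(text, known=KNOWN_SECURITY_DRIVERS):
    """Group SSDT 'Address change' entries by hooking module and flag modules that need a look."""
    by_module = defaultdict(list)   # module path -> list of (syscall, hook address)
    unparsed = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOOK_LINE.match(line)
        if m is None:
            unparsed.append(line)   # other report lines (other hook types, headers) are left for manual review
            continue
        by_module[m["module"]].append((m["syscall"], int(m["hook"], 16)))

    summary, unexpected = {}, []
    for module, entries in by_module.items():
        name = module.rsplit("\\", 1)[-1].lower()
        in_drivers_dir = module.lower().startswith("c:\\windows\\system32\\drivers\\")
        addrs = [a for _, a in entries]
        summary[module] = {
            "count": len(entries),
            "syscalls": sorted(s for s, _ in entries),
            # Hook targets from one driver should sit close together inside that driver's image;
            # a wide spread suggests the attribution or the image deserves a second look.
            "target_span": max(addrs) - min(addrs),
            "in_drivers_dir": in_drivers_dir,
        }
        if name not in known or not in_drivers_dir:
            unexpected.append(module)
    return {"summary": summary, "unexpected": unexpected, "unparsed": unparsed}


if __name__ == "__main__":
    report = attribute_hooks(SAMPLE_RKU)
    for module, info in report["summary"].items():
        print(f"{module}: {info['count']} hooks, span 0x{info['target_span']:X}")
    print("needs review:", report["unexpected"])
    print("unparsed:", report["unparsed"])
```

On the posted log every hook attributes to klif.sys, which the DDS services section above lists as the Kaspersky Lab Driver, and a security product hooking this many syscalls on XP is ordinary. The check earns its keep when a second module shows up that nothing installed on the machine explains.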

#6 gringo_pr

Bleepin Gringo
Malware Response Team

Posted 14 July 2010 - 10:10 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo

#7 global72

Topic Starter

Posted 17 July 2010 - 04:39 AM

ComboFix 10-07-15.05 - babucarr 07/17/2010 5:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.378 [GMT -4:00]
Running from: c:\documents and settings\babucarr\My Documents\combo1.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\babucarr\Application Data\0200000039b873ac691C.manifest
c:\documents and settings\babucarr\Application Data\0200000039b873ac691O.manifest
c:\documents and settings\babucarr\Application Data\0200000039b873ac691P.manifest
c:\documents and settings\babucarr\Application Data\0200000039b873ac691S.manifest
c:\documents and settings\babucarr\g2mdlhlpx.exe
c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-14 21:53 . 2010-07-14 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-07-14 14:05 . 2010-07-14 14:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-08 15:17 . 2010-07-08 15:17 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-08 15:16 . 2010-07-08 15:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-08 15:16 . 2010-07-08 15:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-08 15:15 . 2010-07-08 15:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-08 15:14 . 2010-07-14 21:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-07-08 15:14 . 2009-07-21 10:21 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-08 15:14 . 2010-07-14 21:53 -------- d-----w- c:\documents and settings\Administrator
2010-07-05 04:02 . 2010-07-05 04:10 -------- dc-h--w- c:\windows\ie8
2010-07-04 15:12 . 2010-07-06 14:25 -------- d-----w- c:\documents and settings\babucarr\Local Settings\Application Data\oaorderqx
2010-06-26 05:19 . 2010-06-26 12:37 -------- d-----w- c:\documents and settings\babucarr\Local Settings\Application Data\vebcfilyb
2010-06-23 05:32 . 2010-06-23 05:32 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb24.tmp.exe
2010-06-17 15:48 . 2010-07-04 18:43 -------- d-----w- c:\program files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 09:26 . 2010-07-14 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-07-14 21:53 . 2009-11-03 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-14 21:53 . 2009-11-04 06:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-14 20:41 . 2009-08-13 20:39 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-07-14 20:29 . 2010-07-14 20:29 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-14 20:29 . 2010-07-14 20:29 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-14 20:29 . 2010-07-14 20:29 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-14 20:29 . 2010-07-14 20:29 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-14 20:29 . 2010-07-14 20:13 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-14 20:29 . 2010-07-14 20:13 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-14 20:29 . 2010-07-14 20:29 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-14 20:29 . 2010-07-14 20:29 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-14 20:29 . 2010-07-14 20:29 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-14 20:29 . 2010-07-14 20:29 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-14 20:11 . 2010-07-14 20:11 -------- d-----w- c:\program files\Kaspersky Lab
2010-07-14 19:55 . 2009-11-20 04:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 19:25 . 2010-01-18 18:31 -------- d-----w- c:\documents and settings\babucarr\Application Data\Skype
2010-07-14 04:03 . 2010-01-18 18:34 -------- d-----w- c:\documents and settings\babucarr\Application Data\skypePM
2010-07-11 05:35 . 2009-09-17 04:41 -------- d-----w- c:\documents and settings\babucarr\Application Data\LimeWire
2010-07-04 18:38 . 2009-09-17 03:16 -------- d-----w- c:\documents and settings\babucarr\Application Data\MSN6
2010-06-26 06:55 . 2009-11-04 06:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 14:49 . 2009-11-10 18:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-25 15:10 . 2010-05-25 15:10 61440 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-444af32a-n\decora-sse.dll
2010-05-25 15:10 . 2010-05-25 15:10 503808 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-377d9fa7-n\msvcp71.dll
2010-05-25 15:10 . 2010-05-25 15:10 499712 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-377d9fa7-n\jmc.dll
2010-05-25 15:10 . 2010-05-25 15:10 348160 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-377d9fa7-n\msvcr71.dll
2010-05-25 15:10 . 2010-05-25 15:10 12800 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-444af32a-n\decora-d3d.dll
2010-05-06 10:41 . 2002-09-03 20:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 20:03 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-11-04 06:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-04 06:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2002-09-03 19:33 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Octoshape Streaming Services"="c:\documents and settings\babucarr\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-03-19 5248312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\System32\igfxpers.exe" [2007-03-30 138008]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Omnipage"="c:\program files\ScanSoft\TextBridgePro11.0\opware32.exe" [2002-05-14 49152]
"SkyTel"="SkyTel.EXE" [2007-11-20 1826816]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 9:48 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/4/2009 11:30 AM 1684736]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2010-07-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://watchimg3.slingbox.com//downloads/pc/WebSlingPlayer.cab?1.4.0.75
FF - ProfilePath - c:\documents and settings\babucarr\Application Data\Mozilla\Firefox\Profiles\4refbvqu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\babucarr\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\babucarr\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\babucarr\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 05:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2812)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\TextBridgePro11.0\ophook32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\System32\igfxsrvc.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-07-17 05:31:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-17 09:31

Pre-Run: 19,104,911,360 bytes free
Post-Run: 19,299,901,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - FD60630785D9A61D1B73FC0AEE8AC9A3


The computer seems fine, but I have not used it much since.

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 July 2010 - 04:41 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
Folder::
c:\documents and settings\babucarr\Local Settings\Application Data\oaorderqx
c:\documents and settings\babucarr\Local Settings\Application Data\vebcfilyb

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


Edited by gringo_pr, 17 July 2010 - 04:51 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
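As an added example (not part of the original thread, and not ComboFix's own code): the first log's Supplementary Scan shows `uInternet Settings,ProxyServer = http=127.0.0.1:5577`, meaning Internet Explorer's WinINET HTTP traffic was being routed through a listener on the local machine, which is one way a redirector can rewrite search results and send the browser to ad sites. The `DDS::` directive in the post above removes that value, and the line is indeed absent from the second log. The Python below parses ComboFix-style Supplementary Scan lines (the sample is constructed from the lines quoted in this thread), flags proxy settings that point at loopback, reports the Firefox proxy mode, and emits the matching `DDS::` section. The CFScript directive syntax is taken from the post above; the function and constant names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the lines of interest from a ComboFix "Supplementary
# Scan" section, modelled on the thread's first log (the ProxyServer line
# was gone from the second log, after the CFScript ran).
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
"""

# DDS prefixes the key with "u" (per-user, HKCU) or "m" (machine, HKLM).
_PROXY_LINE = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")
_FF_PROXY_TYPE = re.compile(r"^FF - prefs\.js: network\.proxy\.type\s*-\s*(?P<val>\d+)\s*$")

# Meaning of Firefox's network.proxy.type values.
FF_PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system"}


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Split a WinINET ProxyServer value into {scheme: "host:port"}.

    The value is either "host:port" (applies to every protocol, keyed "*")
    or a ';'-separated list of "scheme=host:port" entries.
    """
    proxies: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, hostport = entry.partition("=")
        if not sep:
            scheme, hostport = "*", entry
        proxies[scheme.lower()] = hostport
    return proxies


def is_local_listener(hostport: str) -> bool:
    """True when the proxy host is the local machine (loopback), which in a
    home-user context is a strong sign of a traffic-hijacking program."""
    host = hostport.rsplit(":", 1)[0].strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def scan_supplementary(log_text: str) -> List[str]:
    """Return human-readable findings for proxy-related lines in the log."""
    findings: List[str] = []
    for line in log_text.splitlines():
        m = _PROXY_LINE.match(line)
        if m:
            for scheme, hostport in parse_proxy_server(m.group("value")).items():
                if is_local_listener(hostport):
                    findings.append(f"IE {scheme} proxy points at a local listener: {hostport}")
                else:
                    findings.append(f"IE {scheme} proxy configured: {hostport}")
            continue
        m = _FF_PROXY_TYPE.match(line)
        if m:
            t = int(m.group("val"))
            if t != 0:
                findings.append(f"Firefox network.proxy.type={t} ({FF_PROXY_TYPES.get(t, 'unknown')})")
    return findings


def build_cfscript(log_text: str) -> str:
    """Build the DDS:: section of a CFScript that removes loopback ProxyServer
    lines, in the form used in the thread; empty string if there is nothing to do."""
    keep: List[str] = []
    for line in log_text.splitlines():
        m = _PROXY_LINE.match(line)
        if m and any(is_local_listener(hp) for hp in parse_proxy_server(m.group("value")).values()):
            keep.append(line)
    if not keep:
        return ""
    return "DDS::\n" + "\n".join(keep) + "\n"


if __name__ == "__main__":
    for finding in scan_supplementary(SAMPLE_LOG):
        print(finding)
    print(build_cfscript(SAMPLE_LOG), end="")
```

The Firefox `network.proxy.type - 4` line is reported but not scripted away: 4 is auto-detect, which is a legitimate setting and only matters if something on the network answers WPAD requests, so it is worth a look rather than an automatic removal.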

#9 global72 (Topic Starter)

  • Members
  • 29 posts

Posted 17 July 2010 - 11:12 AM

ComboFix 10-07-15.05 - babucarr 07/17/2010 11:59:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.440 [GMT -4:00]
Running from: c:\documents and settings\babucarr\My Documents\combo1.exe
Command switches used :: c:\documents and settings\babucarr\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\babucarr\Local Settings\Application Data\oaorderqx
c:\documents and settings\babucarr\Local Settings\Application Data\vebcfilyb

.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-14 21:53 . 2010-07-14 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-07-14 14:05 . 2010-07-14 14:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-08 15:17 . 2010-07-08 15:17 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-08 15:16 . 2010-07-08 15:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-08 15:16 . 2010-07-08 15:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-08 15:15 . 2010-07-08 15:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-08 15:14 . 2010-07-14 21:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-07-08 15:14 . 2009-07-21 10:21 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-08 15:14 . 2010-07-14 21:53 -------- d-----w- c:\documents and settings\Administrator
2010-07-05 04:02 . 2010-07-05 04:10 -------- dc-h--w- c:\windows\ie8
2010-06-23 05:32 . 2010-06-23 05:32 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb24.tmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 09:26 . 2010-07-14 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-07-14 21:53 . 2009-11-03 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-14 21:53 . 2009-11-04 06:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-14 20:41 . 2009-08-13 20:39 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-07-14 20:29 . 2010-07-14 20:29 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-14 20:29 . 2010-07-14 20:29 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-14 20:29 . 2010-07-14 20:29 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-14 20:29 . 2010-07-14 20:29 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-14 20:29 . 2010-07-14 20:13 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-14 20:29 . 2010-07-14 20:13 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-14 20:29 . 2010-07-14 20:29 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-14 20:29 . 2010-07-14 20:29 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-14 20:29 . 2010-07-14 20:29 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-14 20:29 . 2010-07-14 20:29 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-14 20:11 . 2010-07-14 20:11 -------- d-----w- c:\program files\Kaspersky Lab
2010-07-14 19:55 . 2009-11-20 04:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 19:25 . 2010-01-18 18:31 -------- d-----w- c:\documents and settings\babucarr\Application Data\Skype
2010-07-14 04:03 . 2010-01-18 18:34 -------- d-----w- c:\documents and settings\babucarr\Application Data\skypePM
2010-07-11 05:35 . 2009-09-17 04:41 -------- d-----w- c:\documents and settings\babucarr\Application Data\LimeWire
2010-07-04 18:43 . 2010-06-17 15:48 -------- d-----w- c:\program files\Citrix
2010-07-04 18:38 . 2009-09-17 03:16 -------- d-----w- c:\documents and settings\babucarr\Application Data\MSN6
2010-06-26 06:55 . 2009-11-04 06:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 14:49 . 2009-11-10 18:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-25 15:10 . 2010-05-25 15:10 61440 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-444af32a-n\decora-sse.dll
2010-05-25 15:10 . 2010-05-25 15:10 503808 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-377d9fa7-n\msvcp71.dll
2010-05-25 15:10 . 2010-05-25 15:10 499712 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-377d9fa7-n\jmc.dll
2010-05-25 15:10 . 2010-05-25 15:10 348160 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-377d9fa7-n\msvcr71.dll
2010-05-25 15:10 . 2010-05-25 15:10 12800 ----a-w- c:\documents and settings\babucarr\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-444af32a-n\decora-d3d.dll
2010-05-06 10:41 . 2002-09-03 20:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 20:03 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-11-04 06:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-04 06:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2002-09-03 19:33 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Octoshape Streaming Services"="c:\documents and settings\babucarr\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-03-19 5248312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\System32\igfxpers.exe" [2007-03-30 138008]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Omnipage"="c:\program files\ScanSoft\TextBridgePro11.0\opware32.exe" [2002-05-14 49152]
"SkyTel"="SkyTel.EXE" [2007-11-20 1826816]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 9:48 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/4/2009 11:30 AM 1684736]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2010-07-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://watchimg3.slingbox.com//downloads/pc/WebSlingPlayer.cab?1.4.0.75
FF - ProfilePath - c:\documents and settings\babucarr\Application Data\Mozilla\Firefox\Profiles\4refbvqu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 12:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(1720)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\TextBridgePro11.0\ophook32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dfshim.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-17 12:08:36
ComboFix-quarantined-files.txt 2010-07-17 16:08
ComboFix2.txt 2010-07-17 09:31

Pre-Run: 19,184,218,112 bytes free
Post-Run: 19,164,942,336 bytes free

- - End Of File - - 201F3E059F3486A8808CA27884079C2C


I didn't have any problems running it, and the computer is behaving.

#10 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 July 2010 - 02:21 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.


Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click the MBAM icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 global72

global72
  • Topic Starter

  • Members
  • 29 posts

Posted 18 July 2010 - 06:10 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4323

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/18/2010 6:55:56 AM
mbam-log-2010-07-18 (06-55-56).txt

Scan type: Quick scan
Objects scanned: 135505
Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:06:56 AM, on 7/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Documents and Settings\babucarr\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\babucarr\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\babucarr\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1250198392921
O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} (WebSlingPlayer) - http://watchimg3.slingbox.com//downloads/p...er.cab?1.4.0.75
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10467 bytes


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 July 2010 - 01:04 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; for any of them you can click their icon (or start them from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
      O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\TextBridgePro11.0\opware32.exe
      O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
      O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
      O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\babucarr\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
      O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines here and see if you want to keep them or not;
      just copy the name between the brackets and paste it into the search space, e.g.
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

"information and logs"
    In your next post I need the following
    1. Report from ESET
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo





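As an added example (not code from this thread or from HijackThis), here is a small Python parser for the O4 autostart lines of a HijackThis log like the one posted above; it lists the Run and Global Startup entries for review, as the startup-entry list in this post does, and flags a few properties a reviewer looks up first. The sample log lines are constructed for the example and the flag names are my own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the HijackThis v2.0.4 log layout used in
# this thread; it is an illustration, not the poster's full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
--
End of file - 1234 bytes
"""

# Every HijackThis finding starts with a section code (R0, F2, O4, O23 ...).
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# O4 bodies: "HKLM\..\Run: [Name] command" or "Global Startup: x.lnk = target".
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (.+?) = (.*)$")
# First executable-looking token of a command, with optional surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|lnk|dll|cmd|bat))"?', re.IGNORECASE)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {code, body} findings; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m.group(1), "body": m.group(2)})
    return entries


def autostart_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Pull the O4 findings out as {source, name, command} records."""
    out = []
    for e in entries:
        if e["code"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if m:
            out.append({"source": m.group(1) + r"\Run", "name": m.group(2), "command": m.group(3)})
            continue
        m = STARTUP_RE.match(e["body"])
        if m:
            out.append({"source": "Global Startup", "name": m.group(1), "command": m.group(2)})
    return out


def executable_path(command: str) -> str:
    """Return the program part of an autostart command, without quotes or arguments."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip().strip('"').split(" ")[0]


def review_flags(command: str) -> List[str]:
    """Properties worth checking before deciding whether an entry is legitimate."""
    path = executable_path(command)
    flags = []
    if "\\" not in path:
        flags.append("unqualified-path")  # bare file name: resolved via the search path, not one known file
    if "%" in path:
        flags.append("env-expansion")     # location depends on an environment variable at logon
    if "\\documents and settings\\" in path.lower() or "\\users\\" in path.lower():
        flags.append("user-profile")      # runs from a user-writable location
    return flags


if __name__ == "__main__":
    for entry in autostart_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{entry['source']:<16} {entry['name']:<22} {review_flags(entry['command'])}")
```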
#13 global72

global72
  • Topic Starter

  • Members
  • 29 posts

Posted 19 July 2010 - 09:31 PM

I'm having trouble running the ESET online scanner. Every time I click accept EULA and hit start, it takes me back to that page again. Any thoughts?

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 July 2010 - 09:41 PM

Hello

Try this one.

:Kaspersky scan:
    Please go to Kaspersky website and perform an online antivirus scan.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.


#15 global72

global72
  • Topic Starter

  • Members
  • 29 posts

Posted 20 July 2010 - 04:41 AM

It will not let me use this one because I have Kaspersky virus protection installed in my computer. Any other program I can use?



