Malwarebytes

Google redirect and System Tool viruses... desperate for assistance!

18 replies to this topic

#1
dannytanner

    New Member

  • Members
  • 10 posts
Hi... a few days ago I got the Google redirect virus, where clicking on Google search results would take me to random pages. I ran Malwarebytes, which found 2 trojans and 9 rootkits (mostly TDSS), then quarantined & deleted those, but nothing changed. I was still seeing the virus.

So a few days ago I posted to another forum asking for help. While I've been waiting for a response, I've now acquired the "System Tool" virus, which prevents me from running Malwarebytes at all because it keeps deleting mbam.exe. I went into msconfig and stopped the rogue service from running on startup, so I'm no longer seeing the annoying popups from System Tool. But it's still on my system and I still can't run mbam.exe. I even tried installing on a flash drive and mbam.exe got deleted from there as well.

This is easily the most frustrating computer issue I've ever had!

I'm on a Dell Inspiron 1300 running XP Home SP3. I do not have an install CD, and I'm unable to boot the computer in safe mode (it freezes at mup.sys).

As noted earlier, I cannot run Malwarebytes. I did run HijackThis, and here's my log. I look forward to any assistance you can offer.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:55 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\NEE\mbamgui.exe /install /silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wogirubi.dll c:\windows\system32\sokodewu.dll
O21 - SSODL: gibonalet - {26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6144 bytes
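A small triage script for the HijackThis log format shown above, added here as an illustration; it is not part of the original thread and not code from HijackThis or Malwarebytes. It parses the "Oxx - ..." entries and flags the load points a removal helper would look at first: the AppInit_DLLs value (which user32.dll loads into nearly every process), modules whose names fit a random-name heuristic (eight letters strictly alternating consonant and vowel, the shape of wogirubi.dll and sokodewu.dll), shell load points that reference a missing file, and ownerless services whose binary is gone. The heuristic, the function names and the sample log (an excerpt constructed from the log above plus two benign lines) are all this example's own assumptions.

```python
import re
from dataclasses import dataclass

# HijackThis writes one entry per line as "<section code> - <body>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Module file names inside a body. Paths may contain spaces, so only the file name is matched.
MODULE_RE = re.compile(r"[\w~-]+\.(?:dll|exe|sys)\b", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random_stem(stem: str) -> bool:
    """Heuristic assumed by this example (not a HijackThis rule): eight lowercase letters
    strictly alternating consonant/vowel, e.g. 'wogirubi' or 'sokodewu'. Real product
    names rarely fit this exact shape, so a hit is worth a second look, not a verdict."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(stem) - 1))


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O20"
    reason: str  # why a reviewer should examine this entry
    entry: str   # the original log line


def review_hijackthis(log_text: str) -> list[Finding]:
    """Return the HijackThis entries a malware-removal helper would examine first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list, blank lines
        code, body = m.group("code"), m.group("body")
        modules = MODULE_RE.findall(body)
        odd = [mod for mod in modules if looks_random_stem(mod.rsplit(".", 1)[0].lower())]

        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is mapped into almost every process; legitimate uses are rare.
            findings.append(Finding(code, "AppInit_DLLs injects into every process: " + ", ".join(modules), raw))
        if odd:
            findings.append(Finding(code, "random-looking module name(s): " + ", ".join(odd), raw))
        if code in {"O2", "O21", "O22"} and "(file missing)" in body:
            # A dangling load point is the usual leftover of a partial clean-up; it still needs removing.
            findings.append(Finding(code, "load point references a file that no longer exists", raw))
        if code == "O23" and "Unknown owner" in body and "(file missing)" in body:
            findings.append(Finding(code, "service has no owner and its binary is missing", raw))
    return findings


# Constructed sample: an excerpt of the log above plus two benign entries (O4 MSConfig, O23 Dell).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wogirubi.dll c:\windows\system32\sokodewu.dll
O21 - SSODL: gibonalet - {26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

if __name__ == "__main__":
    for f in review_hijackthis(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

Run against the sample, the script reports the O20 AppInit_DLLs entry twice (once for the injection point, once for the two random-looking names), the O21 and O22 entries twice each, the dangling GoogleAFE BHO and the ownerless McAfee service once each, and stays silent on the Dell service and the MSConfig run key.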

#2
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Hi there. :lol:

Please open up Notepad, click Format and uncheck Word Wrap.

Download ComboFix from one of the locations below, and save it to your Desktop as something.exe
Link 1
Link 2
Double click something.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#3
dannytanner

    New Member

  • Members
  • 10 posts
OK, after I posted the original message I got Malwarebytes to run from the flash drive. So here are my Malwarebytes, HijackThis, and ComboFix logs. Thanks!


Malwarebytes' Anti-Malware 1.41
Database version: 2932
Windows 5.1.2600 Service Pack 3

10/9/2009 4:33:12 PM
mbam-log-2009-10-09 (16-33-12).txt

Scan type: Quick Scan
Objects scanned: 117780
Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\09899843 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\data[1].bin (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\09899843\09899843.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\others\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\scott\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\scott\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iexplore.exe (Backdoor.Bot) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:55 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\NEE\mbamgui.exe /install /silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wogirubi.dll c:\windows\system32\sokodewu.dll
O21 - SSODL: gibonalet - {26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6144 bytes



ComboFix 09-10-08.04 - scott 10/09/2009 18:43.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.754 [GMT -5:00]
Running from: c:\documents and settings\scott\Desktop\something.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\autorun.inf
c:\windows\Installer\2dbe7cd.msp
c:\windows\Installer\2dbe7ce.msp
c:\windows\Installer\2dbe7cf.msp
c:\windows\Installer\2dbe7d0.msp
c:\windows\Installer\2dbe7d1.msp
c:\windows\Installer\2dbe7d2.msp
c:\windows\Installer\2dbe7d3.msp
c:\windows\Installer\2dbe7d4.msp
c:\windows\Installer\2dbe7d5.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\pujadoli.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.

2009-10-09 20:49 . 2009-10-09 20:49 -------- d-----w- c:\program files\Trend Micro
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\program files\NEE
2009-10-09 20:26 . 2009-10-09 20:26 -------- d-----w- c:\program files\NEWRANDOM
2009-10-09 19:59 . 2009-10-09 19:59 -------- d-sh--w- c:\documents and settings\others\IETldCache
2009-10-09 06:01 . 2009-10-09 06:01 -------- d-sh--w- c:\documents and settings\scott\PrivacIE
2009-10-06 19:45 . 2009-10-06 19:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 19:41 . 2009-10-06 19:41 -------- d-sh--w- c:\documents and settings\scott\IETldCache
2009-10-06 19:37 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-06 19:36 . 2009-10-06 19:36 -------- d-----w- c:\windows\ie8updates
2009-10-06 19:35 . 2009-07-19 23:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-06 19:35 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-06 19:35 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-06 19:35 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-06 19:35 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-06 19:35 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-06 19:33 . 2009-10-06 19:35 -------- dc-h--w- c:\windows\ie8
2009-10-06 05:53 . 2009-10-07 16:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-06 05:53 . 2009-10-07 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 05:36 . 2009-10-06 05:36 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-09-25 13:56 . 2009-09-25 14:00 29271931 ----a-w- c:\program files\FreeStudio.exe
2009-09-16 03:03 . 2009-09-16 03:03 -------- d-----w- c:\windows\cache-cache
2009-09-14 18:05 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 21:36 . 2009-03-29 15:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 02:57 . 2007-11-04 01:56 -------- d-----w- c:\program files\Trillian
2009-10-07 16:23 . 2006-01-14 14:52 -------- d-----w- c:\program files\Lavasoft
2009-10-07 16:20 . 2006-01-14 15:08 -------- d-----w- c:\documents and settings\scott\Application Data\Lavasoft
2009-10-07 00:07 . 2008-03-28 23:44 -------- d-----w- c:\documents and settings\scott\Application Data\BitTorrent
2009-10-06 22:18 . 2006-01-29 05:44 -------- d-----w- c:\documents and settings\scott\Application Data\AdobeUM
2009-10-06 19:26 . 2005-12-23 14:47 -------- d-----w- c:\program files\GoogleAFE
2009-10-01 14:56 . 2006-07-12 01:36 -------- d-----w- c:\program files\NINTENDO
2009-09-29 13:49 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2009-09-25 14:02 . 2008-04-14 04:32 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-09-25 14:01 . 2008-04-14 04:31 -------- d-----w- c:\program files\DVDVideoSoft
2009-09-10 19:54 . 2009-03-29 15:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-03-29 15:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 03:30 . 2006-01-15 17:26 17144 -c--a-w- c:\documents and settings\scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 16:50 . 2009-08-22 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2009-08-22 16:49 . 2009-04-30 04:43 -------- d-----w- c:\program files\Sierra Wireless
2009-08-22 16:49 . 2009-04-30 04:43 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-08-13 13:25 . 2008-07-15 01:06 -------- d-----w- c:\program files\Last.fm
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 18:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-20 18:11 . 2009-06-20 18:10 1878888 -c--a-w- c:\program files\install_flash_player.exe
2009-04-06 19:55 . 2009-04-06 19:52 118392240 -c--a-w- c:\program files\vegaspro80c-trial_enu.exe
2009-03-17 03:51 . 2009-03-17 03:51 4042648 -c--a-w- c:\program files\DivXCodec.exe
2009-03-17 02:49 . 2009-03-17 02:47 37452296 -c--a-w- c:\program files\Ad-AwareAE2009.exe
2008-11-08 19:16 . 2008-11-08 19:13 67167528 -c--a-w- c:\program files\iTunes801Setup.exe
2008-07-15 00:58 . 2008-07-15 00:58 5406994 -c--a-w- c:\program files\Last.fm-1.5.1.30182.exe
2008-04-14 04:17 . 2008-04-14 04:15 7252235 -c--a-w- c:\program files\FreeVideoToMp3Converter.exe
2008-03-28 21:43 . 2008-03-28 21:43 874448 -c--a-w- c:\program files\BitTorrent-6.0.3.exe
2008-03-01 01:51 . 2008-03-01 01:50 1206366 -c--a-w- c:\program files\winrar371.exe
2008-03-01 01:46 . 2008-03-01 01:46 4986104 -c--a-w- c:\program files\BitZipper503TrialSetup-en-pl-techpro.exe
2008-02-14 03:14 . 2008-02-14 03:12 9733451 -c--a-w- c:\program files\vlc-0.8.6d-win32.exe
2008-01-10 04:57 . 2008-01-10 04:57 4186768 -c--a-w- c:\program files\aim553599.exe
2007-12-31 18:50 . 2007-12-31 18:50 8759168 -c--a-w- c:\program files\winamp551_full_emusic-7plus_en-us.exe
2007-09-04 01:15 . 2007-05-28 23:41 3378248 -c--a-w- c:\program files\LimeWireWin.exe
2007-07-16 11:49 . 2007-07-16 11:48 9679815 -c--a-w- c:\program files\vlc-0.8.6c-win32.exe
2007-05-13 23:23 . 2007-05-13 23:23 3096576 -c--a-w- c:\program files\launchpadremoval.exe
2006-12-06 01:35 . 2006-12-06 01:33 9918872 -c--a-w- c:\program files\WMEncoder.exe
2006-12-06 01:32 . 2006-12-06 01:32 1475376 -c--a-w- c:\program files\GenuineCheck.exe
2006-12-06 01:32 . 2006-12-06 01:32 878384 -c--a-w- c:\program files\WGAPluginInstall.exe
2006-12-06 00:47 . 2006-12-06 00:47 4479257 -c--a-w- c:\program files\allok_movconverter.exe
2006-12-06 00:29 . 2006-12-06 00:28 9429960 -c--a-w- c:\program files\mediaconverter.exe
2006-05-13 16:22 . 2006-05-13 16:22 35640 -c--a-w- c:\program files\VirusScan.zip
2006-05-13 16:14 . 2006-05-13 16:13 22647 -c--a-w- c:\program files\mccleanup.log
2006-05-13 16:13 . 2006-05-13 16:12 295520 -c--a-w- c:\program files\MSKCleanupTool.exe
2006-04-06 23:37 . 2006-04-06 23:36 855893 -c--a-w- c:\program files\FLVplayer_v0.0.4.exe
2006-04-06 23:30 . 2006-04-06 23:27 2871488 -c--a-w- c:\program files\Shockwave_Installer_Slim.exe
2006-04-06 23:19 . 2006-04-06 23:23 1418940 -c--a-w- c:\program files\2004_dynamic_flv_player_v2.3.zip
2006-01-14 14:49 . 2006-01-14 14:48 2855080 -c--a-w- c:\program files\aawsepersonal.exe
2006-01-14 13:26 . 2006-01-14 13:25 5225384 -c--a-w- c:\program files\Firefox Setup 1.5.exe
2003-04-22 14:46 . 2003-04-22 14:46 2719744 -c----w- c:\program files\aiodrv.msi
2003-04-22 14:42 . 2003-04-22 14:42 2588672 -c----w- c:\program files\aiosw.msi
2003-04-22 14:24 . 2003-04-22 14:24 16606 -c--a-w- c:\program files\hpomdl01.dat
2003-04-22 14:23 . 2003-04-22 14:23 267 -c--a-w- c:\program files\readme.html
2003-04-09 22:19 . 2003-04-09 22:19 2848 -c--a-w- c:\program files\hpound08.inf
2003-04-09 22:19 . 2003-04-09 22:19 14157 -c--a-w- c:\program files\hpousc08.inf
2003-04-09 22:00 . 2003-04-09 22:00 2889 -c--a-w- c:\program files\hpousb08.inf
2003-04-09 22:00 . 2003-04-09 22:00 4715 -c--a-w- c:\program files\hpoglu08.inf
2003-03-20 20:20 . 2003-03-20 20:20 22523 -c--a-w- c:\program files\HPZius12.cat
2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\hpzist12.cat
2003-03-20 20:20 . 2003-03-20 20:20 24728 -c--a-w- c:\program files\HPZipr12.cat
2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\HPZid412.cat
2003-03-20 20:20 . 2003-03-20 20:20 21641 -c--a-w- c:\program files\HPOunp08.cat
2003-03-20 20:20 . 2003-03-20 20:20 24285 -c--a-w- c:\program files\hposcu08.cat
2003-03-20 20:20 . 2003-03-20 20:20 205503 -c--a-w- c:\program files\hpoprn08.cat
2003-03-10 01:30 . 2003-03-10 01:30 3667 -c--a-w- c:\program files\hpzist12.inf
2003-03-10 01:30 . 2003-03-10 01:30 184320 -c--a-w- c:\program files\hpzscr07.dll
2003-03-10 01:30 . 2003-03-10 01:30 14285 -c--a-w- c:\program files\hpzius12.inf
2003-03-10 01:30 . 2003-03-10 01:30 10325 -c--a-w- c:\program files\hpzipr12.inf
2003-03-10 01:30 . 2003-03-10 01:30 63562 -c--a-w- c:\program files\hposcu08.inf
2003-03-10 01:30 . 2003-03-10 01:30 51266 -c--a-w- c:\program files\hpoprn08.inf
2003-03-10 01:30 . 2003-03-10 01:30 3898 -c--a-w- c:\program files\hpounp08.inf
2003-03-10 01:30 . 2003-03-10 01:30 33952 -c--a-w- c:\program files\hpzid412.inf
2003-03-10 01:30 . 2003-03-10 01:30 274432 -c--a-w- c:\program files\hpzglu07.exe
2003-03-10 01:30 . 2003-03-10 01:30 237568 -c--a-w- c:\program files\hpzc3212.dll
2003-03-10 01:30 . 2003-03-10 01:30 23186 -c--a-w- c:\program files\hpzcin06.ex_
2002-09-09 22:48 . 2002-09-09 22:48 22608 -c--a-w- c:\program files\usbprint.sys
2002-09-09 22:48 . 2002-09-09 22:48 12288 -c--a-w- c:\program files\usbmon.dll
2002-09-09 22:47 . 2002-09-09 22:47 254005 -c--a-w- c:\program files\msvcrt.dll
2002-09-09 22:47 . 2002-09-09 22:47 70656 -c--a-w- c:\program files\msvcirt.dll
2002-09-09 22:47 . 2002-09-09 22:47 55155 -c--a-w- c:\program files\hpzusb00.sy_
2002-09-09 22:47 . 2002-09-09 22:47 5705 -c--a-w- c:\program files\hpzuci02.dl_
2002-09-09 22:47 . 2002-09-09 22:47 25639 -c--a-w- c:\program files\hpzpom04.dl_
2002-09-09 22:47 . 2002-09-09 22:47 212992 -c--a-w- c:\program files\hpzpnp07.dll
2002-09-09 22:46 . 2002-09-09 22:46 49212 -c--a-w- c:\program files\hpzjvp01.dll
2002-09-09 22:46 . 2002-09-09 22:46 249913 -c--a-w- c:\program files\hpzjut01.dll
2002-09-09 22:46 . 2002-09-09 22:46 417849 -c--a-w- c:\program files\hpzjpp01.dll
2002-09-09 22:46 . 2002-09-09 22:46 28722 -c--a-w- c:\program files\hpzjlog.dll
2002-09-09 22:46 . 2002-09-09 22:46 52552 -c--a-w- c:\program files\hpziou01.dl_
2002-09-09 22:46 . 2002-09-09 22:46 46017 -c--a-w- c:\program files\hpzion00.sy_
2002-09-06 14:54 . 2002-09-06 14:54 995383 -c--a-w- c:\program files\MFC42.DLL
2006-01-16 22:30 . 2006-01-15 17:25 56 --sh--r- c:\windows\system32\6DD3891BC4.sys
2006-01-16 22:30 . 2006-01-15 17:25 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-09 19:42 . 2009-07-09 19:42 112640 --sha-w- c:\windows\system32\nukizani.dll
2009-07-09 19:47 . 2009-07-09 19:47 1011259 --sha-w- c:\windows\system32\visutime.exe
2009-07-09 19:47 . 2009-07-09 19:47 60416 --sha-w- c:\windows\system32\wazuhope.dll
2009-07-09 19:42 . 2009-07-09 19:42 112640 --sha-w- c:\windows\system32\wogirubi.dll
2009-07-09 19:47 . 2009-07-09 19:47 88576 --sha-w- c:\windows\system32\yalepefo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6b707b53-5f78-4714-a9c3-b005dcd83d6c}]
2009-07-09 19:42 112640 --sha-w- c:\windows\system32\nukizani.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wogirubi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wogirubi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\scott\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2007-07-12 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4175832606.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\scott\Application Data\Mozilla\Firefox\Profiles\oiyyc4by.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - e:\malwarebytes' anti-malware\mbam.exe
HKLM-Run-bedazepufo - pujadoli.dll
SharedTaskScheduler-{26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll
SSODL-gibonalet-{26f77a82-199c-419d-984f-c09db274f35d} - c:\windows\system32\sokodewu.dll
AddRemove-Mcafee SecurityCenter - c:\progra~1\mcafee.com\shared\mcappins.exe
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
AddRemove-VirusScan Online - c:\progra~1\mcafee.com\shared\mcappins.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\wogirubi.dll
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
.
**************************************************************************
.
Completion time: 2009-10-09 19:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-09 23:59

Pre-Run: 598,970,368 bytes free
Post-Run: 670,433,280 bytes free

267 --- E O F --- 2009-10-06 23:21

#4
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

File::
c:\windows\system32\nukizani.dll
c:\windows\system32\visutime.exe
c:\windows\system32\wazuhope.dll
c:\windows\system32\wogirubi.dll
c:\windows\system32\yalepefo.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#5
dannytanner

    New Member

  • Members
  • 10 posts
I just ran ComboFix and HijackThis as requested. It seems the Google redirect virus isn't happening at the moment. Things seem to be running more normally, although if I open System Configuration I still see the System Tool virus item (09899843) in the Startup menu (it's not enabled).

Here are the latest ComboFix and HijackThis logs.

ComboFix 09-10-08.04 - scott 10/09/2009 21:51.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.738 [GMT -5:00]
Running from: c:\documents and settings\scott\Desktop\something.exe
Command switches used :: c:\documents and settings\scott\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FILE ::
"c:\windows\system32\nukizani.dll"
"c:\windows\system32\visutime.exe"
"c:\windows\system32\wazuhope.dll"
"c:\windows\system32\wogirubi.dll"
"c:\windows\system32\yalepefo.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nukizani.dll
c:\windows\system32\visutime.exe
c:\windows\system32\wazuhope.dll
c:\windows\system32\wogirubi.dll
c:\windows\system32\yalepefo.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-09 20:49 . 2009-10-09 20:49 -------- d-----w- c:\program files\Trend Micro
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\program files\NEE
2009-10-09 20:26 . 2009-10-09 20:26 -------- d-----w- c:\program files\NEWRANDOM
2009-10-09 19:59 . 2009-10-09 19:59 -------- d-sh--w- c:\documents and settings\others\IETldCache
2009-10-09 06:01 . 2009-10-09 06:01 -------- d-sh--w- c:\documents and settings\scott\PrivacIE
2009-10-06 19:45 . 2009-10-06 19:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 19:41 . 2009-10-06 19:41 -------- d-sh--w- c:\documents and settings\scott\IETldCache
2009-10-06 19:37 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-06 19:36 . 2009-10-06 19:36 -------- d-----w- c:\windows\ie8updates
2009-10-06 19:35 . 2009-07-19 23:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-06 19:35 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-06 19:35 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-06 19:35 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-06 19:35 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-06 19:35 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-06 19:33 . 2009-10-06 19:35 -------- dc-h--w- c:\windows\ie8
2009-10-06 05:53 . 2009-10-07 16:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-06 05:53 . 2009-10-07 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 05:36 . 2009-10-06 05:36 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-09-25 13:56 . 2009-09-25 14:00 29271931 ----a-w- c:\program files\FreeStudio.exe
2009-09-16 03:03 . 2009-09-16 03:03 -------- d-----w- c:\windows\cache-cache
2009-09-14 18:05 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 21:36 . 2009-03-29 15:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 02:57 . 2007-11-04 01:56 -------- d-----w- c:\program files\Trillian
2009-10-07 16:23 . 2006-01-14 14:52 -------- d-----w- c:\program files\Lavasoft
2009-10-07 16:20 . 2006-01-14 15:08 -------- d-----w- c:\documents and settings\scott\Application Data\Lavasoft
2009-10-07 00:07 . 2008-03-28 23:44 -------- d-----w- c:\documents and settings\scott\Application Data\BitTorrent
2009-10-06 22:18 . 2006-01-29 05:44 -------- d-----w- c:\documents and settings\scott\Application Data\AdobeUM
2009-10-06 19:26 . 2005-12-23 14:47 -------- d-----w- c:\program files\GoogleAFE
2009-10-01 14:56 . 2006-07-12 01:36 -------- d-----w- c:\program files\NINTENDO
2009-09-29 13:49 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2009-09-25 14:02 . 2008-04-14 04:32 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-09-25 14:01 . 2008-04-14 04:31 -------- d-----w- c:\program files\DVDVideoSoft
2009-09-10 19:54 . 2009-03-29 15:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-03-29 15:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 03:30 . 2006-01-15 17:26 17144 -c--a-w- c:\documents and settings\scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 16:50 . 2009-08-22 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2009-08-22 16:49 . 2009-04-30 04:43 -------- d-----w- c:\program files\Sierra Wireless
2009-08-22 16:49 . 2009-04-30 04:43 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-08-13 13:25 . 2008-07-15 01:06 -------- d-----w- c:\program files\Last.fm
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 18:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-20 18:11 . 2009-06-20 18:10 1878888 -c--a-w- c:\program files\install_flash_player.exe
2009-04-06 19:55 . 2009-04-06 19:52 118392240 -c--a-w- c:\program files\vegaspro80c-trial_enu.exe
2009-03-17 03:51 . 2009-03-17 03:51 4042648 -c--a-w- c:\program files\DivXCodec.exe
2009-03-17 02:49 . 2009-03-17 02:47 37452296 -c--a-w- c:\program files\Ad-AwareAE2009.exe
2008-11-08 19:16 . 2008-11-08 19:13 67167528 -c--a-w- c:\program files\iTunes801Setup.exe
2008-07-15 00:58 . 2008-07-15 00:58 5406994 -c--a-w- c:\program files\Last.fm-1.5.1.30182.exe
2008-04-14 04:17 . 2008-04-14 04:15 7252235 -c--a-w- c:\program files\FreeVideoToMp3Converter.exe
2008-03-28 21:43 . 2008-03-28 21:43 874448 -c--a-w- c:\program files\BitTorrent-6.0.3.exe
2008-03-01 01:51 . 2008-03-01 01:50 1206366 -c--a-w- c:\program files\winrar371.exe
2008-03-01 01:46 . 2008-03-01 01:46 4986104 -c--a-w- c:\program files\BitZipper503TrialSetup-en-pl-techpro.exe
2008-02-14 03:14 . 2008-02-14 03:12 9733451 -c--a-w- c:\program files\vlc-0.8.6d-win32.exe
2008-01-10 04:57 . 2008-01-10 04:57 4186768 -c--a-w- c:\program files\aim553599.exe
2007-12-31 18:50 . 2007-12-31 18:50 8759168 -c--a-w- c:\program files\winamp551_full_emusic-7plus_en-us.exe
2007-09-04 01:15 . 2007-05-28 23:41 3378248 -c--a-w- c:\program files\LimeWireWin.exe
2007-07-16 11:49 . 2007-07-16 11:48 9679815 -c--a-w- c:\program files\vlc-0.8.6c-win32.exe
2007-05-13 23:23 . 2007-05-13 23:23 3096576 -c--a-w- c:\program files\launchpadremoval.exe
2006-12-06 01:35 . 2006-12-06 01:33 9918872 -c--a-w- c:\program files\WMEncoder.exe
2006-12-06 01:32 . 2006-12-06 01:32 1475376 -c--a-w- c:\program files\GenuineCheck.exe
2006-12-06 01:32 . 2006-12-06 01:32 878384 -c--a-w- c:\program files\WGAPluginInstall.exe
2006-12-06 00:47 . 2006-12-06 00:47 4479257 -c--a-w- c:\program files\allok_movconverter.exe
2006-12-06 00:29 . 2006-12-06 00:28 9429960 -c--a-w- c:\program files\mediaconverter.exe
2006-05-13 16:22 . 2006-05-13 16:22 35640 -c--a-w- c:\program files\VirusScan.zip
2006-05-13 16:14 . 2006-05-13 16:13 22647 -c--a-w- c:\program files\mccleanup.log
2006-05-13 16:13 . 2006-05-13 16:12 295520 -c--a-w- c:\program files\MSKCleanupTool.exe
2006-04-06 23:37 . 2006-04-06 23:36 855893 -c--a-w- c:\program files\FLVplayer_v0.0.4.exe
2006-04-06 23:30 . 2006-04-06 23:27 2871488 -c--a-w- c:\program files\Shockwave_Installer_Slim.exe
2006-04-06 23:19 . 2006-04-06 23:23 1418940 -c--a-w- c:\program files\2004_dynamic_flv_player_v2.3.zip
2006-01-14 14:49 . 2006-01-14 14:48 2855080 -c--a-w- c:\program files\aawsepersonal.exe
2006-01-14 13:26 . 2006-01-14 13:25 5225384 -c--a-w- c:\program files\Firefox Setup 1.5.exe
2003-04-22 14:46 . 2003-04-22 14:46 2719744 -c----w- c:\program files\aiodrv.msi
2003-04-22 14:42 . 2003-04-22 14:42 2588672 -c----w- c:\program files\aiosw.msi
2003-04-22 14:24 . 2003-04-22 14:24 16606 -c--a-w- c:\program files\hpomdl01.dat
2003-04-22 14:23 . 2003-04-22 14:23 267 -c--a-w- c:\program files\readme.html
2003-04-09 22:19 . 2003-04-09 22:19 2848 -c--a-w- c:\program files\hpound08.inf
2003-04-09 22:19 . 2003-04-09 22:19 14157 -c--a-w- c:\program files\hpousc08.inf
2003-04-09 22:00 . 2003-04-09 22:00 2889 -c--a-w- c:\program files\hpousb08.inf
2003-04-09 22:00 . 2003-04-09 22:00 4715 -c--a-w- c:\program files\hpoglu08.inf
2003-03-20 20:20 . 2003-03-20 20:20 22523 -c--a-w- c:\program files\HPZius12.cat
2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\hpzist12.cat
2003-03-20 20:20 . 2003-03-20 20:20 24728 -c--a-w- c:\program files\HPZipr12.cat
2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\HPZid412.cat
2003-03-20 20:20 . 2003-03-20 20:20 21641 -c--a-w- c:\program files\HPOunp08.cat
2003-03-20 20:20 . 2003-03-20 20:20 24285 -c--a-w- c:\program files\hposcu08.cat
2003-03-20 20:20 . 2003-03-20 20:20 205503 -c--a-w- c:\program files\hpoprn08.cat
2003-03-10 01:30 . 2003-03-10 01:30 3667 -c--a-w- c:\program files\hpzist12.inf
2003-03-10 01:30 . 2003-03-10 01:30 184320 -c--a-w- c:\program files\hpzscr07.dll
2003-03-10 01:30 . 2003-03-10 01:30 14285 -c--a-w- c:\program files\hpzius12.inf
2003-03-10 01:30 . 2003-03-10 01:30 10325 -c--a-w- c:\program files\hpzipr12.inf
2003-03-10 01:30 . 2003-03-10 01:30 63562 -c--a-w- c:\program files\hposcu08.inf
2003-03-10 01:30 . 2003-03-10 01:30 51266 -c--a-w- c:\program files\hpoprn08.inf
2003-03-10 01:30 . 2003-03-10 01:30 3898 -c--a-w- c:\program files\hpounp08.inf
2003-03-10 01:30 . 2003-03-10 01:30 33952 -c--a-w- c:\program files\hpzid412.inf
2003-03-10 01:30 . 2003-03-10 01:30 274432 -c--a-w- c:\program files\hpzglu07.exe
2003-03-10 01:30 . 2003-03-10 01:30 237568 -c--a-w- c:\program files\hpzc3212.dll
2003-03-10 01:30 . 2003-03-10 01:30 23186 -c--a-w- c:\program files\hpzcin06.ex_
2002-09-09 22:48 . 2002-09-09 22:48 22608 -c--a-w- c:\program files\usbprint.sys
2002-09-09 22:48 . 2002-09-09 22:48 12288 -c--a-w- c:\program files\usbmon.dll
2002-09-09 22:47 . 2002-09-09 22:47 254005 -c--a-w- c:\program files\msvcrt.dll
2002-09-09 22:47 . 2002-09-09 22:47 70656 -c--a-w- c:\program files\msvcirt.dll
2002-09-09 22:47 . 2002-09-09 22:47 55155 -c--a-w- c:\program files\hpzusb00.sy_
2002-09-09 22:47 . 2002-09-09 22:47 5705 -c--a-w- c:\program files\hpzuci02.dl_
2002-09-09 22:47 . 2002-09-09 22:47 25639 -c--a-w- c:\program files\hpzpom04.dl_
2002-09-09 22:47 . 2002-09-09 22:47 212992 -c--a-w- c:\program files\hpzpnp07.dll
2002-09-09 22:46 . 2002-09-09 22:46 49212 -c--a-w- c:\program files\hpzjvp01.dll
2002-09-09 22:46 . 2002-09-09 22:46 249913 -c--a-w- c:\program files\hpzjut01.dll
2002-09-09 22:46 . 2002-09-09 22:46 417849 -c--a-w- c:\program files\hpzjpp01.dll
2002-09-09 22:46 . 2002-09-09 22:46 28722 -c--a-w- c:\program files\hpzjlog.dll
2002-09-09 22:46 . 2002-09-09 22:46 52552 -c--a-w- c:\program files\hpziou01.dl_
2002-09-09 22:46 . 2002-09-09 22:46 46017 -c--a-w- c:\program files\hpzion00.sy_
2002-09-06 14:54 . 2002-09-06 14:54 995383 -c--a-w- c:\program files\MFC42.DLL
2006-01-16 22:30 . 2006-01-15 17:25 56 --sh--r- c:\windows\system32\6DD3891BC4.sys
2006-01-16 22:30 . 2006-01-15 17:25 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-09_23.56.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 18:51 . 2009-10-10 02:42 72134 c:\windows\system32\perfc009.dat
- 2004-08-10 18:51 . 2009-10-09 23:47 72134 c:\windows\system32\perfc009.dat
+ 2004-08-10 18:51 . 2009-10-10 02:42 443034 c:\windows\system32\perfh009.dat
- 2004-08-10 18:51 . 2009-10-09 23:47 443034 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"bedazepufo"="pujadoli.dll" [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\scott\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2007-07-12 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4175832606.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\scott\Application Data\Mozilla\Firefox\Profiles\oiyyc4by.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{6b707b53-5f78-4714-a9c3-b005dcd83d6c} - nukizani.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 21:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3324)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
.
**************************************************************************
.
Completion time: 2009-10-10 22:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 03:02
ComboFix2.txt 2009-10-10 00:01

Pre-Run: 673,746,944 bytes free
Post-Run: 628,899,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

259 --- E O F --- 2009-10-06 23:21



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:52 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [bedazepufo] Rundll32.exe "pujadoli.dll",s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5241 bytes

#6
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Go to Start > Run, type in combofix /u and press OK.

Please update Malwarebytes, run a quick scan and post the new log.

#7
dannytanner

    New Member

  • Members
  • 10 posts
Here's the latest Malwarebytes log. It found 2 items, which I removed.



Malwarebytes' Anti-Malware 1.41
Database version: 2940
Windows 5.1.2600 Service Pack 3

10/10/2009 9:09:11 PM
mbam-log-2009-10-10 (21-09-11).txt

Scan type: Quick Scan
Objects scanned: 113684
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bedazepufo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Everything looks good now. :) Are you still having any problems?

#9
dannytanner

    New Member

  • Members
  • 10 posts
Things seem to be fixed, thanks! :)

The only odd thing is that 09899843.exe still appears in System Configuration under the list of Startup Items (currently the box is not checked). Does that matter?

I assume if I were to check that box and then restart Windows, it would tell me the item can't be found, but I don't want to take any chances.

#10
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Are you able to delete that file?

#11
dannytanner

    New Member

  • Members
  • 10 posts
I can't seem to locate it in a search. I'm assuming/hoping it no longer exists.

#12
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Could you please post a screenshot of where you are seeing that file?

#13
dannytanner

    New Member

  • Members
  • 10 posts
Here's how the file appears in the system configuration startup items list (image attached). I can't find the file on my hard drive.


#14
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Let's check to make sure it's gone. :)

Please download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\Documents and Settings\All Users\Application Data\09899843\
    
    :commands
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#15
dannytanner

    New Member

  • Members
  • 10 posts
When I attempt to run this application I get an error that says:

C:\DOCUME~1\scott\Desktop\OTMOVE~1.EXE
The NTVDM CPU has encountered an illegal instruction.

Then it asks me to Close or Ignore. If I ignore, the command window stays open but nothing happens.

#16
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
That's odd.

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

Folder::
C:\Documents and Settings\All Users\Application Data\09899843\


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#17
dannytanner

    New Member

  • Members
  • Pip
  • 10 posts
Here are the combofix and hijackthis logs.

ComboFix 09-10-14.06 - scott 10/14/2009 22:45.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.465 [GMT -5:00]
Running from: c:\documents and settings\scott\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\scott\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\8b545.msp

.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-14 15:18 . 2009-10-14 18:59 -------- d-----w- C:\548bb66f753ea159e3c5b3c736
2009-10-14 00:28 . 2009-10-14 00:28 -------- d-----w- c:\program files\BitTorrent
2009-10-14 00:26 . 2009-10-14 00:26 3004344 ----a-w- c:\program files\BitTorrent-6.2.exe
2009-10-09 20:49 . 2009-10-09 20:49 -------- d-----w- c:\program files\Trend Micro
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\program files\NEE
2009-10-09 20:26 . 2009-10-09 20:26 -------- d-----w- c:\program files\NEWRANDOM
2009-10-09 19:59 . 2009-10-09 19:59 -------- d-sh--w- c:\documents and settings\others\IETldCache
2009-10-09 06:01 . 2009-10-09 06:01 -------- d-sh--w- c:\documents and settings\scott\PrivacIE
2009-10-06 19:45 . 2009-10-06 19:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 19:41 . 2009-10-06 19:41 -------- d-sh--w- c:\documents and settings\scott\IETldCache
2009-10-06 19:37 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-06 19:36 . 2009-10-06 19:36 -------- d-----w- c:\windows\ie8updates
2009-10-06 19:35 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-06 19:35 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-06 19:35 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-06 19:35 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-06 19:35 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-06 19:35 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-06 19:33 . 2009-10-06 19:35 -------- dc-h--w- c:\windows\ie8
2009-10-06 05:53 . 2009-10-07 16:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-06 05:53 . 2009-10-07 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 05:36 . 2009-10-06 05:36 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-09-25 13:56 . 2009-09-25 14:00 29271931 ----a-w- c:\program files\FreeStudio.exe
2009-09-16 03:03 . 2009-09-16 03:03 -------- d-----w- c:\windows\cache-cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 20:24 . 2007-11-04 01:56 -------- d-----w- c:\program files\Trillian
2009-10-14 01:25 . 2008-03-28 23:44 -------- d-----w- c:\documents and settings\scott\Application Data\BitTorrent
2009-10-14 00:27 . 2008-03-01 01:47 -------- d-----w- c:\documents and settings\scott\Application Data\BitZipper
2009-10-09 21:36 . 2009-03-29 15:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 16:23 . 2006-01-14 14:52 -------- d-----w- c:\program files\Lavasoft
2009-10-07 16:20 . 2006-01-14 15:08 -------- d-----w- c:\documents and settings\scott\Application Data\Lavasoft
2009-10-06 22:18 . 2006-01-29 05:44 -------- d-----w- c:\documents and settings\scott\Application Data\AdobeUM
2009-10-06 19:26 . 2005-12-23 14:47 -------- d-----w- c:\program files\GoogleAFE
2009-10-01 14:56 . 2006-07-12 01:36 -------- d-----w- c:\program files\NINTENDO
2009-09-29 13:49 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2009-09-25 14:02 . 2008-04-14 04:32 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-09-25 14:01 . 2008-04-14 04:31 -------- d-----w- c:\program files\DVDVideoSoft
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-03-29 15:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-03-29 15:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 03:30 . 2006-01-15 17:26 17144 -c--a-w- c:\documents and settings\scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 16:50 . 2009-08-22 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2009-08-22 16:49 . 2009-04-30 04:43 -------- d-----w- c:\program files\Sierra Wireless
2009-08-22 16:49 . 2009-04-30 04:43 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2004-08-10 18:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:22 . 2004-08-10 18:51 1435648 ----a-w- c:\windows\system32\query.dll
2009-06-20 18:11 . 2009-06-20 18:10 1878888 -c--a-w- c:\program files\install_flash_player.exe
2009-04-06 19:55 . 2009-04-06 19:52 118392240 -c--a-w- c:\program files\vegaspro80c-trial_enu.exe
2009-03-17 03:51 . 2009-03-17 03:51 4042648 -c--a-w- c:\program files\DivXCodec.exe
2009-03-17 02:49 . 2009-03-17 02:47 37452296 -c--a-w- c:\program files\Ad-AwareAE2009.exe
2008-11-08 19:16 . 2008-11-08 19:13 67167528 -c--a-w- c:\program files\iTunes801Setup.exe
2008-07-15 00:58 . 2008-07-15 00:58 5406994 -c--a-w- c:\program files\Last.fm-1.5.1.30182.exe
2008-04-14 04:17 . 2008-04-14 04:15 7252235 -c--a-w- c:\program files\FreeVideoToMp3Converter.exe
2008-03-28 21:43 . 2008-03-28 21:43 874448 -c--a-w- c:\program files\BitTorrent-6.0.3.exe
2008-03-01 01:51 . 2008-03-01 01:50 1206366 -c--a-w- c:\program files\winrar371.exe
2008-03-01 01:46 . 2008-03-01 01:46 4986104 -c--a-w- c:\program files\BitZipper503TrialSetup-en-pl-techpro.exe
2008-02-14 03:14 . 2008-02-14 03:12 9733451 -c--a-w- c:\program files\vlc-0.8.6d-win32.exe
2008-01-10 04:57 . 2008-01-10 04:57 4186768 -c--a-w- c:\program files\aim553599.exe
2007-12-31 18:50 . 2007-12-31 18:50 8759168 -c--a-w- c:\program files\winamp551_full_emusic-7plus_en-us.exe
2007-09-04 01:15 . 2007-05-28 23:41 3378248 -c--a-w- c:\program files\LimeWireWin.exe
2007-07-16 11:49 . 2007-07-16 11:48 9679815 -c--a-w- c:\program files\vlc-0.8.6c-win32.exe
2007-05-13 23:23 . 2007-05-13 23:23 3096576 -c--a-w- c:\program files\launchpadremoval.exe
2006-12-06 01:35 . 2006-12-06 01:33 9918872 -c--a-w- c:\program files\WMEncoder.exe
2006-12-06 01:32 . 2006-12-06 01:32 1475376 -c--a-w- c:\program files\GenuineCheck.exe
2006-12-06 01:32 . 2006-12-06 01:32 878384 -c--a-w- c:\program files\WGAPluginInstall.exe
2006-12-06 00:47 . 2006-12-06 00:47 4479257 -c--a-w- c:\program files\allok_movconverter.exe
2006-12-06 00:29 . 2006-12-06 00:28 9429960 -c--a-w- c:\program files\mediaconverter.exe
2006-05-13 16:22 . 2006-05-13 16:22 35640 -c--a-w- c:\program files\VirusScan.zip
2006-05-13 16:14 . 2006-05-13 16:13 22647 -c--a-w- c:\program files\mccleanup.log
2006-05-13 16:13 . 2006-05-13 16:12 295520 -c--a-w- c:\program files\MSKCleanupTool.exe
2006-04-06 23:37 . 2006-04-06 23:36 855893 -c--a-w- c:\program files\FLVplayer_v0.0.4.exe
2006-04-06 23:30 . 2006-04-06 23:27 2871488 -c--a-w- c:\program files\Shockwave_Installer_Slim.exe
2006-04-06 23:19 . 2006-04-06 23:23 1418940 -c--a-w- c:\program files\2004_dynamic_flv_player_v2.3.zip
2006-01-14 14:49 . 2006-01-14 14:48 2855080 -c--a-w- c:\program files\aawsepersonal.exe
2006-01-14 13:26 . 2006-01-14 13:25 5225384 -c--a-w- c:\program files\Firefox Setup 1.5.exe
2003-04-22 14:46 . 2003-04-22 14:46 2719744 -c----w- c:\program files\aiodrv.msi
2003-04-22 14:42 . 2003-04-22 14:42 2588672 -c----w- c:\program files\aiosw.msi
2003-04-22 14:24 . 2003-04-22 14:24 16606 -c--a-w- c:\program files\hpomdl01.dat
2003-04-22 14:23 . 2003-04-22 14:23 267 -c--a-w- c:\program files\readme.html
2003-04-09 22:19 . 2003-04-09 22:19 2848 -c--a-w- c:\program files\hpound08.inf
2003-04-09 22:19 . 2003-04-09 22:19 14157 -c--a-w- c:\program files\hpousc08.inf
2003-04-09 22:00 . 2003-04-09 22:00 2889 -c--a-w- c:\program files\hpousb08.inf
2003-04-09 22:00 . 2003-04-09 22:00 4715 -c--a-w- c:\program files\hpoglu08.inf
2003-03-20 20:20 . 2003-03-20 20:20 22523 -c--a-w- c:\program files\HPZius12.cat
2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\hpzist12.cat
2003-03-20 20:20 . 2003-03-20 20:20 24728 -c--a-w- c:\program files\HPZipr12.cat
2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\HPZid412.cat
2003-03-20 20:20 . 2003-03-20 20:20 21641 -c--a-w- c:\program files\HPOunp08.cat
2003-03-20 20:20 . 2003-03-20 20:20 24285 -c--a-w- c:\program files\hposcu08.cat
2003-03-20 20:20 . 2003-03-20 20:20 205503 -c--a-w- c:\program files\hpoprn08.cat
2003-03-10 01:30 . 2003-03-10 01:30 3667 -c--a-w- c:\program files\hpzist12.inf
2003-03-10 01:30 . 2003-03-10 01:30 184320 -c--a-w- c:\program files\hpzscr07.dll
2003-03-10 01:30 . 2003-03-10 01:30 14285 -c--a-w- c:\program files\hpzius12.inf
2003-03-10 01:30 . 2003-03-10 01:30 10325 -c--a-w- c:\program files\hpzipr12.inf
2003-03-10 01:30 . 2003-03-10 01:30 63562 -c--a-w- c:\program files\hposcu08.inf
2003-03-10 01:30 . 2003-03-10 01:30 51266 -c--a-w- c:\program files\hpoprn08.inf
2003-03-10 01:30 . 2003-03-10 01:30 3898 -c--a-w- c:\program files\hpounp08.inf
2003-03-10 01:30 . 2003-03-10 01:30 33952 -c--a-w- c:\program files\hpzid412.inf
2003-03-10 01:30 . 2003-03-10 01:30 274432 -c--a-w- c:\program files\hpzglu07.exe
2003-03-10 01:30 . 2003-03-10 01:30 237568 -c--a-w- c:\program files\hpzc3212.dll
2003-03-10 01:30 . 2003-03-10 01:30 23186 -c--a-w- c:\program files\hpzcin06.ex_
2002-09-09 22:48 . 2002-09-09 22:48 22608 -c--a-w- c:\program files\usbprint.sys
2002-09-09 22:48 . 2002-09-09 22:48 12288 -c--a-w- c:\program files\usbmon.dll
2002-09-09 22:47 . 2002-09-09 22:47 254005 -c--a-w- c:\program files\msvcrt.dll
2002-09-09 22:47 . 2002-09-09 22:47 70656 -c--a-w- c:\program files\msvcirt.dll
2002-09-09 22:47 . 2002-09-09 22:47 55155 -c--a-w- c:\program files\hpzusb00.sy_
2002-09-09 22:47 . 2002-09-09 22:47 5705 -c--a-w- c:\program files\hpzuci02.dl_
2002-09-09 22:47 . 2002-09-09 22:47 25639 -c--a-w- c:\program files\hpzpom04.dl_
2002-09-09 22:47 . 2002-09-09 22:47 212992 -c--a-w- c:\program files\hpzpnp07.dll
2002-09-09 22:46 . 2002-09-09 22:46 49212 -c--a-w- c:\program files\hpzjvp01.dll
2002-09-09 22:46 . 2002-09-09 22:46 249913 -c--a-w- c:\program files\hpzjut01.dll
2002-09-09 22:46 . 2002-09-09 22:46 417849 -c--a-w- c:\program files\hpzjpp01.dll
2002-09-09 22:46 . 2002-09-09 22:46 28722 -c--a-w- c:\program files\hpzjlog.dll
2002-09-09 22:46 . 2002-09-09 22:46 52552 -c--a-w- c:\program files\hpziou01.dl_
2002-09-09 22:46 . 2002-09-09 22:46 46017 -c--a-w- c:\program files\hpzion00.sy_
2002-09-06 14:54 . 2002-09-06 14:54 995383 -c--a-w- c:\program files\MFC42.DLL
2006-01-16 22:30 . 2006-01-15 17:25 56 --sh--r- c:\windows\system32\6DD3891BC4.sys
2006-01-16 22:30 . 2006-01-15 17:25 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\scott\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2007-07-12 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4175832606.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14986&l=dis
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\scott\Application Data\Mozilla\Firefox\Profiles\oiyyc4by.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 22:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-10-15 22:56
ComboFix-quarantined-files.txt 2009-10-15 03:54
ComboFix2.txt 2009-10-10 03:03

Pre-Run: 1,044,987,904 bytes free
Post-Run: 1,079,910,400 bytes free

222 --- E O F --- 2009-10-14 18:09




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:16 PM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5588 bytes
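
Added example, not posted by anyone in this thread: a small triage script for the kind of ComboFix "Files Created" / "Find3M" listing posted above. Reading those sections by hand means scanning for two things a helper typically looks at first: files carrying both the system and hidden attributes, and path components that are long hex strings (randomly named drop folders and drivers tend to look like that). The line layout and the meaning of the attribute field (d = directory, s = system, h = hidden) are inferred from the log itself; the ten-character hex threshold is a chosen heuristic, and the sample lines are copied from the log above. Anything the script reports is only a candidate for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One ComboFix listing line:
#   <created date time> . <modified date time> <size|--------> <attrs> <path>
# Layout inferred from the log; ComboFix publishes no formal spec.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Heuristic: a name that is nothing but 10+ hex digits (threshold is an assumption).
HEX_NAME_RE = re.compile(r"[0-9a-fA-F]{10,}")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, shown as "--------" in the log
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # Attribute field: first character 'd' marks a directory (inferred from the log).
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        # 's' and 'h' in the attribute field = system + hidden (inferred from the log).
        return "s" in self.attrs and "h" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for section headers, blank lines, etc."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def basename_stem(path: str) -> str:
    """Last path component without its extension, e.g. 'KGyGaAvL' for ...\\KGyGaAvL.sys."""
    name = path.rstrip("\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs worth a second look. Findings are candidates, not verdicts."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        # Hidden+system directories are common (IE's IETldCache, PrivacIE), so only
        # flag files; a hidden+system file in system32 deserves a look.
        if entry.hidden_system and not entry.is_dir:
            findings.append(("hidden+system file", entry.path))
        if HEX_NAME_RE.fullmatch(basename_stem(entry.path)):
            findings.append(("hex-named path component", entry.path))
    return findings


# Sample input: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2009-10-14 15:18 . 2009-10-14 18:59 -------- d-----w- C:\548bb66f753ea159e3c5b3c736
2009-10-09 19:59 . 2009-10-09 19:59 -------- d-sh--w- c:\documents and settings\others\IETldCache
2009-10-06 19:37 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-10 19:53 . 2009-03-29 15:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-01-16 22:30 . 2006-01-15 17:25 56 --sh--r- c:\windows\system32\6DD3891BC4.sys
2006-01-16 22:30 . 2006-01-15 17:25 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason:28} {path}")
```

Run it against a saved ComboFix.txt by reading the file into `triage()`; the hex-folder rule will also catch hotfix extraction folders at the drive root, so check the creation date against when the trouble started before acting on it.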

#18
Tigger93

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Go to Start > Run, type in combofix /u and press OK.

It appears that file does not exist. Why it still shows up is a mystery to me, but it's nothing to worry about. Are you still having any problems?

#19
dannytanner

    New Member

  • Members
  • Pip
  • 10 posts
No, I'm not seeing any problems. Thanks.




