clayman
  1. Hope this helps too.

     GMER 1.0.15.15252 - http://www.gmer.net
     Rootkit quick scan 2009-11-29 23:35:41
     Windows 5.1.2600 Service Pack 3
     Running: ljwu8ejo.exe; Driver: C:\DOCUME~1\CLAYMAN~1\LOCALS~1\Temp\fwlcqpow.sys

     ---- System - GMER 1.0.15 ----

     Code \??\C:\DOCUME~1\CLAYMAN~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

     ---- Devices - GMER 1.0.15 ----

     AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
     AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
     AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
     AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

     Device -> \Driver\atapi \Device\Harddisk0\DR0 8A34F618

     ---- Files - GMER 1.0.15 ----

     File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

     ---- EOF - GMER 1.0.15 ----
  2. Combo Fix Log

     ComboFix 09-11-29.03 - clayman 11/29/2009 23:09.1.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.993 [GMT -5:00]
     Running from: c:\documents and settings\clayman\Desktop\detox.exe
     AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
     AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\clayman\Application Data\inst.exe
     c:\recycler\S-1-5-21-2369461160-35945199-3371764974-1003
     .
     ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
     .
     2009-11-30 03:07 . 2009-11-30 03:07 -------- d-----w- c:\program files\Trend Micro
     2009-11-30 01:41 . 2009-11-30 01:41 -------- d-----r- C:\AHCache
     2009-11-29 19:50 . 2009-11-29 19:50 -------- d-----w- c:\program files\Microsoft Security Essentials
     2009-11-29 19:36 . 2009-11-29 19:36 -------- d-----w- C:\ARK
     2009-11-29 19:22 . 2009-11-29 19:22 -------- d-----w- c:\documents and settings\clayman\Application Data\Malwarebytes
     2009-11-29 19:21 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-29 19:21 . 2009-11-29 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-29 19:21 . 2009-11-29 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-11-29 19:21 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-11-29 03:21 . 2009-11-29 03:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
     2009-11-29 03:21 . 2009-11-29 20:06 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\pjffda
     2009-11-29 00:11 . 2009-11-29 00:11 -------- d-----w- c:\program files\iPod
     2009-11-29 00:11 . 2009-11-29 00:11 -------- d-----w- c:\program files\iTunes
     2009-11-29 00:10 . 2009-11-29 00:10 -------- d-----w- c:\program files\Bonjour
     2009-11-29 00:09 . 2009-11-29 00:10 -------- d-----w- c:\program files\QuickTime
     2009-11-29 00:08 . 2009-07-09 17:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
     2009-11-29 00:08 . 2009-07-09 17:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
     2009-11-29 00:04 . 2009-11-29 00:04 -------- d-----w- c:\program files\Apple Software Update
     2009-11-29 00:03 . 2009-11-29 00:11 -------- d-----w- c:\program files\Common Files\Apple
     2009-11-28 22:21 . 2009-11-28 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
     2009-11-28 19:46 . 2009-11-28 19:46 -------- d-sh--w- c:\documents and settings\clayman\IECompatCache
     2009-11-28 17:46 . 2009-11-28 17:46 44044 ---ha-w- c:\windows\system32\mlfcache.dat
     2009-11-28 02:29 . 2009-11-29 17:48 -------- d-----w- c:\documents and settings\clayman\Application Data\DivX
     2009-11-28 02:28 . 2009-11-28 02:28 -------- d-----w- c:\program files\DivX
     2009-11-28 02:28 . 2009-11-28 02:28 -------- d-----w- c:\program files\Common Files\DivX Shared
     2009-11-28 01:12 . 2009-11-28 01:12 61015016 ----a-w- C:\registrybackup.reg
     2009-11-27 02:33 . 2009-11-28 02:20 -------- d-----w- c:\windows\SxsCaPendDel
     2009-11-27 01:53 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
     2009-11-27 01:53 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
     2009-11-26 16:35 . 2008-04-13 15:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
     2009-11-26 16:35 . 2008-04-13 15:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
     2009-11-26 16:35 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
     2009-11-26 16:35 . 2008-04-13 21:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
     2009-11-26 16:22 . 2009-11-26 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
     2009-11-26 04:43 . 2009-11-29 00:21 -------- d-----w- c:\documents and settings\clayman\Application Data\Apple Computer
     2009-11-26 04:14 . 2009-11-29 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
     2009-11-26 04:13 . 2009-11-26 04:13 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Apple
     2009-11-26 04:13 . 2009-11-28 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
     2009-11-26 04:13 . 2009-11-28 01:24 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Apple Computer
     2009-11-26 00:41 . 2009-11-26 00:41 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Identities
     2009-11-24 20:29 . 2009-11-24 20:30 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Roblox
     2009-11-24 20:28 . 2009-11-26 15:49 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\RobloxDownloads
     2009-11-24 20:28 . 2009-11-26 15:49 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\RobloxVersions
     2009-11-24 04:13 . 2009-11-24 04:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
     2009-11-24 00:36 . 2009-11-24 00:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
     2009-11-22 23:28 . 2009-11-22 23:28 56 ---ha-w- c:\windows\system32\ezsidmv.dat
     2009-11-22 23:28 . 2009-11-29 17:59 -------- d-----w- c:\documents and settings\clayman\Application Data\skypePM
     2009-11-22 23:26 . 2009-11-30 02:27 -------- d-----w- c:\documents and settings\clayman\Application Data\Skype
     2009-11-22 23:22 . 2009-11-22 23:22 -------- d-----w- c:\program files\Common Files\Skype
     2009-11-22 23:22 . 2009-11-22 23:22 -------- d-----r- c:\program files\Skype
     2009-11-22 23:22 . 2009-11-22 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
     2009-11-21 19:38 . 2009-11-21 19:38 -------- d-----w- c:\documents and settings\clayman\fontconfig
     2009-11-21 19:37 . 2009-11-30 00:04 -------- d-----w- c:\documents and settings\clayman\.smplayer
     2009-11-21 19:37 . 2009-11-21 19:37 -------- d-----w- c:\program files\SMPlayer
     2009-11-17 03:46 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
     2009-11-17 03:46 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
     2009-11-16 07:47 . 2009-11-16 07:47 -------- d-----w- c:\documents and settings\clayman\Application Data\Sonic
     2009-11-16 06:53 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
     2009-11-16 06:21 . 2009-11-16 06:23 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy
     2009-11-16 06:21 . 2009-11-16 06:33 -------- d-----w- c:\documents and settings\clayman\Application Data\Vso
     2009-11-16 06:21 . 2009-11-16 06:33 47360 ----a-w- c:\documents and settings\clayman\Application Data\pcouffin.sys
     2009-11-16 06:21 . 2009-11-16 06:21 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
     2009-11-16 05:59 . 2009-11-30 03:41 -------- d-----w- c:\documents and settings\clayman\Tracing
     2009-11-16 05:44 . 2009-11-17 06:32 -------- d-----w- c:\program files\Microsoft Silverlight
     2009-11-16 05:44 . 2009-11-29 00:08 -------- dc----w- c:\windows\system32\DRVSTORE
     2009-11-16 05:44 . 2009-08-06 06:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
     2009-11-16 05:43 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
     2009-11-16 05:43 . 2009-11-16 05:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
     2009-11-16 05:42 . 2009-11-16 05:42 -------- d-----w- c:\program files\Microsoft
     2009-11-16 05:42 . 2009-11-16 05:42 -------- d-----w- c:\program files\Windows Live SkyDrive
     2009-11-16 05:41 . 2009-11-16 05:44 -------- d-----w- c:\program files\Windows Live
     2009-11-16 05:36 . 2009-11-16 05:36 -------- d-----w- c:\program files\Common Files\Windows Live
     2009-11-16 05:27 . 2009-11-16 05:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\system32\scripting
     2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\system32\en
     2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\system32\bits
     2009-11-16 05:14 . 2009-11-16 05:14 -------- d-----w- c:\windows\l2schemas
     2009-11-16 05:08 . 2009-11-16 05:08 -------- d-----w- c:\windows\EHome
     2009-11-16 04:59 . 2009-11-16 04:59 -------- d-sh--w- c:\documents and settings\clayman\PrivacIE
     2009-11-16 04:56 . 2009-11-16 04:56 -------- d-sh--w- c:\documents and settings\clayman\IETldCache
     2009-11-16 04:54 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
     2009-11-16 04:54 . 2009-11-16 04:54 -------- d-----w- c:\windows\ie8updates
     2009-11-16 04:53 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
     2009-11-16 04:53 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
     2009-11-16 04:53 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
     2009-11-16 04:53 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
     2009-11-16 04:53 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
     2009-11-16 04:53 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
     2009-11-16 04:52 . 2009-11-16 04:53 -------- dc-h--w- c:\windows\ie8
     2009-11-16 01:17 . 2009-11-16 01:17 -------- d-----w- c:\windows\Twain32
     2009-11-16 00:47 . 2009-11-16 00:47 -------- d-----w- c:\documents and settings\clayman\Local Settings\Application Data\Opera
     2009-11-16 00:47 . 2009-11-16 00:47 -------- d-----w- c:\program files\Opera
     2009-11-16 00:46 . 2009-11-16 05:13 -------- d-----w- c:\windows\ServicePackFiles
     2009-11-15 23:32 . 2004-08-04 06:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
     2009-11-15 23:24 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
     2009-11-15 23:24 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
     2009-11-15 23:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
     2009-11-15 23:21 . 2009-11-29 23:48 -------- d-----w- c:\windows\ShellNew
     2009-11-15 23:21 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
     2009-11-15 23:21 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
     2009-11-15 23:21 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
     2009-11-15 23:21 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
     2009-11-15 23:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
     2009-11-15 23:21 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
     2009-11-15 23:20 . 2009-11-15 23:20 -------- d-----w- c:\documents and settings\clayman\Application Data\Microsoft Web Folders
     2009-11-15 23:16 . 2009-06-10 17:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
     2009-11-15 23:15 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
     2009-11-15 23:15 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
     2009-11-15 23:15 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
     2009-11-14 21:26 . 2009-04-28 20:20 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
     2009-11-14 21:26 . 2009-04-28 20:20 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
     2009-11-14 21:26 . 2009-04-28 20:20 129520 ------w- c:\windows\system32\pxafs.dll
     2009-11-14 21:26 . 2009-11-15 23:00 -------- d-----w- c:\program files\Winamp
     2009-11-14 21:26 . 2009-11-14 21:31 -------- d-----w- c:\documents and settings\clayman\Application Data\Winamp
     2009-11-14 21:24 . 2009-11-14 21:24 -------- d-sh--w- c:\documents and settings\clayman\UserData
     2009-11-14 21:18 . 2009-11-14 21:18 -------- d-----w- c:\documents and settings\clayman\Application Data\TotalRecorder
     2009-11-14 21:17 . 2009-11-14 21:17 90192 ----a-w- c:\windows\system32\drivers\TotRec8.sys
     2009-11-14 21:17 . 2009-11-14 21:17 131152 ----a-w- c:\windows\system32\drivers\TotRec7.sys
     2009-11-14 21:17 . 2009-11-14 21:17 -------- d-----w- c:\program files\HighCriteria
     2009-11-14 21:17 . 2009-11-14 21:17 61520 ----a-w- c:\windows\system32\DrvTrNTm.dll
     2009-11-14 21:17 . 2009-11-14 21:17 106496 ----a-w- c:\windows\system32\DrvTrNTl.dll
     2009-11-14 20:54 . 2001-01-19 23:34 207872 ----a-w- c:\windows\system32\DVDRGCTL.dll
     2009-11-14 20:54 . 2000-10-27 22:56 193536 ----a-w- c:\windows\system32\AllNode.DLL
     2009-11-14 20:54 . 2000-05-17 23:59 145920 ----a-w- c:\windows\system32\Mmac3.dll
     2009-11-14 20:54 . 2000-04-27 06:15 67584 ----a-w- c:\windows\system32\macrovsn.dll
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-11-30 03:38 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
     2009-11-28 22:27 . 2005-11-05 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
     2009-11-21 17:20 . 2005-11-29 22:16 -------- d-----w- c:\program files\Metamail Inc
     2009-11-16 05:58 . 2009-11-14 19:17 57968 ----a-w- c:\documents and settings\clayman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-11-16 05:16 . 2005-11-05 02:29 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
     2009-11-16 01:33 . 2009-11-16 01:32 -------- d-----w- c:\program files\SONY
     2009-11-16 01:33 . 2005-11-05 02:56 -------- d--h--w- c:\program files\InstallShield Installation Information
     2009-11-15 23:24 . 2009-11-15 23:24 5058 ----a-w- c:\windows\Help\hhcolreg.dat
     2009-11-15 23:19 . 2005-11-05 02:30 -------- d-----w- c:\program files\microsoft frontpage
     2009-11-15 23:12 . 2005-11-05 04:09 -------- d-----w- c:\program files\Pure Networks
     2009-11-15 23:08 . 2005-11-05 04:05 -------- d-----w- c:\program files\Quicken
     2009-11-15 23:03 . 2005-11-05 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
     2009-11-15 23:01 . 2005-11-05 04:09 -------- d-----w- c:\program files\Common Files\AOL
     2009-11-15 23:01 . 2009-11-14 19:17 -------- d-----w- c:\documents and settings\clayman\Application Data\AOL
     2009-11-14 19:10 . 2005-11-29 23:08 -------- d-----w- c:\program files\Sonic
     2009-11-14 00:49 . 2005-11-05 04:07 120056 ------w- c:\windows\system32\pxcpyi64.exe
     2009-11-14 00:49 . 2005-11-05 04:07 118520 ------w- c:\windows\system32\pxinsi64.exe
     2009-09-11 14:18 . 2005-11-05 00:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
     2009-09-04 21:03 . 2005-11-05 00:52 58880 ----a-w- c:\windows\system32\msasn1.dll
     .
     ------- Sigcheck -------
     [-] 2009-11-30 03:38 . 84B647F9DF97B26A4412FE01CCEFE108 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
     [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
     [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
     [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
     "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
     "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
     "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
     "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
     "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
     "PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
     "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
     "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
     "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
     "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-11-10 15473664]
     "NDSTray.exe"="NDSTray.exe" [bU]
     "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
     "TFncKy"="TFncKy.exe" [bU]
     "TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
     RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
     "wave"=DrvTrNTm.dll
     "mixer"=DrvTrNTm.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
     "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
     "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
     "c:\\WINDOWS\\system32\\rtcshare.exe"=
     "c:\\Program Files\\NetMeeting\\conf.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

     R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [11/16/2009 12:44 AM 54752]
     R2 V7;V7;c:\windows\system32\drivers\V7.SYS [11/14/2009 3:54 PM 7196]
     R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [11/14/2009 4:17 PM 131152]
     R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [11/14/2009 4:17 PM 90192]
     S1 btydqpxg;btydqpxg;\??\c:\windows\system32\drivers\btydqpxg.sys --> c:\windows\system32\drivers\btydqpxg.sys [?]
     S1 rrsovyyn;rrsovyyn;\??\c:\windows\system32\drivers\rrsovyyn.sys --> c:\windows\system32\drivers\rrsovyyn.sys [?]
     S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/6/2009 1:48 AM 704864]
     .
     Contents of the 'Scheduled Tasks' folder

     2009-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

     2009-11-30 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

     2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{32F29F81-2AF4-4EC6-BF09-659C1DDB958D}.job
     - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://m.www.yahoo.com/
     uInternet Settings,ProxyServer = http=127.0.0.1:5555
     uInternet Settings,ProxyOverride = <local>
     IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
     IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
     IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
     IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
     IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
     .
     - - - - ORPHANS REMOVED - - - -

     AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
     AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-11-29 23:19
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

     device: opened successfully
     user: MBR read successfully
     called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A34F618]<<
     kernel: MBR read successfully
     detected MBR rootkit hooks:
     \Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
     \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
     \Driver\atapi -> atapi.sys @ 0xf74a8852
     IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
     ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
     \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
     ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
     NDIS: -> SendCompleteHandler -> 0x0
     PacketIndicateHandler -> 0x0
     SendHandler -> 0x0
     user & kernel MBR OK

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(512)
     c:\windows\system32\WININET.dll
     c:\windows\system32\Ati2evxx.dll

     - - - - - - - > 'lsass.exe'(584)
     c:\windows\system32\WININET.dll
     .
     Completion time: 2009-11-29 23:23
     ComboFix-quarantined-files.txt 2009-11-30 04:23

     Pre-Run: 53,224,480,768 bytes free
     Post-Run: 53,255,688,192 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

     - - End Of File - - 9919D25C9752205DE7B2F0E002DBD0E0
  3. Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 10:07:58 PM, on 11/29/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\acs.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
     C:\WINDOWS\system32\DVDRAMSV.exe
     C:\WINDOWS\system32\svchost.exe
     c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
     C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\RTHDCPL.EXE
     C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
     C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
     C:\Program Files\Toshiba\Tvs\TvsTray.exe
     C:\Program Files\ltmoh\Ltmoh.exe
     C:\WINDOWS\AGRSMMSG.exe
     C:\WINDOWS\System32\DLA\DLACTRLW.EXE
     C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
     C:\WINDOWS\system32\TPSMain.exe
     C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
     C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
     C:\toshiba\ivp\ism\pinger.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Microsoft Security Essentials\msseces.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
     C:\Program Files\Windows Live\Messenger\msnmsgr.exe
     C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
     C:\WINDOWS\system32\RAMASST.exe
     C:\WINDOWS\system32\TPSBattM.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
     O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
     O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
     O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
     O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
     O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
     O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
     O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
     O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
     O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
     O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
     O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
     O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
     O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
     O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
     O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
     O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
     O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
     O4 - HKCU\..\Run: [Gadwin PrintScreen Pro] C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe /nosplash
     O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
     O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
     O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
     O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
     O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
     O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
     O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
     O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
     O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
     O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
     O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
     O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

     --
     End of file - 9505 bytes

     Malware Bytes Log

     Malwarebytes' Anti-Malware 1.41
     Database version: 3259
     Windows 5.1.2600 Service Pack 3

     11/29/2009 9:14:44 PM
     mbam-log-2009-11-29 (21-14-44).txt

     Scan type: Quick Scan
     Objects scanned: 101232
     Time elapsed: 5 minute(s), 1 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. Problem is resolved. Below are the steps I had to follow:
Since all scans came back clean, I suspected my problem was somehow related to the add-ons that were installed in Firefox. Another indication was that IE and Opera were working fine, so the problem had to be isolated to Firefox. Unfortunately, uninstalling these add-on apps proved more complex than just pressing a button, since I was not happy with just disabling them:
1) Uninstalled Firefox according to the instructions on their site http://support.mozilla.com/en-US/kb/Uninstalling+Firefox
2) Did a file search on the words firefox and mozilla to ensure all files were removed.
3) Given that Firefox keeps their add-ons in the registry, I had to remove these entries from the registry. I came across them under Mozilla Profiles.
4) I backed up the registry and searched for the words firefox and mozilla.
5) Removed all references to any .dll files. Renamed these .dll files.
6) Re-installed Firefox.
7) Voilà!! I am now able to search without being redirected.
I appreciate all the help and the tips on how to keep my laptop safe from now on. However, I just cannot believe Firefox would leave this big a gap in their product. To assume a bogus secure connection has the ability to trick someone into installing an add-on is scary to say the least. Anyway, I will let you experts deal with this threat; I just wanted to report back and let you know my progress. Thanks again!!
  5. Not so quick... Problem is still there... I went back and followed the last steps, but when I went back into Firefox, boom! Redirected...
1) I disabled all the add-ons.
2) Did a search and the problem was gone.
3) But not being satisfied, I wanted to remove any trace of Firefox from my machine!!
4) I went ahead and uninstalled Firefox.
5) Deleted all the files and profiles.
6) Did a search on Firefox and Mozilla in C: - all files gone.
7) Downloaded and installed a fresh copy.
8) To my surprise all the add-ons were back - why??
9) I ran regedit and found several keys that refer to Firefox.
It appears that these add-on keys are in the registry, so when I installed the new copy they were auto-populated. That means my problem is back. As long as I get these add-ons, I am getting something that is causing the problem. The virus software I have run on this thread doesn't find that. My system is clean. I am thinking about going into the registry and removing anything that has to do with Firefox. I need to install Firefox and find zero add-ons. That will tell me I am good. Otherwise I am back to square one. Please don't tell me to run yet another scan that will find zero infections.
  6. As instructed, below is the ActiveScan log. Thanks.

;*******************************************************************************
ANALYSIS: 2009-02-14 11:57:59
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 3
;*******************************************************************************
PROTECTIONS
Description   Version   Active   Updated
;===============================================================================
Avira AntiVir PersonalEdition   8.0.1.30   No   Yes
;===============================================================================
MALWARE
Id   Description   Type   Active   Severity   Disinfectable   Disinfected   Location
;===============================================================================
00484705   Application/IEDefender   HackTools   No   0   Yes   No   C:\Documents and Settings\myusername\Desktop\SmitfraudFix\IEDFix.C.exe
01185375   Application/Psexec.A   HackTools   No   0   Yes   No   C:\Documents and Settings\myusername\DoctorWeb\Quarantine\A0364507.EXE
01185375   Application/Psexec.A   HackTools   No   0   Yes   No   C:\Documents and Settings\myusername\DoctorWeb\Quarantine\A0364694.EXE
03477235   Application/SmithFraudFix.A   HackTools   No   0   Yes   No   C:\Documents and Settings\myusername\Desktop\SmitfraudFix.exe
03587590   Adware/Yassist   Adware   No   0   No   No   C:\avi player\DivXBundle.exe[
  7. Below are the results of the file scan and Combofix log. Let me know the next steps please. Thanks.

File: wininet.dll
Status: OK
MD5: a82935d32d0672e8ff4e91ae398e901c
Packers detected: PE_PATCH

Scanner results
Scan taken on 14 Feb 2009 03:26:48 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
---------------------------
File: dpl100.dll
Status: OK
MD5: f0e9a533925f48576fffc597dcaf14c0
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:45:08 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------------------------------
File: dtu100.dll
Status: OK
MD5: a8a69740d30bcbaa1959cb0046c84718
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:33:05 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
------------------------------
File: dpuGUI11.dll
Status: OK
MD5: a3fdc0ef06ecfd39da10546a65bc88de
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:36:08 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-----------------------------
File: dpv11.dll
Status: OK
MD5: a71e02af0a34cc05676387545a3e4758
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:29:57 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------------------------------
File: dpus11.dll
Status: OK
MD5: 8c1d3e3e49f031152aa47e16950217cd
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:48:51 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-----------------------------
File: dpu11.dll
Status: OK
MD5: 57c12299d482ada655897a26148b892c
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:51:40 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------------------------------
File: usbsermptxp.sys
Status: OK
MD5: af4b8cc5ea40c57208796920068ddcd5
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:54:22 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------------------------------
File: usbsermpt.sys
Status: OK
MD5: caad3467fbfae8a380f67e9c7150a85e
Packers detected: -

Scanner results
Scan taken on 14 Feb 2009 03:58:37 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
---------------------------------

ComboFix 09-02-12.03 - myusername 2009-02-13 23:10:19.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.1026 [GMT -5:00]
Running from: c:\documents and settings\myusername\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\myusername\Desktop\CFscript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\MediaCoder\SysInfo.sys
c:\windows\system32\drivers\npf.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CRYSTALSYSINFO
-------\Legacy_NPF
-------\Service_CrystalSysInfo
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-13 12:42 . 2009-02-13 12:46 <DIR> d-------- C:\Lop SD
2009-02-11 22:09 . 2009-02-11 22:09 <DIR> d-------- c:\program files\Common Files\Adobe
2009-02-11 20:39 . 2009-02-11 20:39 <DIR> d-------- c:\program files\CCleaner
2009-02-10 21:30 . 2009-02-10 21:30 <DIR> d-------- c:\program files\Trend Micro
2009-02-10 18:55 . 2009-02-10 19:22 <DIR> d-------- c:\documents and settings\myusername\DoctorWeb
2009-02-08 23:25 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-08 23:22 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-02-08 23:22 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-08 18:52 . 2009-02-10 21:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-07 18:55 . 2009-02-07 18:55 <DIR> d-------- c:\program files\Avira
2009-02-07 18:55 . 2009-02-07 18:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-07 15:23 . 2009-02-07 15:23 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-07 12:23 . 2009-02-11 22:06 <DIR> d-------- c:\windows\system32\Adobe
2009-01-18 22:17 . 2009-02-11 20:50 <DIR> d-------- c:\program files\Malwar
2009-01-18 22:17 . 2009-01-18 22:17 <DIR> d-------- c:\documents and settings\myusername\Application Data\Malwarebytes
2009-01-18 22:17 . 2009-01-18 22:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-18 22:17 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-18 22:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 20:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 03:07 --------- d-----w c:\program files\Common Files\Apple
2009-02-12 00:32 --------- d-----w c:\program files\Opera
2009-02-10 23:29 --------- d-----w c:\program files\Old Files
2009-02-10 01:50 --------- d-----w c:\documents and settings\myusername\Application Data\SPORE
2009-02-01 23:24 --------- d-----w c:\documents and settings\myusername\Application Data\Skype
2009-01-19 20:48 --------- d-----w c:\program files\DivX
2009-01-12 23:31 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2008-12-26 14:20 --------- d-----w c:\documents and settings\myusername\Application Data\Apple Computer
2008-12-25 13:50 --------- d-----w c:\program files\iTunes
2008-12-25 13:50 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 13:49 --------- d-----w c:\program files\iPod
2008-12-23 14:58 --------- d-----w c:\documents and settings\myusername\Application Data\MozillaControl
2008-12-23 14:58 --------- d-----w c:\documents and settings\All Users\Application Data\Launcher
2008-12-22 21:34 --------- d-----w c:\documents and settings\myusername\Application Data\Broad Intelligence
2006-05-31 19:54 24,192 ----a-w c:\documents and settings\myusername\usbsermptxp.sys
2006-05-31 19:54 22,768 ----a-w c:\documents and settings\myusername\usbsermpt.sys
2008-09-21 01:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-12-05 114688]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-03-01 826880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 c:\windows\RTHDCPL.exe]
"TFncKy"="TFncKy.exe" [bU]
"TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC2"= vqdecode.dll
"VIDC.VQC1"= vqdecode.dll
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 V7;V7;c:\windows\system32\drivers\V7.SYS [2006-06-10 7196]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [2006-09-04 112624]
S3 EP518P;EZPhone Cam;c:\windows\system32\drivers\ep518vid.sys [2006-09-04 176106]
S3 fsbl;F-Secure BlackLight Engine Driver;c:\program files\EMBARQ Online Security\Anti-Virus\fsbldrv.sys [2008-09-06 26208]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2006-07-02 39048]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\drivers\islp2nds.sys [2002-10-03 611840]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [2006-07-03 54083]
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\Norton Security Scan for myusername.job
- c:\program files\Norton Security Scan\Nss.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://meta.com/nortel_cacheable/NetDirect.cab
DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://meta.com/nortel_cacheable/iewiper.cab
FF - ProfilePath - c:\documents and settings\myusername\Application Data\Mozilla\Firefox\Profiles\59o0epvd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 23:15:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3225192553-3933798331-355357314-1006\Software\SecuROM\License information*]
"datasecu"=hex:eb,6c,49,1d,15,22,7a,4f,1e,a2,db,74,49,de,1a,e1,1f,95,97,85,ab,
7d,d6,9e,03,d3,ff,48,0b,df,25,07,68,84,28,58,ce,2c,bb,b8,0c,02,0f,7c,e9,bf,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\TPSBattM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-13 23:18:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-14 04:17:59
ComboFix2.txt 2009-02-13 19:12:11
ComboFix3.txt 2009-02-11 12:42:45
ComboFix4.txt 2009-02-10 03:49:50

Pre-Run: 11,744,428,032 bytes free
Post-Run: 11,797,643,264 bytes free

180 --- E O F --- 2009-02-11 04:04:39
  8. Searched for adwarefeed, clickfraud, websearchmaster and yoog with no good results.
Ran MBAM (log below) - nothing found.

Malwarebytes' Anti-Malware 1.34
Database version: 1757
Windows 5.1.2600 Service Pack 3

2/13/2009 9:32:13 AM
mbam-log-2009-02-13 (09-32-13).txt

Scan type: Quick Scan
Objects scanned: 65608
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Lop S&D log

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel® Celeron® M processor 1.70GHz )
BIOS : BIOS Version 1.70
USER : myusername ( Administrator )
BOOT : Normal boot
Antivirus : Avira AntiVir PersonalEdition 8.0.1.30 (Activated)
C:\ (Local Disk) - NTFS - Total:74 Go (Free:11 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Fri 02/13/2009|12:43 )

--------------------\\ Listing folders in APPLIC~1

[12/25/2008|08:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[02/11/2009|10:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[06/10/2006|09:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[10/14/2008|08:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[01/31/2007|10:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[02/07/2009|06:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avira
[01/12/2009|06:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Electronic Arts
[09/06/2008|12:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> F-Secure
[07/03/2008|05:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> fssg
[07/03/2006|06:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[08/19/2006|10:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[11/04/2005|11:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[12/23/2008|09:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Launcher
[11/14/2007|07:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[01/18/2009|10:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[11/04/2005|11:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee.com
[06/13/2008|06:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[12/21/2006|12:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Napster
[08/03/2008|05:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Pinnacle
[11/10/2007|04:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> pixelStorm
[11/04/2005|11:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Pure Networks
[11/04/2005|11:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[09/14/2008|04:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Roxio
[08/31/2007|09:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Skype
[09/14/2008|04:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sonic
[02/11/2009|08:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[07/16/2007|08:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[04/04/2007|06:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[11/04/2005|11:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[07/03/2006|07:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[04/06/2008|12:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller
[12/21/2006|12:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo
[10/13/2008|10:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!

[10/26/2008|04:04] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> 1ClickDVDCopy
[02/11/2009|10:06] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Adobe
[08/02/2008|08:02] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> AdobeUM
[11/11/2007|07:33] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Amazon
[06/10/2006|09:48] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> AOL
[12/26/2008|09:20] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Apple Computer
[11/29/2005|05:25] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> ATI
[04/27/2007|07:27] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> bang
[12/22/2008|04:34] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Broad Intelligence
[10/26/2008|04:00] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> CopyToDvd
[08/19/2006|10:03] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Corel
[10/15/2008|09:02] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> DivX
[12/15/2007|08:51] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Ethereal
[12/09/2007|05:07] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> FastStone
[07/07/2008|07:08] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> F-Secure
[02/17/2007|09:48] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Google
[07/03/2006|06:56] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> GTek
[07/02/2006|10:44] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Help
[11/04/2005|09:30] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Identities
[10/06/2008|07:31] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> InstallShield
[05/21/2006|08:58] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> InterVideo
[11/04/2005|11:05] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Intuit
[08/13/2006|11:43] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> iView
[07/26/2008|12:22] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> LEGO Company
[02/11/2009|10:06] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Macromedia
[01/18/2009|10:17] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Malwarebytes
[08/03/2008|05:25] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Microsoft
[06/19/2006|10:06] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Microsoft Web Folders
[02/11/2009|09:51] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Mozilla
[12/23/2008|09:58] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> MozillaControl
[05/21/2006|07:07] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> MSNInstaller
[06/10/2006|08:12] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Musicmatch
[09/14/2008|10:21] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Opera
[06/12/2006|01:11] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Real
[09/14/2008|04:07] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Research In Motion
[10/02/2008|08:45] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Roxio
[09/19/2008|02:01] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> SecuROM
[06/03/2007|06:01] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> SGooPE
[02/01/2009|06:24] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Skype
[03/24/2007|10:42] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Snapfish
[06/01/2006|10:32] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Sonic
[02/09/2009|08:50] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> SPORE
[02/11/2009|08:26] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Sun
[09/23/2006|08:23] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Talkback
[11/04/2005|10:39] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> toshiba
[12/06/2008|04:26] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> Unity
[01/01/2007|02:34] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> yahoo!
[11/04/2005|11:10] C:\DOCUME~1\myusername~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

[11/30/2005|06:19] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Adobe
[06/10/2006|09:48] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> AOL
[11/29/2005|05:25] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> ATI
[11/04/2005|09:30] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[11/04/2005|11:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Intuit
[11/04/2005|09:39] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[11/04/2005|10:39] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> toshiba
[11/04/2005|11:10] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

[11/24/2006|10:55] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[10/02/2008|08:45] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Roxio

[11/04/2005|09:29] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/08/2009 06:00 PM][--a------] C:\WINDOWS\tasks\Norton Security Scan for myusername.job
[02/13/2009 12:04 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 07:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[02/11/2009|10:09] C:\Program Files\<DIR> Adobe
[08/03/2008|05:02] C:\Program Files\<DIR> AirSnare
[11/11/2007|07:33] C:\Program Files\<DIR> Amazon
[10/14/2008|08:30] C:\Program Files\<DIR> Apple Software Update
[05/21/2006|06:09] C:\Program Files\<DIR> Atheros
[11/29/2005|05:29] C:\Program Files\<DIR> ATI Technologies
[09/20/2008|09:46] C:\Program Files\<DIR> Atlantis Adventure
[02/04/2007|10:31] C:\Program Files\<DIR> Audio Player
[10/22/2008|06:55] C:\Program Files\<DIR> AVD Video Processor 7.6 TRIAL
[02/07/2009|06:55] C:\Program Files\<DIR> Avira
[11/11/2007|08:43] C:\Program Files\<DIR> Bible Explorer 4
[06/10/2006|10:02] C:\Program Files\<DIR> CA
[02/11/2009|08:39] C:\Program Files\<DIR> CCleaner
[02/11/2009|10:09] C:\Program Files\<DIR> Common Files
[11/04/2005|09:27] C:\Program Files\<DIR> ComPlus Applications
[09/28/2007|09:34] C:\Program Files\<DIR> CROSS Shared
[09/20/2008|09:47] C:\Program Files\<DIR> Crystalize
[02/04/2008|11:09] C:\Program Files\<DIR> Disney
[01/19/2009|03:48] C:\Program Files\<DIR> DivX
[03/10/2008|09:20] C:\Program Files\<DIR> dvd43
[11/04/2005|10:20] C:\Program Files\<DIR> DVD-RAM
[09/19/2008|02:00] C:\Program Files\<DIR> Electronic Arts
[09/06/2008|09:35] C:\Program Files\<DIR> EMBARQ Online Security
[12/15/2007|08:33] C:\Program Files\<DIR> Ethereal
[12/09/2007|05:07] C:\Program Files\<DIR> FastStone Image Viewer
[02/17/2007|09:48] C:\Program Files\<DIR> Google
[06/10/2006|03:42] C:\Program Files\<DIR> HighCriteria
[01/01/2007|03:14] C:\Program Files\<DIR> HOTLLAMA Media
[11/04/2005|11:13] C:\Program Files\<DIR> illiminable
[09/20/2008|09:51] C:\Program Files\<DIR> InstallShield Installation Information
[04/13/2007|06:14] C:\Program Files\<DIR> InstaVerse
[02/10/2009|11:01] C:\Program Files\<DIR> Internet Explorer
[11/29/2005|06:02] C:\Program Files\<DIR> InterVideo
[12/25/2008|08:49] C:\Program Files\<DIR> iPod
[05/16/2007|09:42] C:\Program Files\<DIR> IrfanView
[12/25/2008|08:50] C:\Program Files\<DIR> iTunes
[08/13/2006|11:42] C:\Program Files\<DIR> iView Catalog Reader
[11/14/2007|07:29] C:\Program Files\<DIR> Lavasoft
[06/12/2006|10:36] C:\Program Files\<DIR> LG Software Innovations
[06/13/2008|06:18] C:\Program Files\<DIR> Live Search Maps for Outlook
[11/30/2005|06:16] C:\Program Files\<DIR> ltmoh
[02/11/2009|08:50] C:\Program Files\<DIR> Malwar
[06/10/2006|06:04] C:\Program Files\<DIR> Mediamatics
[09/20/2008|08:33] C:\Program Files\<DIR> Messenger
[11/29/2005|05:16] C:\Program Files\<DIR> Metamail Inc
[06/13/2007|08:48] C:\Program Files\<DIR> Metavante_Remote_Access
[12/01/2005|01:34] C:\Program Files\<DIR> Microsoft ActiveSync
[04/06/2008|10:17] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[06/19/2006|10:06] C:\Program Files\<DIR> microsoft frontpage
[06/13/2008|06:14] C:\Program Files\<DIR> Microsoft Location Finder
[08/03/2008|05:05] C:\Program Files\<DIR> Microsoft Office
[06/13/2008|06:13] C:\Program Files\<DIR> Microsoft Streets & Trips
[06/19/2006|10:09] C:\Program Files\<DIR> Microsoft Visual Studio
[11/07/2005|11:59] C:\Program Files\<DIR> Microsoft.NET
[09/20/2008|08:28] C:\Program Files\<DIR> Movie Maker
[02/13/2009|12:38] C:\Program Files\<DIR> Mozilla Firefox
[01/26/2007|10:39] C:\Program Files\<DIR> MP3 Update
[05/21/2006|07:07] C:\Program Files\<DIR> MSN
[11/04/2005|09:27] C:\Program Files\<DIR> MSN Gaming Zone
[11/21/2006|08:39] C:\Program Files\<DIR> MSXML 4.0
[09/16/2008|03:12] C:\Program Files\<DIR> MSXML 6.0
[06/10/2006|08:12] C:\Program Files\<DIR> Musicmatch
[09/20/2008|08:25] C:\Program Files\<DIR> NetMeeting
[02/19/2007|08:08] C:\Program Files\<DIR> Nmap
[02/10/2009|06:29] C:\Program Files\<DIR> Old Files
[02/11/2009|07:32] C:\Program Files\<DIR> Opera
[09/20/2008|08:25] C:\Program Files\<DIR> Outlook Express
[12/15/2007|10:51] C:\Program Files\<DIR> Paint.NET
[08/03/2008|05:18] C:\Program Files\<DIR> Pinnacle
[08/13/2006|11:57] C:\Program Files\<DIR> Pradis
[10/14/2008|08:32] C:\Program Files\<DIR> QuickTime
[03/05/2007|11:00] C:\Program Files\<DIR> Real
[11/29/2005|05:21] C:\Program Files\<DIR> Realtek
[09/14/2008|03:47] C:\Program Files\<DIR> Research In Motion
[09/14/2008|04:00] C:\Program Files\<DIR> Roxio
[08/31/2007|09:53] C:\Program Files\<DIR> Skype
[09/20/2008|09:51] C:\Program Files\<DIR> Soda Pipes
[12/21/2005|08:04] C:\Program Files\<DIR> Sonic
[07/02/2006|06:06] C:\Program Files\<DIR> SONY
[09/30/2008|10:00] C:\Program Files\<DIR> SpeedFan
[02/10/2009|09:58] C:\Program Files\<DIR> Spybot - Search & Destroy
[11/29/2005|05:38] C:\Program Files\<DIR> Synaptics
[06/10/2006|10:20] C:\Program Files\<DIR> TOSHIBA
[02/10/2009|09:30] C:\Program Files\<DIR> Trend Micro
[11/04/2005|09:32] C:\Program Files\<DIR> Uninstall Information
[12/06/2008|03:18] C:\Program Files\<DIR> Unity
[11/04/2005|11:09] C:\Program Files\<DIR> Viewpoint
[04/06/2007|08:23] C:\Program Files\<DIR> Winamp
[04/06/2008|12:36] C:\Program Files\<DIR> Windows Live
[10/15/2008|07:29] C:\Program Files\<DIR> Windows Live Safety Center
[04/17/2007|07:53] C:\Program Files\<DIR> Windows Media Connect 2
[09/20/2008|08:25] C:\Program Files\<DIR> Windows Media Player
[09/20/2008|08:25] C:\Program Files\<DIR> Windows NT
[11/04/2005|09:28] C:\Program Files\<DIR> WindowsUpdate
[12/15/2007|08:32] C:\Program Files\<DIR> WinPcapold
[02/18/2007|08:03] C:\Program Files\<DIR> WinRAR
[11/04/2005|09:30] C:\Program Files\<DIR> xerox
[10/13/2008|10:08] C:\Program Files\<DIR> Yahoo!
[07/04/2006|08:01] C:\Program Files\<DIR> Zero G Registryold

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/11/2009|10:09] C:\Program Files\Common Files\<DIR> Adobe
[06/10/2006|09:49] C:\Program Files\Common Files\<DIR> AOL
[02/11/2009|10:07] C:\Program Files\Common Files\<DIR> Apple
[12/01/2005|01:34] C:\Program Files\Common Files\<DIR> DESIGNER
[08/19/2006|10:03] C:\Program Files\Common Files\<DIR> InstallShield
[08/03/2008|05:05] C:\Program Files\Common Files\<DIR> Microsoft Shared
[11/04/2005|09:28] C:\Program Files\Common Files\<DIR> MSSoap
[11/04/2005|11:10] C:\Program Files\Common Files\<DIR> Nullsoft
[11/04/2005|01:23] C:\Program Files\Common Files\<DIR> ODBC
[06/12/2006|01:09] C:\Program Files\Common Files\<DIR> Real
[09/14/2008|03:48] C:\Program Files\Common Files\<DIR> Research In Motion
[09/14/2008|03:59] C:\Program Files\Common Files\<DIR> Roxio Shared
[11/04/2005|09:28] C:\Program Files\Common Files\<DIR> Services
[08/31/2007|09:53] C:\Program Files\Common Files\<DIR> Skype
[09/14/2008|04:00] C:\Program Files\Common Files\<DIR> Sonic Shared
[11/04/2005|01:23] C:\Program Files\Common Files\<DIR> SpeechEngines
[02/07/2009|03:23] C:\Program Files\Common Files\<DIR> Symantec Shared
[09/20/2008|08:25] C:\Program Files\Common Files\<DIR> System
[04/06/2008|12:35] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller
[11/14/2007|07:29] C:\Program Files\Common Files\<DIR> Wise
Installation Wizard [06/12/2006|01:09] C:\Program Files\Common Files\<DIR> xing shared --------------------\\ Process ( 50 Processes ) iexplore.exe ~ [PID:512] --------------------\\ Searching with S_Lop No Lop folder found ! --------------------\\ Searching for Lop Files - Folders No Lop folder found ! --------------------\\ Searching within the Registry ..... OK ! --------------------\\ Checking the Hosts file Hosts file CLEAN --------------------\\ Searching for hidden files with Catchme catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-13 12:44:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden files: 368 --------------------\\ Searching for other infections --------------------\\ Cracks & Keygens .. C:\DOCUME~1\myusername~1\Application Data\bang\rsrc\bounties\frontier_town\most_wanted\extreme\crackshot_maude C:\DOCUME~1\myusername~1\Application Data\bang\rsrc\bounties\frontier_town\most_wanted\extreme\crackshot_maude\bounty.properties C:\DOCUME~1\myusername~1\Application Data\bang\rsrc\bounties\frontier_town\most_wanted\extreme\crackshot_maude\crackshot_maude.png C:\DOCUME~1\myusername~1\Application Data\bang\rsrc\bounties\frontier_town\most_wanted\extreme\crackshot_maude\gully.game C:\DOCUME~1\myusername~1\Application Data\bang\rsrc\bounties\frontier_town\most_wanted\extreme\crackshot_maude\high_shooter.game C:\DOCUME~1\myusername~1\Application Data\bang\rsrc\bounties\frontier_town\most_wanted\extreme\crackshot_maude\keep_em.game [F:4][D:2]-> C:\DOCUME~1\myusername~1\LOCALS~1\Temp [F:37][D:0]-> C:\DOCUME~1\myusername~1\Cookies [F:334][D:4]-> C:\DOCUME~1\myusername~1\LOCALS~1\TEMPOR~1\content.IE5 1 - "C:\Lop SD\LopR_1.txt" - Fri 02/13/2009|12:46 - Option : [1] --------------------\\ Scan completed at 12:46:05 SmitFraudFix Log SmitFraudFix v2.395 Scan done at 13:23:49.34, Fri 02/13/2009 Run from 
C:\Documents and Settings\myusername\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode
  9. Here is a detailed description:

1) Problem is happening only in Firefox after the cleanup. IE and Opera are fine.
2) In the Google Search located to the right of the address text bar, I type my search (example "cnn") and hit enter.
3) In the status bar at the bottom of the screen I see: Transferring "v1.adwarefeed.com". Normally I would see www.google.com/search?...
4) The results of the search come back as I would expect the page to look like, with several links for cnn.
5) If I move the cursor over the first link, I see in the status bar "www.cnn.com".
6) I click on the link.
7) I see in the status bar http://clickfraudmanager.com/check.php?t=c...aster.net/?d=...
8) Then the progress bar on the bottom right starts progressing and the page refreshes and I get a
9) Network Timeout - The server at 76.9.16.147 is taking too long to respond. The requested site did not respond to a connection request and the browser has stopped waiting for a reply.
   * Could the server be experiencing high demand or a temporary outage? Try again later.
   * Are you unable to browse other sites? Check the computer's network connection.
   * Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.
   * Still having trouble? Consult your network administrator or Internet provider for assistance.
10) This is an improvement from what I was getting before. Prior to you helping me with the clean up I would be diverted to a page that had nothing to do with cnn. Some form of advertisement. If I click on the search bar again the same thing happens.

Somehow there is something that is controlling the Google Search. I already tried uninstalling and reinstalling Firefox but it did not solve the problem. I did a search on the word "adwarefeed" using Opera and found someone else with the same problem http://answers.yahoo.com/question/index?qi...07170607AAlGApz but not knowing the validity of this I am hesitant to follow any of the steps described there.

I hope this helps explain the problem. I appreciate you sticking with me and helping resolve this problem. Thanks.

PS: I created a small jpg file with the screen shots.
  10. Problem is still there. What is the best way I can show you what I am getting? I can put together a simple step by step with screen shots if that is the best approach. Please let me know.
  11. NEW MBAM Log

Malwarebytes' Anti-Malware 1.34
Database version: 1751
Windows 5.1.2600 Service Pack 3

2/11/2009 8:56:13 PM
mbam-log-2009-02-11 (20-56-13).txt

Scan type: Quick Scan
Objects scanned: 64839
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:21 PM, on 2/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwar\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://portal.kirchman.com/nortel_cacheable/NetDirect.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-c444eb599468fbd1.spaces.live.co...ad/MsnPUpld.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://portal.kirchman.com/nortel_cacheable/iewiper.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10029 bytes
  12. HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:57 PM, on 2/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: *.portal.meta.com
O15 - Trusted Zone: *.portal.meta.com
O15 - Trusted Zone: *.portal.meta.com (HKLM)
O15 - Trusted Zone: *.portal.meta.com (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://portal.meta.com/nortel_cacheable/NetDirect.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-c444eb599468fbd1.spaces.live.co...ad/MsnPUpld.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://meta.com/nortel_cacheable/iewiper.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10964 bytes

Dr.Web Log

RegUBP2b-myusername.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
vnc-4_1_2-x86_win32(2).exe\data005;C:\Documents and Settings\myusername\Desktop\vnc-4_1_2-x86_win32(2).exe;Program.RemoteAdmin.51;;
vnc-4_1_2-x86_win32(2).exe;C:\Documents and Settings\myusername\Desktop;Archive contains infected objects;Moved.;
pc_setup.exe\data005;C:\Downloads\PickaProxy\pc_setup.exe;Adware.Uptofind;;
pc_setup.exe/data007\data003;C:\Downloads\PickaProxy\pc_setup.exe/data007;Adware.Uptofind;;
data007;C:\Downloads\PickaProxy;Archive contains infected objects;;
pc_setup.exe;C:\Downloads\PickaProxy;Archive contains infected objects;Moved.;
A0364479.reg;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP537;Trojan.StartPage.1505;Deleted.;
A0364507.EXE;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP537;Program.PsExec.170;Moved.;
A0364694.EXE;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538;Program.PsExec.170;Moved.;
A0364749.reg;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538;Trojan.StartPage.1505;Deleted.;
A0364750.exe\data005;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538\A0364750.exe;Program.RemoteAdmin.51;;
A0364750.exe;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538;Archive contains infected objects;Moved.;
A0364751.exe\data005;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538\A0364751.exe;Adware.Uptofind;;
A0364751.exe/data007\data003;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538\A0364751.exe/data007;Adware.Uptofind;;
data007;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538;Archive contains infected objects;;
A0364751.exe;C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP538;Archive contains infected objects;Moved.;

Please advise. Many Thanks!!
  13. ComboFix 09-02-08.02 - myusername 2009-02-09 22:40:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.1019 [GMT -5:00]
Running from: c:\documents and settings\myusername\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\myusername\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\myusername\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\emMON.exe
c:\windows\system32\_000008_.tmp.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.
2009-02-08 23:25 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-08 23:22 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-02-08 23:22 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-08 23:10 . 2009-02-08 23:10 631,296 --a------ C:\How to use ComboFix.doc
2009-02-08 18:52 . 2009-02-08 18:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-07 18:55 . 2009-02-07 18:55 <DIR> d-------- c:\program files\Avira
2009-02-07 18:55 . 2009-02-07 18:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-07 15:23 . 2009-02-07 15:23 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-07 12:23 . 2009-02-07 12:23 <DIR> d-------- c:\windows\system32\Adobe
2009-02-06 21:00 . 2009-02-07 12:57 2,204 --a------ c:\windows\dynruope
2009-01-18 22:17 . 2009-01-18 22:18 <DIR> d-------- c:\program files\Malwar
2009-01-18 22:17 . 2009-01-18 22:17 <DIR> d-------- c:\documents and settings\myusername\Application Data\Malwarebytes
2009-01-18 22:17 . 2009-01-18 22:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-18 22:17 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-18 22:17 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-12 18:31 . 2009-01-12 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 01:50 --------- d-----w c:\documents and settings\myusername\Application Data\SPORE
2009-02-09 04:11 --------- d-----w c:\program files\Opera
2009-02-08 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-01 23:24 --------- d-----w c:\documents and settings\myusername\Application Data\Skype
2009-01-31 02:00 --------- d-----w c:\program files\eMule
2009-01-19 20:48 --------- d-----w c:\program files\DivX
2008-12-26 14:20 --------- d-----w c:\documents and settings\myusername\Application Data\Apple Computer
2008-12-25 13:50 --------- d-----w c:\program files\iTunes
2008-12-25 13:50 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 13:49 --------- d-----w c:\program files\iPod
2008-12-25 13:47 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 14:58 --------- d-----w c:\documents and settings\myusername\Application Data\MozillaControl
2008-12-23 14:58 --------- d-----w c:\documents and settings\All Users\Application Data\Launcher
2008-12-23 14:58 --------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2008-12-22 21:34 --------- d-----w c:\documents and settings\myusername\Application Data\Broad Intelligence
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-02-27 00:26 32 -c--a-r c:\documents and settings\All Users\hash.dat
2006-05-31 19:54 24,192 ----a-w c:\documents and settings\myusername\usbsermptxp.sys
2006-05-31 19:54 22,768 ----a-w c:\documents and settings\myusername\usbsermpt.sys
2006-12-27 04:09 8 --sh--r c:\windows\system32\18D1590C37.sys
2006-08-19 15:04 88 --sh--r c:\windows\system32\F5E71FC60A.sys
2008-09-21 01:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-07 3321856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-12-05 114688]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 c:\windows\RTHDCPL.exe]
"TFncKy"="TFncKy.exe" [bU]
"TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC2"= vqdecode.dll
"VIDC.VQC1"= vqdecode.dll
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2008-03-01 14:49 826880 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-05-19 10:57 188416 c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-01-19 13:06 11776 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-07-15 13:52 1077322 c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 20:37 151552 c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 19:13 122880 c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
--a------ 2006-12-05 20:49 114688 c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-10-15 09:29 88203 c:\windows\agrsmmsg.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 V7;V7;c:\windows\system32\drivers\V7.SYS [2006-06-10 7196]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\MediaCoder\SysInfo.sys --> c:\program files\MediaCoder\SysInfo.sys [?]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [2006-09-04 112624]
S3 EP518P;EZPhone Cam;c:\windows\system32\drivers\ep518vid.sys [2006-09-04 176106]
S3 fsbl;F-Secure BlackLight Engine Driver;c:\program files\EMBARQ Online Security\Anti-Virus\fsbldrv.sys [2008-09-06 26208]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2006-07-02 39048]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\drivers\islp2nds.sys [2002-10-03 611840]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-04-22 32512]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [2006-07-03 54083]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d1098c0-0213-11db-b163-0016e303926f}]
\Shell\AutoRun\command - e:\__stickydrive\StickyBeta.exe
\Shell\StickyDrive\Command - e:\__stickydrive\StickyBeta.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-02-07 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []

2009-02-08 c:\windows\Tasks\Norton Security Scan for myusername.job
- c:\program files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
MSConfigStartUp-YCentral - c:\program files\Yahoo!\YCentral\YahooCentral.exe
MSConfigStartUp-ISLP2STA - ISLP2STA.EXE
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: portal.kirchman.com
Trusted Zone: portal.metavantebanking.com
Trusted Zone: musicmatch.com\online
Trusted Zone: portal.kirchman.com
Trusted Zone: portal.metavantebanking.com
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://portal.kirchman.com/nortel_cacheable/NetDirect.cab
DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://portal.kirchman.com/nortel_cacheable/iewiper.cab
FF - ProfilePath - c:\documents and settings\myusername\Application Data\Mozilla\Firefox\Profiles\c3plfagf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\myusername\Application Data\Mozilla\Firefox\Profiles\c3plfagf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 22:46:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3225192553-3933798331-355357314-1006\Software\SecuROM\License information*]
"datasecu"=hex:e2,09,7a,63,43,c7,be,47,f0,fc,d3,d7,22,b6,3c,aa,97,96,08,ac,96,
 3a,7a,a6,69,2b,59,ef,53,bf,5c,08,fc,4c,8c,59,f6,e4,7e,30,1e,64,1d,ab,a3,eb,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,d8,d9,51,ce,e8,
 ab,b2,45,e2,63,26,f1,3f,c8,ff,68,37,7a,41,30,92,cf,83,d9,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,60,64,17,d6,76,
 e0,7e,11,6a,9c,d6,61,af,45,84,18,28,dd,a0,41,52,1f,21,cd,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,dd,6a,c2,cc,bd,
 e8,0d,01,ff,7c,85,e0,43,d4,0e,fe,9e,7a,75,fd,9b,f6,ca,9d,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,fe,6d,46,c5,29,
 66,5a,a1,86,8c,21,01,be,91,eb,e7,e4,6e,b2,39,6f,7f,78,71,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,5a,b8,4f,18,5a,
 7b,19,ac,f5,1d,4d,73,a8,13,5c,05,81,4f,a4,4f,80,69,7e,ae,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,71,5a,d2,1a,5c,
 e7,f8,7d,df,20,58,62,78,6b,cf,c8,ee,ec,c8,7a,19,53,a0,9c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,d3,79,cb,16,84,
 16,76,53,fb,a7,78,e6,12,2f,9a,ea,6a,b0,a7,38,4a,53,01,69,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,3c,66,f7,4f,b0,
 cc,f5,a1,01,3a,48,fc,e8,04,4a,f1,b0,6f,45,92,bc,c2,ae,13,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,a4,9e,27,43,5e,
 b8,21,40,f6,0f,4e,58,98,5b,89,c9,7d,6f,6c,72,e0,57,06,58,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,df,d7,b1,62,f7,
 e5,8c,f8,3d,ce,ea,26,2d,45,aa,78,60,79,4f,bd,e9,40,88,e4,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,c2,c4,44,2e,bf,
 db,e9,bf,2a,b7,cc,b5,b9,7f,41,e7,ad,c5,25,3e,58,d8,62,e1,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,82,e6,ae,c0,51,
 38,35,26,6c,43,2d,1e,aa,22,2f,9c,72,a5,31,ef,8d,34,2e,34,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\ati2evxx.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TPSBattM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-09 22:49:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 03:48:59

Pre-Run: 9,492,934,656 bytes free
Post-Run: 9,485,049,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

281 --- E O F --- 2009-02-09 04:41:20
  14. I guess the problem is back. It seemed everything was fine until I did a search and there it went, redirected to a page that had nothing to do with the result from Google. I notice that at the bottom of the screen something appears with a link v1-addwarefeed.com when I do the search and clickfraudmanager.com when I actually select the link. I am back where I started...
  15. I went back into both browsers and disabled all my add-ons. That seemed to resolve the problem, but my question now is which add-on is the malware causing the problem, and why does your product not detect these types of problems? I am guessing the only thing I can do is start enabling these things until one gives me the problem. Any suggestions? Thanks in advance.