Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

google re-direct [RESOLVED]


  • This topic is locked This topic is locked

#1
masss

masss

    Member

  • Member
  • PipPip
  • 25 posts
Everytime i go to google and click on a link it redirects me to a different page or it opens a new window opening a different site.
can u help? Thanks.

here is hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:33 AM, on 3/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmkmp.exe] C:\Windows\system32\dmkmp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: btrklfr - {2CDD5F85-F046-4A14-ADDA-55C8BC267EBA} - C:\Windows\btrklfr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11666 bytes
  • 0

Advertisements


#2
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi masss

welcome to geekstogo :)

i can see several infections on your machine, but first i want to check to see if there is a smitfraud infection - i suspect there is. we will not solve your problems in this post, but we will be able to start the fix in my following post.


also, do you recognise this address: UkrTeleGroup Ltd. Mechnikova 58/5 , 65029 Odessa, Ukraine? is it your ISP? or your company?


Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

andrewuk
  • 0

#3
masss

masss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
andrewuk,

thanks. no i don't recognize that at all.

here is the report of the smitfraud scan:

SmitFraudFix v2.307

Scan done at 10:39:04.76, Sat 03/22/2008
Run from C:\Users\Mass\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Mass


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Mass\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Mass\FAVORI~1

C:\Users\Mass\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Helper\ FOUND !
C:\Program Files\Sotfone\ FOUND !
C:\Program Files\Video Add-on\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

[!] Suspicious: btrklfr.dll
SSODL: btrklfr - {2CDD5F85-F046-4A14-ADDA-55C8BC267EBA}


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Broadcom 802.11b/g WLAN
DNS Server Search Order: 85.255.113.125
DNS Server Search Order: 85.255.112.159

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: DhcpNameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: DhcpNameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: DhcpNameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.113.125 85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.113.125 85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.113.125 85.255.112.159


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

thanks. no i don't recognize that at all.

ok, we will deal with that in the next post.

i estimtate that this whole fix will take at least 8 more posts from me, possibly more depending how we go. it will most likely take some 4 posts before you cease to be redirected.

in this post we will clear the smitfraud infection that we found in your last reply.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


In your next reply could i see:
1. the raport.txt log
2. a new hijackthis log

andrewuk
  • 0

#5
masss

masss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
andrewuk,

here is the smitfraudfix:
SmitFraudFix v2.307

Scan done at 12:35:57.44, Sat 03/22/2008
Run from C:\Users\Mass\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\Windows\btrklfr.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Users\Mass\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\Helper\ Deleted
C:\Program Files\Sotfone\ Deleted
C:\Program Files\Video Add-on\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: DhcpNameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: DhcpNameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: DhcpNameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer=85.255.113.125,85.255.112.159
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.113.125 85.255.112.159
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.113.125 85.255.112.159
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.116.2.50 24.116.2.34
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.113.125 85.255.112.159


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End





here is the hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:33 AM, on 3/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmkmp.exe] C:\Windows\system32\dmkmp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: btrklfr - {2CDD5F85-F046-4A14-ADDA-55C8BC267EBA} - C:\Windows\btrklfr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11666 bytes



thanks,
masss
  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load (could take a very long time); this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log

andrewuk
  • 0

#7
masss

masss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
andrewuk,

it doesn't seem to be working. I saved it to my desktop and ran it. It prompted me twice with 'press any key to continue' and that was it. i tried to reboot my computer but that did nothing.

masss
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
ok, lets move on to the next part, i can sort that infection out manually in the following post.

in this post we will target some trojans and get a deeper scan of your machine.


====STEP 1====
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum


====STEP 2====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


In your next reply could i see:
1. the report.txt log
2. the 2 DSS logs (though there may only be one).

there will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0

#9
masss

masss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
when i click on the RunThis.bat it opens for a second and then dissappears.

masss
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

when i click on the RunThis.bat it opens for a second and then dissappears.

i am assuming you were in safe mode?

if so, lets try this:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

andrewuk
  • 0

Advertisements


#11
masss

masss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
here is the combofix log:


ComboFix 08-03-22.1 - Mass 2008-03-22 14:37:25.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1129 [GMT -6:00]
Running from: C:\Users\Mass\Documents\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\SeekmoSA
C:\ProgramData\SeekmoSA\SeekmoSA.dat
C:\ProgramData\SeekmoSA\SeekmoSA_kyf_update.dat
C:\ProgramData\SeekmoSA\SeekmoSAAbout.mht
C:\ProgramData\SeekmoSA\SeekmoSAau.dat
C:\ProgramData\SeekmoSA\SeekmoSAEULA.mht
C:\Users\Mass\AppData\Roaming\Seekmo

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 21:49 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-03-22 19:03 --------- d-----w C:\ProgramData\Symantec
2008-03-22 18:36 691 ----a-w C:\Users\Mass\AppData\Roaming\GetValue.vbs
2008-03-22 18:36 6,458 ----a-w C:\Windows\System32\tmp.reg
2008-03-22 18:36 35 ----a-w C:\Users\Mass\AppData\Roaming\SetValue.bat
2008-03-22 18:11 --------- d-----w C:\Users\Mass\AppData\Roaming\Skype
2008-03-22 16:35 --------- d-----w C:\Users\Mass\AppData\Roaming\skypePM
2008-03-22 06:11 --------- d-----w C:\Program Files\Trend Micro
2008-03-22 03:10 --------- d-----w C:\Users\Mass\AppData\Roaming\Move Networks
2008-03-21 20:06 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-21 20:06 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-21 20:04 --------- d-----w C:\ProgramData\Skype
2008-03-21 20:04 --------- d-----w C:\Program Files\Skype
2008-03-21 20:04 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-21 17:46 --------- d-----w C:\Program Files\Google
2008-03-15 23:16 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-03-12 22:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-12 20:28 27,240 ----a-w C:\Users\Mass\AppData\Roaming\nvModes.dat
2008-03-12 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 20:01 --------- d-----w C:\Program Files\Vernier Software
2008-03-12 20:01 --------- d-----w C:\Program Files\Common Files\Vernier Software
2008-03-12 14:51 --------- d-----w C:\Program Files\Windows Mail
2008-03-09 23:09 --------- d-----w C:\Users\Mass\AppData\Roaming\Uniblue
2008-03-09 23:09 --------- d-----w C:\Program Files\Uniblue
2008-03-03 19:10 81,920 ----a-w C:\Windows\fqspogw.exe
2008-02-14 10:11 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 10:11 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-14 10:06 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 10:06 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 10:06 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 10:06 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 10:06 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 10:06 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-14 10:06 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 10:05 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 10:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 10:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 10:05 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 10:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 10:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 10:05 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 10:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 10:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 10:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 10:05 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 10:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-14 10:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-14 10:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-14 10:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-12 02:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 21:06 --------- d-----w C:\Users\Mass\AppData\Roaming\Printer Info Cache
2008-02-09 21:06 --------- d-----w C:\Users\Mass\AppData\Roaming\Image Zone Express
2008-02-09 20:50 --------- d-----w C:\ProgramData\HP
2008-02-09 19:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-29 19:40 --------- d-----w C:\ProgramData\Microsoft Help
2008-01-29 19:40 --------- d-----w C:\Program Files\Microsoft Works
2008-01-27 00:05 --------- d-----w C:\ProgramData\WildTangent
2008-01-26 23:51 --------- d-----w C:\ProgramData\Roxio
2008-01-26 23:51 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-26 23:44 --------- d-----w C:\Program Files\Roxio
2008-01-26 23:38 --------- d-----w C:\Users\Mass\AppData\Roaming\Roxio
2008-01-26 23:38 --------- d-----w C:\ProgramData\Sonic
2008-01-26 23:29 --------- d-----w C:\Users\Mass\AppData\Roaming\Hewlett-Packard
2008-01-26 23:24 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-01-26 23:23 --------- d-----w C:\Users\Mass\AppData\Roaming\InstallShield
2008-01-26 20:27 39,936 ----a-w C:\Windows\System32\dwmapi.dll
2008-01-26 20:27 2,016,256 ----a-w C:\Windows\System32\milcore.dll
2008-01-26 20:25 132,864 ----a-w C:\Windows\system32\drivers\usbvideo.sys
2008-01-26 20:21 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv6500 Notebook PC_Y5335KV_0U_QCNF7424C98_E445841-003_4A_I30CF_SQuanta_V85.17_F.07_T070809_WV3-0_L409_M1983_J80_7AMD_8F81_91.90_#071025_N10DE054C;14E44311_(RS041AV)_XMOBILE_CN
10_Z_2Rev 1.MRK
2008-01-24 01:52 --------- d-----w C:\Program Files\CONEXANT
2008-01-23 04:28 --------- d-----w C:\Users\Mass\AppData\Roaming\Apple Computer
2008-01-23 04:28 --------- d-----w C:\ProgramData\Apple Computer
2008-01-23 04:28 --------- d-----w C:\Program Files\iTunes
2008-01-23 04:28 --------- d-----w C:\Program Files\iPod
2008-01-23 04:27 --------- d-----w C:\Program Files\QuickTime
2008-01-23 04:27 --------- d-----w C:\Program Files\Bonjour
2008-01-23 04:26 --------- d-----w C:\Program Files\Apple Software Update
2008-01-23 04:25 --------- d-----w C:\ProgramData\Apple
2008-01-23 04:25 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-23 04:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-23 04:13 --------- d-----w C:\Program Files\Windows Live
2008-01-23 04:07 --------- d-----w C:\ProgramData\WLInstaller
2008-01-10 15:32 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 05:50 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-10-29 22:21 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-30 23:00 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 09:32 1232896]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 14:26 484904]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 16:23 1773568]
"Speech Recognition"="C:\Windows\Speech\Common\sapisvr.exe" [2006-11-02 03:45 49664]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-01-15 19:38 2321600]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"dmyht.tmp"="C:\Windows\system32\dmyht.tmp" [ ]
"dmlid.tmp"="C:\Windows\system32\dmlid.tmp" [ ]
"dmljr.tmp"="C:\Windows\system32\dmljr.tmp" [ ]
"dmpju.tmp"="C:\Windows\system32\dmpju.tmp" [ ]
"dmigc.tmp"="C:\Windows\system32\dmigc.tmp" [ ]
"dmnow.tmp"="C:\Windows\system32\dmnow.tmp" [ ]
"dmfbe.tmp"="C:\Windows\system32\dmfbe.tmp" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-04 03:57 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 21:36 827392]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 19:11 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 12:38 159744]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-08 20:57 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-08 20:57 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-08 20:57 81920]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 14:18 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 17:12 317128]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-04 05:36 77824]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" [2007-08-23 14:35 152952]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"dmkmp.exe"="C:\Windows\system32\dmkmp.exe" [2007-11-14 04:02 55808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 13:11:50 719664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1118663F-A665-47D8-A3C4-FF9130B4824C}"= Disabled:UDP:C:\Users\Mass\AppData\Local\Temp\7zS53C0.tmp\setup\HPZnui01.exe:hpznui01.exe
"{94B750F1-38AB-43C2-BF86-26353E73DE81}"= Disabled:TCP:C:\Users\Mass\AppData\Local\Temp\7zS53C0.tmp\setup\HPZnui01.exe:hpznui01.exe
"{44E8E4C6-270F-44BB-AF97-4F222198210B}"= Disabled:UDP:C:\Users\Mass\AppData\Local\Temp\7zS36E7.tmp\setup\HPZnui01.exe:hpznui01.exe
"{F6587D8F-AAFF-47DD-AF13-BD5874EC79E4}"= Disabled:TCP:C:\Users\Mass\AppData\Local\Temp\7zS36E7.tmp\setup\HPZnui01.exe:hpznui01.exe
"{4C8D73F3-01F3-4C0D-A3B7-B6C1583D045C}"= UDP:C:\Users\Mass\AppData\Roaming\Facebook\facebook.exe:Facebook
"{27CA0731-FB67-4ACB-A32B-434489F05016}"= TCP:C:\Users\Mass\AppData\Roaming\Facebook\facebook.exe:Facebook
"{F930CCC5-98C7-45F0-9583-FDF888F8D818}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{648B998F-35B5-4911-B986-B704D83EB562}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{86588C8C-7EAD-424F-AD8A-ECB5F90947FD}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{C3B91B4B-DC3F-41A4-9B7B-87453F689D67}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{77BFFF8D-4E46-4E86-8C99-877530A8DD72}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{315ED18D-46E1-4E96-88D3-0C99055A2FD6}"= Disabled:UDP:C:\Users\Mass\AppData\Local\Temp\7zS3553.tmp\setup\HPZnui01.exe:hpznui01.exe
"{61D411F3-F38A-416C-AB9E-9BDCDEA071E1}"= Disabled:TCP:C:\Users\Mass\AppData\Local\Temp\7zS3553.tmp\setup\HPZnui01.exe:hpznui01.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080314.001\IDSvix86.sys [2008-02-13 10:18]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2006-11-02 03:45]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-04-18 02:51]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-04-18 02:51]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-04-18 02:51]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 17:50]
R3 SymIMMP;SymIMMP;C:\Windows\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-08-13 14:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-01-03 09:43]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-01-12 19:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\Windows\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 03:03:21 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Mass.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-03-20 04:45:12 C:\Windows\Tasks\WebReg Photosmart 2600 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 14:40:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-22 14:41:14
ComboFix-quarantined-files.txt 2008-03-22 20:41:11
.
2008-03-14 09:05:21 --- E O F ---




here is the hijack this scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:33 AM, on 3/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmkmp.exe] C:\Windows\system32\dmkmp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: btrklfr - {2CDD5F85-F046-4A14-ADDA-55C8BC267EBA} - C:\Windows\btrklfr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11666 bytes


masss
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
====STEP 1====

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O4 - HKLM\..\Run: [dmkmp.exe] C:\Windows\system32\dmkmp.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O21 - SSODL: btrklfr - {2CDD5F85-F046-4A14-ADDA-55C8BC267EBA} - C:\Windows\btrklfr.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\Video Add-on\isfmdl.dll
C:\Windows\system32\dmkmp.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Windows\btrklfr.dll
C:\Windows\fqspogw.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmyht.tmp"=-
"dmlid.tmp"=-
"dmljr.tmp"=-
"dmpju.tmp"=-
"dmigc.tmp"=-
"dmnow.tmp"=-
"dmfbe.tmp"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0

#13
masss

masss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
not all of the entries are in the window and i can't find them to tick the boxes, but they're still in the notepad report.
I can only get rid of
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
and
O4 - HKLM\..\Run: [dmkmp.exe] C:\Windows\system32\dmkmp.exe

there are extra ones which do not show up on the notepad report as well

masss

Edited by masss, 22 March 2008 - 06:23 PM.

  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
follow through the instructions as best you can and post the combofix log and hijackthis log when done please
  • 0

#15
masss

masss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
here is combofix

ComboFix 08-03-22.1 - Mass 2008-03-22 18:52:38.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1043 [GMT -6:00]
Running from: C:\Users\Mass\Documents\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Video Add-on\isfmdl.dll
C:\Program Files\Video Add-on\isfmntr.exe
C:\Windows\btrklfr.dll
C:\Windows\fqspogw.exe
C:\Windows\system32\dmkmp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\fqspogw.exe
C:\Windows\system32\dmkmp.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 00:17 --------- d-----w C:\ProgramData\Symantec
2008-03-23 00:14 --------- d-----w C:\Users\Mass\AppData\Roaming\Skype
2008-03-22 21:49 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-03-22 18:36 691 ----a-w C:\Users\Mass\AppData\Roaming\GetValue.vbs
2008-03-22 18:36 6,458 ----a-w C:\Windows\System32\tmp.reg
2008-03-22 18:36 35 ----a-w C:\Users\Mass\AppData\Roaming\SetValue.bat
2008-03-22 16:35 --------- d-----w C:\Users\Mass\AppData\Roaming\skypePM
2008-03-22 06:11 --------- d-----w C:\Program Files\Trend Micro
2008-03-22 03:10 --------- d-----w C:\Users\Mass\AppData\Roaming\Move Networks
2008-03-21 20:06 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-21 20:06 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-21 20:04 --------- d-----w C:\ProgramData\Skype
2008-03-21 20:04 --------- d-----w C:\Program Files\Skype
2008-03-21 20:04 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-21 17:46 --------- d-----w C:\Program Files\Google
2008-03-15 23:16 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-03-12 22:10 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-12 20:28 27,240 ----a-w C:\Users\Mass\AppData\Roaming\nvModes.dat
2008-03-12 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 20:01 --------- d-----w C:\Program Files\Vernier Software
2008-03-12 20:01 --------- d-----w C:\Program Files\Common Files\Vernier Software
2008-03-12 14:51 --------- d-----w C:\Program Files\Windows Mail
2008-03-09 23:09 --------- d-----w C:\Users\Mass\AppData\Roaming\Uniblue
2008-03-09 23:09 --------- d-----w C:\Program Files\Uniblue
2008-02-14 10:11 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 10:11 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-14 10:06 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 10:06 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 10:06 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 10:06 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 10:06 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 10:06 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-14 10:06 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 10:05 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 10:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 10:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 10:05 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 10:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 10:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 10:05 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 10:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 10:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 10:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 10:05 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 10:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-14 10:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-14 10:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-14 10:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-12 02:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 21:06 --------- d-----w C:\Users\Mass\AppData\Roaming\Printer Info Cache
2008-02-09 21:06 --------- d-----w C:\Users\Mass\AppData\Roaming\Image Zone Express
2008-02-09 20:50 --------- d-----w C:\ProgramData\HP
2008-02-09 19:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-29 19:40 --------- d-----w C:\ProgramData\Microsoft Help
2008-01-29 19:40 --------- d-----w C:\Program Files\Microsoft Works
2008-01-27 00:05 --------- d-----w C:\ProgramData\WildTangent
2008-01-26 23:51 --------- d-----w C:\ProgramData\Roxio
2008-01-26 23:51 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-26 23:44 --------- d-----w C:\Program Files\Roxio
2008-01-26 23:38 --------- d-----w C:\Users\Mass\AppData\Roaming\Roxio
2008-01-26 23:38 --------- d-----w C:\ProgramData\Sonic
2008-01-26 23:29 --------- d-----w C:\Users\Mass\AppData\Roaming\Hewlett-Packard
2008-01-26 23:24 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-01-26 23:23 --------- d-----w C:\Users\Mass\AppData\Roaming\InstallShield
2008-01-26 20:27 39,936 ----a-w C:\Windows\System32\dwmapi.dll
2008-01-26 20:27 2,016,256 ----a-w C:\Windows\System32\milcore.dll
2008-01-26 20:25 132,864 ----a-w C:\Windows\system32\drivers\usbvideo.sys
2008-01-26 20:21 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv6500 Notebook PC_Y5335KV_0U_QCNF7424C98_E445841-003_4A_I30CF_SQuanta_V85.17_F.07_T070809_WV3-0_L409_M1983_J80_7AMD_8F81_91.90_#071025_N10DE054C;14E44311_(RS041AV)_XMOBILE_CN
10_Z_2Rev 1.MRK
2008-01-24 01:52 --------- d-----w C:\Program Files\CONEXANT
2008-01-23 04:28 --------- d-----w C:\Users\Mass\AppData\Roaming\Apple Computer
2008-01-23 04:28 --------- d-----w C:\ProgramData\Apple Computer
2008-01-23 04:28 --------- d-----w C:\Program Files\iTunes
2008-01-23 04:28 --------- d-----w C:\Program Files\iPod
2008-01-23 04:27 --------- d-----w C:\Program Files\QuickTime
2008-01-23 04:27 --------- d-----w C:\Program Files\Bonjour
2008-01-23 04:26 --------- d-----w C:\Program Files\Apple Software Update
2008-01-23 04:25 --------- d-----w C:\ProgramData\Apple
2008-01-23 04:25 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-23 04:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-23 04:13 --------- d-----w C:\Program Files\Windows Live
2008-01-23 04:07 --------- d-----w C:\ProgramData\WLInstaller
2008-01-10 15:32 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 05:50 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-10-29 22:21 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( [email protected]_14.40.59.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-22 20:12:52 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-03-23 00:02:06 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-03-22 20:30:52 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-22 20:12:58 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-22 20:30:52 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-22 20:12:58 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-22 20:30:52 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-22 20:12:58 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-22 20:18:13 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-03-23 00:04:32 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-03-22 20:18:13 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-03-23 00:04:32 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-03-22 16:35:36 339,698 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-03-23 00:02:14 340,480 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-30 23:00 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 09:32 1232896]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 14:26 484904]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 16:23 1773568]
"Speech Recognition"="C:\Windows\Speech\Common\sapisvr.exe" [2006-11-02 03:45 49664]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-01-15 19:38 2321600]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-04 03:57 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 21:36 827392]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 19:11 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 12:38 159744]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-08 20:57 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-08 20:57 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-08 20:57 81920]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 14:18 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 17:12 317128]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-04 05:36 77824]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" [2007-08-23 14:35 152952]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"dmkmp.exe"="C:\Windows\system32\dmkmp.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 13:11:50 719664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1118663F-A665-47D8-A3C4-FF9130B4824C}"= Disabled:UDP:C:\Users\Mass\AppData\Local\Temp\7zS53C0.tmp\setup\HPZnui01.exe:hpznui01.exe
"{94B750F1-38AB-43C2-BF86-26353E73DE81}"= Disabled:TCP:C:\Users\Mass\AppData\Local\Temp\7zS53C0.tmp\setup\HPZnui01.exe:hpznui01.exe
"{44E8E4C6-270F-44BB-AF97-4F222198210B}"= Disabled:UDP:C:\Users\Mass\AppData\Local\Temp\7zS36E7.tmp\setup\HPZnui01.exe:hpznui01.exe
"{F6587D8F-AAFF-47DD-AF13-BD5874EC79E4}"= Disabled:TCP:C:\Users\Mass\AppData\Local\Temp\7zS36E7.tmp\setup\HPZnui01.exe:hpznui01.exe
"{4C8D73F3-01F3-4C0D-A3B7-B6C1583D045C}"= UDP:C:\Users\Mass\AppData\Roaming\Facebook\facebook.exe:Facebook
"{27CA0731-FB67-4ACB-A32B-434489F05016}"= TCP:C:\Users\Mass\AppData\Roaming\Facebook\facebook.exe:Facebook
"{F930CCC5-98C7-45F0-9583-FDF888F8D818}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{648B998F-35B5-4911-B986-B704D83EB562}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{86588C8C-7EAD-424F-AD8A-ECB5F90947FD}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{C3B91B4B-DC3F-41A4-9B7B-87453F689D67}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{77BFFF8D-4E46-4E86-8C99-877530A8DD72}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{315ED18D-46E1-4E96-88D3-0C99055A2FD6}"= Disabled:UDP:C:\Users\Mass\AppData\Local\Temp\7zS3553.tmp\setup\HPZnui01.exe:hpznui01.exe
"{61D411F3-F38A-416C-AB9E-9BDCDEA071E1}"= Disabled:TCP:C:\Users\Mass\AppData\Local\Temp\7zS3553.tmp\setup\HPZnui01.exe:hpznui01.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080314.001\IDSvix86.sys [2008-02-13 10:18]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2006-11-02 03:45]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-04-18 02:51]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-04-18 02:51]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-04-18 02:51]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 17:50]
R3 SymIMMP;SymIMMP;C:\Windows\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-08-13 14:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-01-03 09:43]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-01-12 19:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\Windows\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 03:03:21 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Mass.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-03-20 04:45:12 C:\Windows\Tasks\WebReg Photosmart 2600 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 18:54:12
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-22 18:54:56
ComboFix-quarantined-files.txt 2008-03-23 00:54:53
ComboFix2.txt 2008-03-22 20:41:15
.
2008-03-14 09:05:21 --- E O F ---



here is hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:33 AM, on 3/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmkmp.exe] C:\Windows\system32\dmkmp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFA67A6-D31E-4EF2-BCD6-687370BBA240}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDFA8022-A9AD-4782-B31A-6A692463E5FD}: NameServer = 85.255.113.125,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.159
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: btrklfr - {2CDD5F85-F046-4A14-ADDA-55C8BC267EBA} - C:\Windows\btrklfr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11666 bytes
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP