Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

have google redirect virus ... I think ... very frustrated [Solved]

Started by FrustratedMel , Nov 30 2009 01:27 PM

  • This topic is locked This topic is locked

#1
FrustratedMel
Posted 30 November 2009 - 01:27 PM

FrustratedMel

    New Member

  • Member
  • Pip
  • 7 posts
I can't do any google searches with Mozilla or IE, I get redirected to random pages ... can't even hit back, that doesn't help.

I have run malwarebytes, a few times .... sometimes it finds something & removes it but it still happens.
I have also run Superantispyware, spybot, adaware & have avast .... nothing is removing it.

I have a hijack log which I ran before doing combofix (which I prob shouldn't have done)... I also have that log. If I need an after combofix hijack log I can get one.

I tried Sdfix but computer will NOT go into safe mode.

Sorry so long.

Thanks.

Hijack log (before combofix was run)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:21 AM, on 11/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6436
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [umecw] C:/Documents and Settings/Owner/My Documents//pdytvfq.exe
O4 - HKCU\..\Run: [vdylm] C:/Documents and Settings/Owner/My Documents//cygfnbk.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8381 bytes

combofix log ... (it says I don't have recovery console but I do)

ComboFix 09-11-29.06 - Owner 11/30/2009 12:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.177 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091130-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3455969258-1571112435-3215755716-1003
c:\windows\MailSwitch.ocx
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\qzkjdieh.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\muzapp.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OEEGGJEL
-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 08:32 . 2009-11-30 08:32 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-30 08:31 . 2009-11-30 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-30 08:31 . 2009-11-30 08:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 08:31 . 2009-11-30 08:31 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-30 08:30 . 2009-11-30 08:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-30 07:04 . 2008-11-06 08:03 -------- d-----w- C:\SDFix
2009-11-30 06:13 . 2009-11-30 04:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-30 04:09 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-30 04:09 . 2009-11-30 04:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-30 04:09 . 2009-11-30 04:09 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-30 04:05 . 2009-11-30 04:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-30 04:05 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-27 15:50 . 2009-11-27 15:50 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL
2009-11-27 15:50 . 2009-11-27 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SP
2009-11-27 03:04 . 2009-11-27 03:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-11-01 03:53 . 2004-11-13 01:27 598288 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\oleaut32.dll
2009-11-01 03:53 . 2004-11-13 01:27 4608 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\W95INF32.DLL
2009-11-01 03:53 . 2004-11-13 01:27 2272 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\W95INF16.DLL
2009-11-01 03:53 . 2004-11-13 01:27 164112 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\olepro32.dll
2009-11-01 03:53 . 2006-07-14 00:57 382976 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\mVBExec.dll
2009-11-01 03:53 . 2004-11-13 01:27 74960 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\ADVPACK.DLL
2009-11-01 03:53 . 2004-11-13 01:27 22288 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\comcat.dll
2009-11-01 03:53 . 2004-11-13 01:27 147728 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\asycfilt.dll
2009-11-01 03:53 . 2004-11-13 01:27 1386496 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\msvbvm60.dll
2009-11-01 03:53 . 2009-11-01 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 04:09 . 2009-11-30 04:08 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-30 04:04 . 2008-08-06 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-30 04:04 . 2006-11-28 21:33 -------- d-----w- c:\program files\Lavasoft
2009-11-27 15:40 . 2008-11-18 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 15:20 . 2009-03-27 20:50 4045527 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-27 08:51 . 2006-11-28 21:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 08:27 . 2008-07-06 04:55 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-27 08:12 . 2009-10-20 19:26 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-10-22 23:04 . 2009-11-01 03:52 3579904 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\59F37AFC\8917324D\BMP.exe
2009-10-20 19:22 . 2009-10-20 19:22 -------- d-----w- c:\program files\VideoLAN
2009-10-02 02:42 . 2006-04-22 14:40 -------- d-----w- c:\program files\Google
2009-09-27 00:36 . 2009-11-19 20:33 162616 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-09-16 03:59 . 2009-11-01 03:52 1411584 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\3D2919A7\32F7A4D1\AdjMmsEng.dll
2009-09-10 20:54 . 2008-11-18 01:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2008-11-18 01:35 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-11-27 15:50 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WinPodder.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\WinPodder.lnk
backup=c:\windows\pss\WinPodder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"btwdins"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Schedule"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9561:TCP"= 9561:TCP:spport
"16253:TCP"= 16253:TCP:spport
"23163:TCP"= 23163:TCP:spport
"14920:TCP"= 14920:TCP:spport
"25712:TCP"= 25712:TCP:spport
"8354:TCP"= 8354:TCP:spport
"18519:TCP"= 18519:TCP:spport
"29807:TCP"= 29807:TCP:spport
"22871:TCP"= 22871:TCP:spport
"23958:TCP"= 23958:TCP:spport

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/29/2009 10:09 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 7:20 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 7:20 PM 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [4/22/2006 8:34 AM 200576]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S2 oeeggjel;oeeggjel;\??\c:\windows\system32\drivers\qzkjdieh.sys --> c:\windows\system32\drivers\qzkjdieh.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
netsvc REG_MULTI_SZ SPService
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 04:08]

2007-03-31 c:\windows\Tasks\FRU Task 2002-12-04 03:40ewlett-Packard2002-12-04 03:40p officejet 6100 series324C9EBEBB389A3CB37E16C7992E8342068F8B15165535326.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-04 01:40]

2006-06-05 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6436
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djg6g9lj.default\
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-umecw - C:/Documents and Settings/Owner/My Documents//pdytvfq.exe
HKCU-Run-vdylm - C:/Documents and Settings/Owner/My Documents//cygfnbk.exe
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Broadcom 802.11b Network Adapter - c:\windows\system32\BCMWLU00.exe verbose
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 12:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84526369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e2fc3
\Driver\ACPI -> ACPI.sys @ 0xf74f5cb8
\Driver\atapi -> atapi.sys @ 0xf74777b4
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80576ec4
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80576ec4
NDIS: Broadcom 802.11g Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf732bba0
PacketIndicateHandler -> NDIS.sys @ 0xf7338b21
SendHandler -> NDIS.sys @ 0xf731687b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1972)
c:\documents and settings\all users\application data\sp\sp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-30 13:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 19:06

Pre-Run: 19,749,818,368 bytes free
Post-Run: 19,736,072,192 bytes free

- - End Of File - - 5AF345E5264622482C530B1BBDDADDD9
  • 0

Advertisements

#2
Essexboy
Posted 30 November 2009 - 02:10 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there we no longer use Hijackthis as it does not provide sufficient data

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post



THEN

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

  • 0

#3
FrustratedMel
Posted 30 November 2009 - 02:40 PM

FrustratedMel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
scans

Attached File  OTS.Txt   148.88KB   166 downloads

Attached File  rootrepeal.txt   4.77KB   153 downloads

Edited by FrustratedMel, 30 November 2009 - 02:41 PM.

  • 0

#4
Essexboy
Posted 30 November 2009 - 03:08 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK a few elements to kill there - could you let me know if you still get redirects after this

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YY -> (SPService) SPService [Auto | Running] -> C:\Documents and Settings\All Users\Application Data\SP\sp.DLL
[Driver Services - Safe List]
YY -> (catchme) catchme [Kernel | On_Demand | Running] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: SearchURL\\"provider" -> gogl
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: SearchURL\\"provider" -> gogl
[Files/Folders - Created Within 30 Days]
NY ->  SP -> C:\Documents and Settings\All Users\Application Data\SP
[Files/Folders - Modified Within 30 Days]
NY ->  3jp80efj.exe -> C:\Documents and Settings\Owner\Desktop\3jp80efj.exe
[Custom Items]
:files
C:\DOCUME~1\Owner\LOCALS~1\Temp\kgnoakob.sys
:end
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#5
FrustratedMel
Posted 30 November 2009 - 03:34 PM

FrustratedMel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
OTS fix log

Attached File  OTSclean.txt   4.69KB   99 downloads


It is still redirecting me & giving me the extra tabs too.

New OTS log .... I put in the same settings you gave above for the first scan.

Attached File  OTS.Txt2.txt   147.92KB   140 downloads
  • 0

#6
Essexboy
Posted 30 November 2009 - 04:34 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK there are two files that I would like to check out

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under custom scans copy and paste the following
    • /md5start
      ACPI.sys
      CLASSPNP.SYS
      /md5stop
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
  • 0

#7
FrustratedMel
Posted 30 November 2009 - 04:52 PM

FrustratedMel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
latest scan

Attached File  OTS.Txt_new.txt   120.27KB   147 downloads
  • 0

#8
Essexboy
Posted 30 November 2009 - 04:56 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Well those are clean

Please run Combofix again and allow it to update - I will need to look at the MBR section afresh
  • 0

#9
FrustratedMel
Posted 30 November 2009 - 05:39 PM

FrustratedMel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Even though I have recovery/restore I went ahead & let it install it & it said it detected a rootkit & needed to reboot ... then it scanned, here's the new log.

New log

Attached File  log_new.txt   16.15KB   182 downloads


EDIT: ...
It SEEMS to be working now ... no redirects yet.

Thanks so much ... you're awesome.

ComboFix 09-11-30.02 - Owner 11/30/2009 17:11.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.51 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091130-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 21:13 . 2009-11-30 21:13 -------- d-----w- C:\_OTS
2009-11-30 08:32 . 2009-11-30 08:32 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-30 08:31 . 2009-11-30 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-30 08:31 . 2009-11-30 08:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 08:31 . 2009-11-30 08:31 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-30 08:30 . 2009-11-30 08:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-30 07:04 . 2008-11-06 08:03 -------- d-----w- C:\SDFix
2009-11-30 06:13 . 2009-11-30 04:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-30 04:09 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-30 04:09 . 2009-11-30 04:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-30 04:09 . 2009-11-30 04:09 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-30 04:05 . 2009-11-30 04:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-30 04:05 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-27 03:04 . 2009-11-27 03:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-11-01 03:53 . 2004-11-13 01:27 598288 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\oleaut32.dll
2009-11-01 03:53 . 2004-11-13 01:27 4608 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\W95INF32.DLL
2009-11-01 03:53 . 2004-11-13 01:27 2272 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\W95INF16.DLL
2009-11-01 03:53 . 2004-11-13 01:27 164112 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\olepro32.dll
2009-11-01 03:53 . 2006-07-14 00:57 382976 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\mVBExec.dll
2009-11-01 03:53 . 2004-11-13 01:27 74960 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\ADVPACK.DLL
2009-11-01 03:53 . 2004-11-13 01:27 22288 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\comcat.dll
2009-11-01 03:53 . 2004-11-13 01:27 147728 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\asycfilt.dll
2009-11-01 03:53 . 2004-11-13 01:27 1386496 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\WinRun6-SP6\mVB.dll\msvbvm60.dll
2009-11-01 03:53 . 2009-11-01 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 04:09 . 2009-11-30 04:08 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-30 04:04 . 2008-08-06 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-30 04:04 . 2006-11-28 21:33 -------- d-----w- c:\program files\Lavasoft
2009-11-27 15:40 . 2008-11-18 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 15:20 . 2009-03-27 20:50 4045527 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-27 08:51 . 2006-11-28 21:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 08:27 . 2008-07-06 04:55 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-27 08:12 . 2009-10-20 19:26 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-10-22 23:04 . 2009-11-01 03:52 3579904 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\59F37AFC\8917324D\BMP.exe
2009-10-20 19:22 . 2009-10-20 19:22 -------- d-----w- c:\program files\VideoLAN
2009-10-02 02:42 . 2006-04-22 14:40 -------- d-----w- c:\program files\Google
2009-09-27 00:36 . 2009-11-19 20:33 162616 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-09-16 03:59 . 2009-11-01 03:52 1411584 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\3D2919A7\32F7A4D1\AdjMmsEng.dll
2009-09-10 20:54 . 2008-11-18 01:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2008-11-18 01:35 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-30_18.51.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 23:08 . 2009-11-30 23:08 16384 c:\windows\Temp\Perflib_Perfdata_160.dat
+ 2004-08-26 18:07 . 2009-11-30 21:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-26 18:07 . 2009-11-30 18:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-26 18:07 . 2009-11-30 21:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-26 18:07 . 2009-11-30 18:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WinPodder.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\WinPodder.lnk
backup=c:\windows\pss\WinPodder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"btwdins"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Schedule"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9561:TCP"= 9561:TCP:spport
"16253:TCP"= 16253:TCP:spport
"23163:TCP"= 23163:TCP:spport
"14920:TCP"= 14920:TCP:spport
"25712:TCP"= 25712:TCP:spport
"8354:TCP"= 8354:TCP:spport
"18519:TCP"= 18519:TCP:spport
"29807:TCP"= 29807:TCP:spport
"22871:TCP"= 22871:TCP:spport
"23958:TCP"= 23958:TCP:spport

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/29/2009 10:09 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 7:20 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 7:20 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [4/22/2006 8:34 AM 200576]
S2 oeeggjel;oeeggjel;\??\c:\windows\system32\drivers\qzkjdieh.sys --> c:\windows\system32\drivers\qzkjdieh.sys [?]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [8/26/2004 10:12 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
netsvc REG_MULTI_SZ SPService K
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 04:08]

2007-03-31 c:\windows\Tasks\FRU Task 2002-12-04 03:40ewlett-Packard2002-12-04 03:40p officejet 6100 series324C9EBEBB389A3CB37E16C7992E8342068F8B15165535326.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-04 01:40]

2006-06-05 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6436
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djg6g9lj.default\
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - c:\documents and settings\all users\application data\sp\sp.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-11-30 17:33
ComboFix-quarantined-files.txt 2009-11-30 23:32
ComboFix2.txt 2009-11-30 19:06

Pre-Run: 19,718,729,728 bytes free
Post-Run: 19,700,568,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - FB7E9E9C5222C9E5386FF655729BBB19

Edited by Essexboy, 01 December 2009 - 12:21 PM.

  • 0

#10
Essexboy
Posted 01 December 2009 - 12:23 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks good now - it killed the infector file that time :)

One final sweep for orphans and if all is good I will remove my tools and let you go

Posted Image Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#11
FrustratedMel
Posted 01 December 2009 - 01:45 PM

FrustratedMel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks.

Log
Attached File  mbam_log_2009_12_01__13_42_03_.txt   834bytes   163 downloads
  • 0

#12
Essexboy
Posted 01 December 2009 - 01:53 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Now that was pretty :)

Subject to no further problems

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so..Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and the display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done


SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0

#13
FrustratedMel
Posted 01 December 2009 - 04:40 PM

FrustratedMel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you so much, you're awesome.
  • 0

#14
Essexboy
Posted 01 December 2009 - 05:18 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP