Virus/redirects/random audio ads

steve865 · 04-19-2011, 05:04 PM

I got the Windows Recovery virus a few days ago, and have tried getting rid of the problem through several different avenues. While it seems like the virus is gone there are several things still occurring that lead me to believe otherwise.

-random redirects on google
-internet explorer script errors (i use firefox and don't even have IE on my computer, to my knowledge)
-audio ads and infomercials when no programs are running

Here are my logs:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Admin at 16:40:57.37 on Tue 04/19/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1428 [GMT -5:00]
.
AV: avast! antivirus 4.8.1335 [VPS 090816-0] *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin\My Documents\Downloads\iExplore.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\RarSFX8\nird\iexplore.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\RarSFX10\nird\iexplore.exe
C:\Documents and Settings\Admin\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241718727240
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15106/CTPID.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\tfrluuc1.default\
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tfrluuc1.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\tfrluuc1.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-18 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-6-18 142592]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-18 20560]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-18 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-18 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-18 352920]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-04-19 15:41:20 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{986ee33c-ffe8-41a2-934a-2477d818bb9b}\mpengine.dll
2011-04-18 19:23:21 -------- d-----w- c:\windows\system32\appmgmt
2011-04-15 00:21:14 -------- d-----w- c:\docume~1\admin\applic~1\Uniblue
2011-04-14 18:38:14 -------- d-----w- c:\program files\Uniblue
2011-04-14 18:38:06 -------- d-----w- c:\program files\SIW
2011-04-14 18:38:06 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\OpenCandy
2011-04-14 18:38:06 -------- d-----w- c:\docume~1\admin\applic~1\OpenCandy
2011-04-14 17:48:54 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\SCE
2011-04-14 17:48:54 -------- d-----w- c:\docume~1\admin\applic~1\Sony Online Entertainment
2011-04-14 16:56:15 -------- d-----w- c:\program files\Sony Online Entertainment
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 16:41:04.39 ===============

Attachddslog.zip

ark.zip

Thank you for your time

RPMcMurphy · 04-20-2011, 06:31 AM

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:
ComboFix log

steve865 · 04-20-2011, 03:56 PM

Hey RPMcMurphy,

Thank you for your prompt reply, here is the requested log:

ComboFix 11-04-20.01 - Admin 04/20/2011 17:46:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1652 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090816-0] *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-19 15:41 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{986EE33C-FFE8-41A2-934A-2477D818BB9B}\mpengine.dll
2011-04-15 00:21 . 2011-04-15 00:21 -------- d-----w- c:\documents and settings\Admin\Application Data\Uniblue
2011-04-14 18:38 . 2011-04-14 18:38 -------- d-----w- c:\program files\Uniblue
2011-04-14 18:38 . 2011-04-15 00:20 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\OpenCandy
2011-04-14 18:38 . 2011-04-14 18:38 -------- d-----w- c:\program files\SIW
2011-04-14 18:38 . 2011-04-14 18:38 -------- d-----w- c:\documents and settings\Admin\Application Data\OpenCandy
2011-04-14 17:48 . 2011-04-14 17:49 -------- d-----w- c:\documents and settings\Admin\Application Data\Sony Online Entertainment
2011-04-14 17:48 . 2011-04-14 17:48 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\SCE
2011-04-14 16:56 . 2011-04-14 16:56 -------- d-----w- c:\program files\Sony Online Entertainment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2009-06-18 20:30 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2009-05-08 04:35 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2009-05-08 16:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2001-08-23 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2001-08-23 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-23 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-04 05:59 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-05-07 20:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2001-08-23 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 07:56 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2001-08-23 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 23:11 . 2009-10-02 17:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2009-05-08 04:34 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-05-08 04:34 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2001-08-23 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-06-18 3055616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-07-08 2173440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Documents and Settings\\Admin\\My Documents\\Downloads\\MediaPlayer_Setup.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\mustang95\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\steve8_65\\team fortress 2\\hl2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1063:TCP"= 1063:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/18/2009 3:46 PM 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [6/18/2009 4:04 PM 142592]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 7:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/18/2009 3:46 PM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\tfrluuc1.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-20 17:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-04-20 17:51:42
ComboFix-quarantined-files.txt 2011-04-20 22:51
.
Pre-Run: 205,488,717,824 bytes free
Post-Run: 206,805,397,504 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 61DFD598ED1DD3F9ECDC31CABFD6D338

Hopefully that's the right thing, if not let me know and I'll try to get it for you ASAP. I appreciate your help and hopefully we can get this cleared up without to much trouble. Thanks again.

RPMcMurphy · 04-20-2011, 06:05 PM

steve865:

That's looking much better! How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java(TM) 6 Update 20 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
- Trace and Log Files
Click OK on Delete Temporary Files Window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Uncheck any entries from C:\System Volume Information or C:\Qoobox
Make sure that everything else is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please run ESET Online Scanner

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes copy and paste the results into your next reply.

Please include the following in your next post:
How is the computer running?

MBAM log

ESET log

steve865 · 04-20-2011, 08:21 PM

The computer seems to be running fine, no redirects, haven't noticed any random audio, and the script errors have gone away. There is however still an icon for windows recovery (the initial virus) still on my desktop. I'm assuming that I should just delete it, but didn't want to without your direction. MBAM didn't detect anything. Here are the logs:

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 6410

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/20/2011 8:52:55 PM
mbam-log-2011-04-20 (20-52-55).txt

Scan type: Quick scan
Objects scanned: 160702
Time elapsed: 1 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET results, providing an attachment that looks nicer:

C:\Documents and Settings\Admin\Application Data\OpenCandy\OpenCandy_51C168D771A14F88B17AEB096922308E\registrybooster(4).exe a variant of Win32/RegistryBooster application
C:\Documents and Settings\Admin\My Documents\Downloads\MediaPlayer_Setup.exe a variant of Win32/SweetIM.A application
C:\Program Files\Uniblue\RegistryBooster\Launcher.exe a variant of Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{F23C4C52-44BF-4556-AB86-6F32C354E4B5}\RP713\A0045677.exe a variant of Win32/RegistryBooster application
C:\System Volume Information\_restore{F23C4C52-44BF-4556-AB86-6F32C354E4B5}\RP720\A0048510.sys Win32/Olmasco.E trojan

Hopefully that was the right way to do it.

RPMcMurphy · 04-21-2011, 07:26 PM

steve865:

Those ESET detections aren't terribly concerning. We don't recommend using registry cleaners as the potential risks far outweigh any benefit, but I'll leave that up to you. Your logs look good otherwise, now I have some very important cleanup for you to take care of:

Uninstall ComboFix

Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

DDS
GMER

Download TFC to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

Restart any anti-malware programs that we disabled while we were cleaning your machine.
Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

steve865 · 04-21-2011, 08:28 PM

Hopefully this is the last time I need to post in this section of the forum. All steps have been completed and the system is running much better. Thank you so much for everything, RPMcMurphy.

RPMcMurphy · 04-22-2011, 06:37 AM

You're welcome, steve865. Take care.