Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

Web pages keep getting redirected

This is a discussion on Web pages keep getting redirected within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hi, I am contantly having all my searches redirected to random web pages. I have scanned my computed with AVG,


 
 
Thread Tools Search this Thread
Old 04-11-2009, 12:53 PM   #1
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



Hi, I am contantly having all my searches redirected to random web pages. I have scanned my computed with AVG, and it has not found anything. Nothing much else is going on but I don't want this to get any worse. I did have Vuse recently downloaded to my computer, but after reading your guide I have removed it. Please help

Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.139 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\CorrinaDeschambeault\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = sympatico.msn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [msnmsgr] "c:\progra~1\window~3\messen~1\msnmsgr.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [DMXLauncher] "c:\program files\dell\media experience\DMXLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\corrin~1\startm~1\programs\startup\textbr~1.lnk - c:\program files\textbridge classic\bin\TBMenu.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: muyhje.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-10 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-7 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-10 298264]
S0 MFX;MFX; [x]
S2 A4SII300;A4SII300;c:\windows\system32\drivers\a4sii300.sys [2007-5-22 25632]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-4-10 62794]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2006-11-20 506112]

=============== Created Last 30 ================

2009-04-10 22:50 <DIR> -cd-h--- C:\$AVG8.VAULT$
2009-04-10 22:25 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-10 22:25 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-10 22:25 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-10 22:25 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-10 22:25 <DIR> --d----- c:\docume~1\corrin~1\applic~1\AVGTOOLBAR
2009-04-10 22:25 <DIR> --d----- c:\program files\AVG
2009-04-10 22:25 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-05 22:08 <DIR> --d----- c:\program files\Shaw Secure
2009-04-05 22:08 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\fssg
2009-04-05 22:07 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\f-secure
2009-03-12 15:53 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-03-12 14:34 217,127 a------- c:\windows\system32\drv43260.dll
2009-03-12 14:34 208,935 a------- c:\windows\system32\drv33260.dll
2009-03-12 14:34 176,165 a------- c:\windows\system32\drv23260.dll
2009-03-12 14:34 102,439 a------- c:\windows\system32\sipr3260.dll
2009-03-12 14:34 65,602 a------- c:\windows\system32\cook3260.dll
2009-03-12 14:34 <DIR> --d----- c:\program files\VSO

==================== Find3M ====================

2009-03-14 22:27 47,360 ac------ c:\docume~1\corrin~1\applic~1\pcouffin.sys
2009-03-14 22:27 87,608 a------- c:\docume~1\corrin~1\applic~1\inst.exe
2009-03-14 22:21 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-02-23 14:57 304,160 ac------ C:\PA207.DAT
2009-02-16 01:32 5,018 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2007-03-04 21:18 247 ac------ c:\program files\setuplog.txt
2007-02-04 22:42 0 -c--h--- c:\program files\AppUpdate.log
2007-02-04 22:35 81,920 ac------ c:\docume~1\corrin~1\applic~1\ezpinst.exe
2008-11-27 11:52 88 -c-shr-- c:\windows\system32\0C60A0F454.sys
2008-09-12 16:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat
2008-09-12 16:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 12:18:36.40 ===============
Attached Files
File Type: zip DDS2.zip (7.2 KB, 8 views)

__________________
corrina187 is offline  
Old 04-13-2009, 06:03 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I need to see a gmer log in order to help you. Let's try this special version of gmer.

Download GMER Rootkit Scanner from here and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-14-2009, 07:18 AM   #3
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



Hi, I just realized I did it wrong the first time. It took a while to scan with not much results, but if you can understand it then I guess it worked.
Attached Files
File Type: zip Gmer.zip (479 Bytes, 5 views)
__________________
corrina187 is offline  
Old 04-14-2009, 08:55 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



Hello corrina187.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-15-2009, 07:35 PM   #5
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



ok here it is: ComboFix 09-04-15.08 - CorrinaDeschambeault 15/04/2009 19:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.221 [GMT -6:00]
Running from: c:\documents and settings\CorrinaDeschambeault\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 01:24 . 2009-04-16 01:24 -------- d-----w c:\windows\LastGood
2009-04-14 03:12 . 2009-04-14 03:19 -------- d-----w c:\documents and settings\Dennis ****\Application Data\AVGTOOLBAR
2009-04-13 16:47 . 2009-04-13 19:16 -------- d-----w c:\documents and settings\Autumn\Application Data\AVGTOOLBAR
2009-04-11 04:50 . 2009-04-15 04:12 -------- dc-h--w C:\$AVG8.VAULT$
2009-04-11 04:25 . 2009-04-11 04:25 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-11 04:25 . 2009-04-11 04:25 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-11 04:25 . 2009-04-11 04:25 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-11 04:25 . 2009-04-16 01:25 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-11 04:25 . 2009-04-11 04:43 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\AVGTOOLBAR
2009-04-11 04:25 . 2009-04-16 01:45 -------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-04-06 04:11 . 2009-04-06 04:11 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2009-04-06 04:08 . 2009-04-06 04:08 -------- dc----w c:\documents and settings\All Users\Application Data\fssg
2009-04-06 04:07 . 2009-04-11 02:34 -------- dc----w c:\documents and settings\All Users\Application Data\f-secure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 03:19 . 2007-05-16 00:04 268 -c-ha-w C:\sqmdata19.sqm
2009-04-14 03:19 . 2007-05-16 00:04 244 -c-ha-w C:\sqmnoopt19.sqm
2009-04-14 03:11 . 2007-05-15 13:30 268 -c-ha-w C:\sqmdata18.sqm
2009-04-14 03:11 . 2007-05-15 13:30 244 -c-ha-w C:\sqmnoopt18.sqm
2009-04-12 14:41 . 2009-03-11 00:57 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\Azureus
2009-04-11 04:25 . 2007-03-07 22:44 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-04-11 04:25 . 2009-04-11 04:25 -------- d-----w c:\program files\AVG
2009-04-11 02:34 . 2009-04-06 04:08 -------- d-----w c:\program files\Shaw Secure
2009-04-08 03:30 . 2008-12-02 01:24 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\LimeWire
2009-03-28 16:28 . 2008-12-02 01:24 -------- d-----w c:\program files\LimeWire
2009-03-15 04:27 . 2009-03-12 20:34 -------- d-----w c:\program files\VSO
2009-03-15 04:27 . 2006-12-21 07:50 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\Vso
2009-03-15 04:27 . 2006-12-21 07:50 47360 -c--a-w c:\documents and settings\CorrinaDeschambeault\Application Data\pcouffin.sys
2009-03-15 04:21 . 2006-12-21 07:50 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-12 22:56 . 2009-03-12 22:56 -------- dc----w c:\documents and settings\All Users\Application Data\SlySoft
2009-03-12 21:53 . 2009-03-12 21:53 -------- dc----w c:\documents and settings\All Users\Application Data\vsosdk
2009-03-12 16:23 . 2009-03-12 16:18 -------- d-----w c:\program files\Elaborate Bytes
2009-03-11 19:52 . 2008-12-21 04:39 -------- d-----w c:\program files\DivX
2009-03-11 19:39 . 2006-08-18 17:12 -------- d-----w c:\program files\Google
2009-03-11 19:09 . 2009-03-11 19:09 -------- d-----w c:\program files\Common Files\supportsoft
2009-03-11 19:08 . 2008-12-22 00:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-11 18:40 . 2006-08-25 17:27 -------- d-----w c:\program files\Common Files\Command Software
2009-03-11 18:06 . 2008-05-26 19:30 -------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2009-03-11 18:06 . 2008-05-26 19:29 -------- d-----w c:\program files\Dell Support Center
2009-03-11 00:57 . 2009-03-11 00:57 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-01 18:04 . 2006-08-18 17:07 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 17:58 . 2009-03-01 17:57 -------- d-----w c:\program files\Philips
2009-03-01 17:56 . 2009-03-01 17:56 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\InstallShield
2009-03-01 01:57 . 2007-05-14 17:10 268 -c-ha-w C:\sqmdata17.sqm
2009-03-01 01:57 . 2007-05-14 17:10 244 -c-ha-w C:\sqmnoopt17.sqm
2009-02-23 20:57 . 2009-02-23 20:57 304160 -c--a-w C:\PA207.DAT
2009-02-16 07:32 . 2006-09-08 14:53 56 -csh--r c:\windows\system32\54F4A0600C.sys
2009-02-16 07:32 . 2006-08-25 15:45 5018 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-02-16 07:32 . 2006-08-25 15:45 5018 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-02-16 07:26 . 2006-08-25 16:40 -------- d-----w c:\program files\TELUS eCare
2009-02-11 01:13 . 2006-08-28 21:20 113032 -c--a-w c:\documents and settings\Dennis ****\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 15:33 . 2007-05-14 14:00 268 -c-ha-w C:\sqmdata16.sqm
2009-02-09 15:33 . 2007-05-14 14:00 244 -c-ha-w C:\sqmnoopt16.sqm
2009-02-09 11:13 . 2008-11-27 20:07 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-27 15:33 . 2007-05-14 13:56 268 -c-ha-w C:\sqmdata15.sqm
2009-01-27 15:33 . 2007-05-14 13:56 244 -c-ha-w C:\sqmnoopt15.sqm
2009-01-26 14:39 . 2007-05-13 02:21 268 -c-ha-w C:\sqmdata14.sqm
2009-01-26 14:39 . 2007-05-13 02:21 244 -c-ha-w C:\sqmnoopt14.sqm
2009-01-17 04:35 . 2007-10-30 23:42 3594752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-13 18:51 . 2006-08-25 15:05 113032 -c--a-w c:\documents and settings\CorrinaDeschambeault\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-07-31 00:21 . 2008-03-13 01:39 98096 -c--a-w c:\documents and settings\Autumn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-03-13 01:39 . 2008-03-13 01:39 129 -c--a-w c:\documents and settings\Autumn\Local Settings\Application Data\fusioncache.dat
2007-03-05 03:18 . 2007-03-05 03:18 247 -c--a-w c:\program files\setuplog.txt
2007-02-05 04:42 . 2007-02-05 04:42 0 -c-h--w c:\program files\AppUpdate.log
2007-02-05 04:35 . 2006-12-21 07:50 81920 -c--a-w c:\documents and settings\CorrinaDeschambeault\Application Data\ezpinst.exe
2006-09-03 16:36 . 2006-09-03 16:36 135 -c--a-w c:\documents and settings\Dennis ****\Local Settings\Application Data\fusioncache.dat
2006-08-25 15:05 . 2006-08-25 15:05 143 -c--a-w c:\documents and settings\CorrinaDeschambeault\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-25 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-11 1932568]

c:\documents and settings\CorrinaDeschambeault\Start Menu\Programs\Startup\
TextBridge Instant Access OCR.lnk - c:\program files\TextBridge Classic\Bin\TBMenu.exe [2007-5-22 23040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-11 04:25 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=muyhje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TELUS eCare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TELUS eCare.lnk
backup=c:\windows\pss\TELUS eCare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 -c--a-r c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R2 A4SII300;A4SII300;c:\windows\System32\drivers\A4SII300.SYS [1998-02-26 25632]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-11 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-11 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-11 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-11 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49e1a128-b7d1-11dc-88f7-001676884c3b}]
\Shell\AutoRun\command - F:\DigitalPhotoKeychain.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd92f57b-aa8e-11dc-88f2-001676884c3b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/keylauncher/?code=3654405786816657

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9a64e7e-c47d-11dc-88fe-001676884c3b}]
\Shell\AutoRun\command - F:\DigitalPhotoKeychain.EXE
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = sympatico.msn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3618293995-1840668372-3379709252-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*$%ñ*D*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3618293995-1840668372-3379709252-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*$%ñ*D*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3492)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-16 20:03
ComboFix-quarantined-files.txt 2009-04-16 02:03
ComboFix2.txt 2009-04-16 01:54

Pre-Run: 10,411,495,424 bytes free
Post-Run: 10,405,011,456 bytes free

184 --- E O F --- 2009-04-14 15:10
__________________
corrina187 is offline  
Old 04-16-2009, 04:24 AM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



It appears you ran ComboFix twice. Any particular reason why?

I need to see the log from the first run.

Go Start > Run and copy/paste the following into the Run box and click OK:

C:\QooBox\ComboFix2.txt

Please post the contents of ComboFix2.txt here for review.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-16-2009, 07:23 AM   #7
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



I did, the first time my 15 month old daughter started banging on the keyboard so I thought she might have caused an error...Here is the first one


ComboFix 09-04-15.08 - CorrinaDeschambeault 15/04/2009 19:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.240 [GMT -6:00]
Running from: c:\documents and settings\CorrinaDeschambeault\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\CorrinaDeschambeault\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 01:24 . 2009-04-16 01:24 -------- d-----w c:\windows\LastGood
2009-04-14 03:12 . 2009-04-14 03:19 -------- d-----w c:\documents and settings\Dennis ****\Application Data\AVGTOOLBAR
2009-04-13 16:47 . 2009-04-13 19:16 -------- d-----w c:\documents and settings\Autumn\Application Data\AVGTOOLBAR
2009-04-11 04:50 . 2009-04-15 04:12 -------- dc-h--w C:\$AVG8.VAULT$
2009-04-11 04:25 . 2009-04-11 04:25 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-11 04:25 . 2009-04-11 04:25 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-11 04:25 . 2009-04-11 04:25 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-11 04:25 . 2009-04-16 01:25 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-11 04:25 . 2009-04-11 04:43 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\AVGTOOLBAR
2009-04-11 04:25 . 2009-04-16 01:45 -------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-04-06 04:11 . 2009-04-06 04:11 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2009-04-06 04:08 . 2009-04-06 04:08 -------- dc----w c:\documents and settings\All Users\Application Data\fssg
2009-04-06 04:07 . 2009-04-11 02:34 -------- dc----w c:\documents and settings\All Users\Application Data\f-secure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 03:19 . 2007-05-16 00:04 268 -c-ha-w C:\sqmdata19.sqm
2009-04-14 03:19 . 2007-05-16 00:04 244 -c-ha-w C:\sqmnoopt19.sqm
2009-04-14 03:11 . 2007-05-15 13:30 268 -c-ha-w C:\sqmdata18.sqm
2009-04-14 03:11 . 2007-05-15 13:30 244 -c-ha-w C:\sqmnoopt18.sqm
2009-04-12 14:41 . 2009-03-11 00:57 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\Azureus
2009-04-11 04:25 . 2007-03-07 22:44 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-04-11 04:25 . 2009-04-11 04:25 -------- d-----w c:\program files\AVG
2009-04-11 02:34 . 2009-04-06 04:08 -------- d-----w c:\program files\Shaw Secure
2009-04-08 03:30 . 2008-12-02 01:24 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\LimeWire
2009-03-28 16:28 . 2008-12-02 01:24 -------- d-----w c:\program files\LimeWire
2009-03-15 04:27 . 2009-03-12 20:34 -------- d-----w c:\program files\VSO
2009-03-15 04:27 . 2006-12-21 07:50 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\Vso
2009-03-15 04:27 . 2006-12-21 07:50 47360 -c--a-w c:\documents and settings\CorrinaDeschambeault\Application Data\pcouffin.sys
2009-03-15 04:21 . 2006-12-21 07:50 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-12 22:56 . 2009-03-12 22:56 -------- dc----w c:\documents and settings\All Users\Application Data\SlySoft
2009-03-12 21:53 . 2009-03-12 21:53 -------- dc----w c:\documents and settings\All Users\Application Data\vsosdk
2009-03-12 16:23 . 2009-03-12 16:18 -------- d-----w c:\program files\Elaborate Bytes
2009-03-11 19:52 . 2008-12-21 04:39 -------- d-----w c:\program files\DivX
2009-03-11 19:39 . 2006-08-18 17:12 -------- d-----w c:\program files\Google
2009-03-11 19:09 . 2009-03-11 19:09 -------- d-----w c:\program files\Common Files\supportsoft
2009-03-11 19:08 . 2008-12-22 00:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-11 18:40 . 2006-08-25 17:27 -------- d-----w c:\program files\Common Files\Command Software
2009-03-11 18:06 . 2008-05-26 19:30 -------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2009-03-11 18:06 . 2008-05-26 19:29 -------- d-----w c:\program files\Dell Support Center
2009-03-11 00:57 . 2009-03-11 00:57 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-01 18:04 . 2006-08-18 17:07 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 17:58 . 2009-03-01 17:57 -------- d-----w c:\program files\Philips
2009-03-01 17:56 . 2009-03-01 17:56 -------- d-----w c:\documents and settings\CorrinaDeschambeault\Application Data\InstallShield
2009-03-01 01:57 . 2007-05-14 17:10 268 -c-ha-w C:\sqmdata17.sqm
2009-03-01 01:57 . 2007-05-14 17:10 244 -c-ha-w C:\sqmnoopt17.sqm
2009-02-23 20:57 . 2009-02-23 20:57 304160 -c--a-w C:\PA207.DAT
2009-02-16 07:32 . 2006-09-08 14:53 56 -csh--r c:\windows\system32\54F4A0600C.sys
2009-02-16 07:32 . 2006-08-25 15:45 5018 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-02-16 07:32 . 2006-08-25 15:45 5018 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-02-16 07:26 . 2006-08-25 16:40 -------- d-----w c:\program files\TELUS eCare
2009-02-11 01:13 . 2006-08-28 21:20 113032 -c--a-w c:\documents and settings\Dennis ****\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 15:33 . 2007-05-14 14:00 268 -c-ha-w C:\sqmdata16.sqm
2009-02-09 15:33 . 2007-05-14 14:00 244 -c-ha-w C:\sqmnoopt16.sqm
2009-02-09 11:13 . 2008-11-27 20:07 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-27 15:33 . 2007-05-14 13:56 268 -c-ha-w C:\sqmdata15.sqm
2009-01-27 15:33 . 2007-05-14 13:56 244 -c-ha-w C:\sqmnoopt15.sqm
2009-01-26 14:39 . 2007-05-13 02:21 268 -c-ha-w C:\sqmdata14.sqm
2009-01-26 14:39 . 2007-05-13 02:21 244 -c-ha-w C:\sqmnoopt14.sqm
2009-01-17 04:35 . 2007-10-30 23:42 3594752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-13 18:51 . 2006-08-25 15:05 113032 -c--a-w c:\documents and settings\CorrinaDeschambeault\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-07-31 00:21 . 2008-03-13 01:39 98096 -c--a-w c:\documents and settings\Autumn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-03-13 01:39 . 2008-03-13 01:39 129 -c--a-w c:\documents and settings\Autumn\Local Settings\Application Data\fusioncache.dat
2007-03-05 03:18 . 2007-03-05 03:18 247 -c--a-w c:\program files\setuplog.txt
2007-02-05 04:42 . 2007-02-05 04:42 0 -c-h--w c:\program files\AppUpdate.log
2007-02-05 04:35 . 2006-12-21 07:50 81920 -c--a-w c:\documents and settings\CorrinaDeschambeault\Application Data\ezpinst.exe
2006-09-03 16:36 . 2006-09-03 16:36 135 -c--a-w c:\documents and settings\Dennis ****\Local Settings\Application Data\fusioncache.dat
2006-08-25 15:05 . 2006-08-25 15:05 143 -c--a-w c:\documents and settings\CorrinaDeschambeault\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-25 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-11 1932568]

c:\documents and settings\CorrinaDeschambeault\Start Menu\Programs\Startup\
TextBridge Instant Access OCR.lnk - c:\program files\TextBridge Classic\Bin\TBMenu.exe [2007-5-22 23040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-11 04:25 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=muyhje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TELUS eCare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TELUS eCare.lnk
backup=c:\windows\pss\TELUS eCare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 -c--a-r c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R2 A4SII300;A4SII300;c:\windows\System32\drivers\A4SII300.SYS [1998-02-26 25632]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-11 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-11 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-11 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-11 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49e1a128-b7d1-11dc-88f7-001676884c3b}]
\Shell\AutoRun\command - F:\DigitalPhotoKeychain.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd92f57b-aa8e-11dc-88f2-001676884c3b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/keylauncher/?code=3654405786816657

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9a64e7e-c47d-11dc-88fe-001676884c3b}]
\Shell\AutoRun\command - F:\DigitalPhotoKeychain.EXE
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = sympatico.msn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 19:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3618293995-1840668372-3379709252-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*$%ñ*D*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3618293995-1840668372-3379709252-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*$%ñ*D*\OpenWithList]
@Class="Shell"
.
Completion time: 2009-04-16 19:54
ComboFix-quarantined-files.txt 2009-04-16 01:53

Pre-Run: 10,318,430,208 bytes free
Post-Run: 10,408,042,496 bytes free

183 --- E O F --- 2009-04-14 15:10
__________________
corrina187 is offline  
Old 04-16-2009, 09:15 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



Hello again, corrina187. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please uninstall the following via the Add or Remove Programs section of your Control Panel if they still exist:

LiveUpdate 2.6 (Symantec Corporation)

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Viewpoint Media Player<<This is considered foistware instead of malware since it is installed without users approval, but doesn't spy or do anything "bad". Please read here and here

------------------------------------------------------

I see you have P2P software ( LimeWire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
DDS::
uInternet Connection Wizard,ShellNext = iexplore

RegNull::
[HKEY_USERS\S-1-5-21-3618293995-1840668372-3379709252-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*$%ñ*D*]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"

SkipFix::
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u13-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
Kaspersky report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-16-2009, 10:37 AM   #9
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



Hi, so I was trying to remove all the java from my control panel, and after removing about 4 different ones it would not let me remove any more. There are 4 left there that I cannot remove. I have print screened them and attached for you to look at.
__________________
corrina187 is offline  
Old 04-16-2009, 10:39 AM   #10
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



here are the print screens
Attached Files
File Type: zip untitled.zip (291.6 KB, 3 views)
File Type: zip 8.zip (64.5 KB, 3 views)
__________________
corrina187 is offline  
Old 04-16-2009, 10:40 AM   #11
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



here is the other one also
Attached Files
File Type: zip 9.zip (62.8 KB, 3 views)
__________________
corrina187 is offline  
Old 04-16-2009, 11:26 AM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



Please visit this page to uninstall all old Java >> http://java.com/en/download/help/5000010800.xml

Follow the instructions at the bottom of the page under Note:

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-16-2009, 06:05 PM   #13
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp



Hello, Ok so I am going to be removing Limewire I thought that version was safe but I guess not...Everything seems to be ok now
Nothing is getting redirected yet so I'm crossing my fingers...
Here are the logs
Attached Files
File Type: txt kasp.txt (1.5 KB, 4 views)
File Type: txt combofix.txt (16.2 KB, 3 views)
__________________
corrina187 is offline  
Old 04-16-2009, 06:28 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



Hello again, corrina187. Almost done.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\CorrinaDeschambeault\My Documents\LimeWire\Saved\re education prayer of refugee (best quality).mp3"
"C:\Documents and Settings\CorrinaDeschambeault\My Documents\LimeWire\Saved\Twilight Paramore - I Caught Myself.mp3"
"C:\Documents and Settings\CorrinaDeschambeault\My Documents\LimeWire\Saved\viva la vida remix coldplay [160k quality].mp3"
"C:\Documents and Settings\CorrinaDeschambeault\My Documents\LimeWire\Saved\youre not sorry remix taylor.mp3"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-16-2009, 08:11 PM   #15
Registered Member
 
Join Date: Nov 2008
Posts: 13
OS: xp


Grin

Hi, it said it was deleted successfully!!
Thank you sooooo much! You guys are great! No more P2P for me
lol, Thanx let me know if its all clear now...
__________________
corrina187 is offline  
Old 04-17-2009, 04:42 AM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable AVG before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-20-2009, 05:38 AM   #17
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,653
OS: XP SP3; Win7 32/64-bit



Since this topic appears resolved, this thread will be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 01:30 AM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts