Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
google search redirects to adsites google search redirects to adsites
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts

Reply
 
Thread Tools
Old 05-02-2008, 01:58 PM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 7
OS: xp


google search redirects to adsites
last week i accidentally downloaded a nasty virus, the bulk of which has been removed, but all that is left is that clicking on search results in google yields ad sites, usually one of easycliqhotels, monstermarketplace, or thefreedictionary.com. also, since the virus, certain pages no longer load properly, most notably facebook.

anyway, the original virus had something to do with antispyspider, and some of the most malicious files were spools.exe, kevir, and many more which were deleted, and the most difficult to remove was wlctrl32.dll. originally, both the task manager and registry editing were disabled, so that all was difficult to overcome.

i have seen several people report similar problems to this on this site in the resolved hjt threads subsection, and i noticed everyone had spoolsv.exe running. my first question is, is this a malware file? i assumed it was related to spools.exe and deleted it. my computer runs fine, except for not loading facebook properly, but i suspect that has more to do with me deleting all my temporary files instead, most notably all the java files. if it indeed is a useful file, how can i restore it?

by the way, running CleanUp gave me a message that the redirect cache was succesfully removed, but the problem persists, particularly with the first two or three search results. also, running an online panda antivirus scan crashed my internet explorer each time.

here is a hjt log:

if anyone has a solution, i much oblige


****************************************************


Deckard's System Scanner v20071014.68
Run by Don Vito on 2008-05-02 22:18:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2008-05-02 20:18:07 UTC - RP16 - Deckard's System Scanner Restore Point
15: 2008-05-02 07:51:07 UTC - RP15 - Software Distribution Service 3.0
14: 2008-05-01 07:00:06 UTC - RP14 - Installed Java 2 Runtime Environment, SE v1.4.2_17
13: 2008-04-30 23:17:15 UTC - RP13 - Software Distribution Service 3.0
12: 2008-04-30 23:15:29 UTC - RP12 - Ad-Aware Restore Point 2008-05-01 01:15:23


-- First Restore Point --
1: 2008-04-27 10:19:52 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Don Vito.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:14 PM, on 02/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Don Vito\Local Settings\Temporary Internet Files\Content.IE5\B53GFF03\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Don Vito.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.shoptoshiba.ca/welcome
O2 - BHO: (no name) - {7e853d72-626a-48ec-a868-ba8d5e23e045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zoominghook] ZoomingHook.exe
O4 - HKLM\..\Run: [tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [tpsmain] TPSMain.exe
O4 - HKLM\..\Run: [tpnf] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [tfncky] TFncKy.exe
O4 - HKLM\..\Run: [tctryiohook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [symantec netdriver monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [svpwutil] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [smoothview] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [pointer] point32.exe
O4 - HKLM\..\Run: [padtouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ndstray.exe] NDSTray.exe
O4 - HKLM\..\Run: [lvcomsx] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [logitechvideotray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [logitechvideorepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hwsetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [cfsserv.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ceekey] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccapp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [atipta] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [agrsmmsg] AGRSMMSG.exe
O4 - HKLM\..\Run: [ageia physx systray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [toscdspd] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [logitechsoftwareupdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BetOnBet Poker - {2B936D2B-EDD7-405f-9057-3685BE897E62} - C:\Program Files\betonbetMPP\MPPoker.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: belsnqdkfel - C:\WINDOWS\SYSTEM32\belsnqdkfel.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 10038 bytes

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 bbbuokhd - c:\windows\system32\drivers\geqnweit.dat
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 TPwSav (Common Driver) - c:\windows\system32\drivers\tpwsav.sys <Not Verified; TOSHIBA; >
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>

S3 catchme - c:\docume~1\donvit~1\locals~1\temp\catchme.sys (file missing)
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >

S2 Spooler (Print Spooler) - c:\windows\system32\spoolsv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-02 20:19:03 536 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Don Vito.job


-- Files created between 2008-04-02 and 2008-05-02 -----------------------------

2008-05-02 22:08:39 0 d-------- C:\Program Files\Panda Security
2008-05-02 22:08:38 0 d-------- C:\WINDOWS\LastGood
2008-05-02 22:02:18 0 d-------- C:\Program Files\Trend Micro
2008-05-01 10:39:54 0 d-------- C:\Program Files\Universal
2008-05-01 01:17:34 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-01 00:54:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-01 00:53:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 21:21:12 0 d-------- C:\WINDOWS\ERUNT
2008-04-29 22:20:10 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 22:20:02 0 d-------- C:\Program Files\Windows Live
2008-04-29 22:19:50 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-29 22:04:59 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 22:04:59 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-29 22:04:59 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-29 22:04:59 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-29 22:04:59 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-29 22:04:59 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-29 22:04:59 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-29 22:04:59 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-29 22:04:59 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-29 22:04:59 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-29 22:04:59 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-29 22:04:59 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-29 22:04:59 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-29 22:04:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-29 22:04:59 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-29 22:04:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-29 22:04:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-29 22:04:58 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-26 17:19:49 0 d-------- C:\Documents and Settings\Don Vito\Application Data\Uniblue
2008-04-26 17:19:40 0 d-------- C:\Program Files\Uniblue
2008-04-26 15:17:05 0 d-------- C:\Documents and Settings\Don Vito\Application Data\Malwarebytes
2008-04-26 15:16:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 15:16:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 11:34:33 32768 -----n--- C:\WINDOWS\system32\sockots64.dll
2008-04-26 11:12:00 0 d-------- C:\WINDOWS\pss
2008-04-26 08:10:04 0 d-------- C:\WINDOWS\RG9uIFZpdG8
2008-04-26 08:09:27 0 d-------- C:\WINDOWS\system32\le2
2008-04-26 08:09:27 0 d-------- C:\WINDOWS\system32\IBn
2008-04-26 08:08:44 0 d-------- C:\WINDOWS\system32\xcsDd06
2008-04-26 0855 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-26 0832 18688 --a------ C:\WINDOWS\system32\drivers\geqnweit.dat
2008-04-26 0822 5120 --a------ C:\WINDOWS\system32\drivers\borcsgve.dat
2008-04-04 19:23:33 0 d-------- C:\Documents and Settings\Don Vito\.jmf
2008-04-04 19:23:30 0 d-------- C:\Documents and Settings\Don Vito\Mercury


-- Find3M Report ---------------------------------------------------------------

2008-05-02 20:26:38 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-02 20:26:02 0 d-------- C:\Program Files\Common Files
2008-05-02 11:10:45 0 d-------- C:\Program Files\PokerStars
2008-05-01 09:01:22 0 d-------- C:\Program Files\Java
2008-05-01 00:54:50 0 d-------- C:\Program Files\Lavasoft
2008-05-01 00:54:49 0 d-------- C:\Documents and Settings\Don Vito\Application Data\Lavasoft
2008-04-26 16:33:53 93184 --a------ C:\WINDOWS\system32\belsnqdkfel.dll
2008-04-25 1805 0 d-------- C:\Documents and Settings\Don Vito\Application Data\BitTorrent
2008-04-14 23:45:52 0 d-------- C:\Documents and Settings\Don Vito\Application Data\ZoomBrowser EX
2008-04-06 20:34:56 0 d-------- C:\Documents and Settings\Don Vito\Application Data\foobar2000


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zoominghook"="ZoomingHook.exe" [06/06/2005 06:58 PM C:\WINDOWS\system32\ZoomingHook.exe]
"tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [06/04/2005 01:25 AM]
"tpsmain"="TPSMain.exe" [01/06/2005 02:16 AM C:\WINDOWS\system32\TPSMain.exe]
"tpnf"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [26/08/2005 04:11 AM]
"tfncky"="TFncKy.exe" []
"tctryiohook"="TCtrlIOHook.exe" [22/08/2005 11:49 PM C:\WINDOWS\system32\TCtrlIOHook.exe]
"symantec netdriver monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [18/03/2006 06:19 PM]
"svpwutil"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [01/05/2004 10:45 PM]
"smoothview"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [27/04/2005 01:13 AM]
"pointer"="point32.exe" []
"padtouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [15/07/2005 07:52 PM]
"ndstray.exe"="NDSTray.exe" []
"lvcomsx"="C:\WINDOWS\system32\LVCOMSX.EXE" [20/07/2005 12:32 AM]
"logitechvideotray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 10:14 PM]
"logitechvideorepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 10:24 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [19/07/2005 05:09 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [19/07/2005 05:10 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [19/07/2005 05:06 AM]
"hwsetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [01/05/2004 10:45 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [31/05/2005 02:33 PM]
"cfsserv.exe"="CFSServ.exe" []
"ceekey"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [26/08/2005 03:49 AM]
"ccapp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [23/03/2005 10:34 PM]
"atipta"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [06/08/2005 06:05 AM]
"apoint"="C:\Program Files\Apoint2K\Apoint.exe" [23/03/2004 04:40 PM]
"agrsmmsg"="AGRSMMSG.exe" [21/12/2004 07:10 PM C:\WINDOWS\agrsmmsg.exe]
"ageia physx systray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [20/03/2006 09:43 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toscdspd"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [30/12/2004 09:32 AM]
"logitechsoftwareupdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [08/06/2005 09:44 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 02:00 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18/10/2007 11:34 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

C:\Documents and Settings\Don Vito\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [12/06/2004 6:57:52 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [01/09/2005 1:52:49 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\belsnqdkfel]
belsnqdkfel.dll 26/04/2008 04:33 PM 93184 C:\WINDOWS\system32\belsnqdkfel.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mta28.sys]
@="Driver"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"windows log"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-05-02 22:20:22 ------------
vtek is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-06-2008, 09:28 AM   #2 (permalink)
Moderator, Analyst, Security Team
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 1,943
OS: XP Home SP3, XP Media Center Edition SP3


Re: google search redirects to adsites
Hello and welcome to TSF.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________
My services are free but you can donate to TSF .
ASAP

amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-09-2008, 04:02 AM   #3 (permalink)
Registered User
 
Join Date: May 2008
Posts: 7
OS: xp


Re: google search redirects to adsites
hi, and thanks for your reply and welcome.

unfortunately, it looks as though my problem is more serious than i had previously thought. i cannot access either this forum or bleepingcomputer from my infected computer; i simply get an offline error saying that the site is down or i am not connected to the internet or somesuch. so i thought i could get around that by using the laptop provided through my work (as i am doing now) to download the required files, transfer them to my infected computer with a usb key and follow the instructions here. however, my infected computer will not run combofix at all. i checked to make sure i copied the whole file and not just a shortcut to my desktop, but it was not. i even tried running it through start -->run... but that failed too. so now i don't know what to do because to even apply the solution i need to find a solution first.

and as a confirmation of the fact that something fishy is going on, i managed to change my internet security settings such that my internet explorer could properly display all web content (it still couldn't access this site, though). it worked great for a couple of days, but when i decided to shut my computer down for the night one night, when i started it up again the settings were once again f***ed up and now, for the life of me, i can't make them normal again.

i appreciate the attempts to help, and if any more information is required, i would be happy to provide whatever i can.
vtek is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-09-2008, 04:16 AM   #4 (permalink)
Moderator, Analyst, Security Team
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 1,943
OS: XP Home SP3, XP Media Center Edition SP3


Re: google search redirects to adsites
Hi,

Sounds bad. Let's try this. Delete the Combofix from your desktop and download a fresh copy, but we'll do it a little differently this time:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
__________________
My services are free but you can donate to TSF .
ASAP

Last edited by amateur : 05-09-2008 at 04:38 AM.
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-09-2008, 06:39 AM   #5 (permalink)
Registered User
 
Join Date: May 2008
Posts: 7
OS: xp


Re: google search redirects to adsites
brilliant! that got it to run. another problem i discovered was that when i tried to reboot windows in safe mode, i only had one option, and that was to start windows in normal mode after pressing F8 at start up. anyway, combofix deleted a couple of dll files, so i am optimistic, as none of my malware scanners were able to find anything.

first is the combofix log:
**********************************************************

ComboFix 08-05-08.1 - Don Vito 2008-05-09 15:16:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1129 [GMT 2:00]
Running from: C:\Documents and Settings\Don Vito\Desktop\object.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mainms.vpi
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\belsnqdkfel.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\borcsgve.dat
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\geqnweit.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bbbuokhd
-------\Legacy_CLBDRIVER
-------\Legacy_mssecurity1.209.4
-------\Service_bbbuokhd


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-02 22:17 . 2008-05-02 22:17 <DIR> d-------- C:\Deckard
2008-05-02 22:08 . 2008-05-02 22:08 <DIR> d-------- C:\Program Files\Panda Security
2008-05-02 22:05 . 2008-05-02 22:05 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-02 22:02 . 2008-05-02 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-02 20:17 . 2008-05-09 13:24 <DIR> d-------- C:\fixwareout
2008-05-01 18:09 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-01 18:09 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-01 18:09 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-01 18:09 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-01 18:09 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-01 18:09 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-01 18:09 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-01 18:09 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-01 18:08 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-01 10:39 . 2008-05-01 10:39 <DIR> d-------- C:\Program Files\Universal
2008-05-01 01:17 . 2008-05-01 01:17 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-01 00:54 . 2008-05-01 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-01 00:53 . 2008-05-01 00:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 00:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-01 00:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-01 00:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 21:21 . 2008-04-30 21:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 22:20 . 2008-04-29 22:29 <DIR> d-------- C:\Program Files\Windows Live
2008-04-29 22:20 . 2008-04-29 22:28 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 22:19 . 2008-04-29 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-29 22:04 . 2005-09-01 02:09 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 22:04 . 2005-09-01 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-29 22:04 . 2005-09-01 01:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-29 22:04 . 2008-04-29 22:04 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-29 22:04 . 2008-05-09 15:16 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 08:12 . 2008-04-30 21:39 <DIR> d-------- C:\SDFix
2008-04-26 17:19 . 2008-04-26 17:19 <DIR> d-------- C:\Program Files\Uniblue
2008-04-26 17:19 . 2008-04-26 17:19 <DIR> d-------- C:\Documents and Settings\Don Vito\Application Data\Uniblue
2008-04-26 15:17 . 2008-04-26 15:17 <DIR> d-------- C:\Documents and Settings\Don Vito\Application Data\Malwarebytes
2008-04-26 15:16 . 2008-04-26 15:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 15:16 . 2008-04-26 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 11:34 . 2008-04-26 16:33 32,768 --------- C:\WINDOWS\system32\sockots64.dll
2008-04-26 11:34 . 2008-05-08 15:33 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-26 08:10 . 2008-04-30 21:31 <DIR> d-------- C:\WINDOWS\RG9uIFZpdG8
2008-04-26 08:09 . 2008-04-26 08:11 <DIR> d-------- C:\WINDOWS\system32\le2
2008-04-26 08:09 . 2008-04-26 16:33 <DIR> d-------- C:\WINDOWS\system32\IBn
2008-04-26 08:09 . 2004-08-04 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 08:08 . 2008-04-26 08:08 <DIR> d-------- C:\WINDOWS\system32\xcsDd06
2008-04-26 08:08 . 2008-04-26 14:41 <DIR> d-------- C:\Temp\berDrv11

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 13:46 --------- d-----w C:\Program Files\PokerStars
2008-05-05 08:02 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\ZoomBrowser EX
2008-05-05 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-04 05:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-01 07:01 --------- d-----w C:\Program Files\Java
2008-04-30 22:54 --------- d-----w C:\Program Files\Lavasoft
2008-04-30 22:54 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\Lavasoft
2008-04-25 16:06 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\BitTorrent
2008-04-06 18:34 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\foobar2000
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toscdspd"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 09:32 65536]
"logitechsoftwareupdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 21:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zoominghook"="ZoomingHook.exe" [2005-06-06 18:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-06 01:25 73728]
"tpsmain"="TPSMain.exe" [2005-06-01 02:16 282624 C:\WINDOWS\system32\TPSMain.exe]
"tpnf"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-26 04:11 53248]
"tfncky"="TFncKy.exe" []
"tctryiohook"="TCtrlIOHook.exe" [2005-08-22 23:49 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"symantec netdriver monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-18 18:19 100056]
"svpwutil"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 22:45 65536]
"smoothview"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 01:13 122880]
"pointer"="point32.exe" []
"padtouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 19:52 1077322]
"ndstray.exe"="NDSTray.exe" []
"lvcomsx"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-20 00:32 221184]
"logitechvideotray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 22:14 217088]
"logitechvideorepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 22:24 458752]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 05:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 05:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 05:06 77824]
"hwsetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 22:45 28672]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 14:33 122941]
"cfsserv.exe"="CFSServ.exe" []
"ceekey"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-26 03:49 671744]
"ccapp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 22:34 58992]
"atipta"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 06:05 344064]
"apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 16:40 196608]
"agrsmmsg"="AGRSMMSG.exe" [2004-12-21 19:10 88358 C:\WINDOWS\agrsmmsg.exe]
"ageia physx systray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 21:43 331776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\Don Vito\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 06:57:52 59080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-09-01 01:52:49 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mta28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"windows log"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"C:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25911:TCP"= 25911:TCP:@xpsp2res.dll,-22005
"44906:TCP"= 44906:TCP:@xpsp2res.dll,-22005
"63585:TCP"= 63585:TCP:@xpsp2res.dll,-22005
"64204:TCP"= 64204:TCP:@xpsp2res.dll,-22005


.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:19:03 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Don Vito.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 15:21:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-09 15:26:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 13:26:00

Pre-Run: 21,783,793,664 bytes free
Post-Run: 21,724,807,168 bytes free

197 --- E O F --- 2008-05-02 07:52:20

***********************************************************

and now the updated hijackthis log:

***********************************************************

ComboFix 08-05-08.1 - Don Vito 2008-05-09 15:16:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1129 [GMT 2:00]
Running from: C:\Documents and Settings\Don Vito\Desktop\object.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mainms.vpi
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\belsnqdkfel.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\borcsgve.dat
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\geqnweit.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bbbuokhd
-------\Legacy_CLBDRIVER
-------\Legacy_mssecurity1.209.4
-------\Service_bbbuokhd


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-02 22:17 . 2008-05-02 22:17 <DIR> d-------- C:\Deckard
2008-05-02 22:08 . 2008-05-02 22:08 <DIR> d-------- C:\Program Files\Panda Security
2008-05-02 22:05 . 2008-05-02 22:05 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-02 22:02 . 2008-05-02 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-02 20:17 . 2008-05-09 13:24 <DIR> d-------- C:\fixwareout
2008-05-01 18:09 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-01 18:09 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-01 18:09 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-01 18:09 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-01 18:09 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-01 18:09 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-01 18:09 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-01 18:09 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-01 18:08 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-01 10:39 . 2008-05-01 10:39 <DIR> d-------- C:\Program Files\Universal
2008-05-01 01:17 . 2008-05-01 01:17 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-01 00:54 . 2008-05-01 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-01 00:53 . 2008-05-01 00:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 00:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-01 00:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-01 00:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 21:21 . 2008-04-30 21:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 22:20 . 2008-04-29 22:29 <DIR> d-------- C:\Program Files\Windows Live
2008-04-29 22:20 . 2008-04-29 22:28 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 22:19 . 2008-04-29 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-29 22:04 . 2005-09-01 02:09 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 22:04 . 2005-09-01 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-29 22:04 . 2005-09-01 01:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-29 22:04 . 2008-04-29 22:04 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-29 22:04 . 2008-05-09 15:16 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 08:12 . 2008-04-30 21:39 <DIR> d-------- C:\SDFix
2008-04-26 17:19 . 2008-04-26 17:19 <DIR> d-------- C:\Program Files\Uniblue
2008-04-26 17:19 . 2008-04-26 17:19 <DIR> d-------- C:\Documents and Settings\Don Vito\Application Data\Uniblue
2008-04-26 15:17 . 2008-04-26 15:17 <DIR> d-------- C:\Documents and Settings\Don Vito\Application Data\Malwarebytes
2008-04-26 15:16 . 2008-04-26 15:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 15:16 . 2008-04-26 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 11:34 . 2008-04-26 16:33 32,768 --------- C:\WINDOWS\system32\sockots64.dll
2008-04-26 11:34 . 2008-05-08 15:33 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-26 08:10 . 2008-04-30 21:31 <DIR> d-------- C:\WINDOWS\RG9uIFZpdG8
2008-04-26 08:09 . 2008-04-26 08:11 <DIR> d-------- C:\WINDOWS\system32\le2
2008-04-26 08:09 . 2008-04-26 16:33 <DIR> d-------- C:\WINDOWS\system32\IBn
2008-04-26 08:09 . 2004-08-04 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 08:08 . 2008-04-26 08:08 <DIR> d-------- C:\WINDOWS\system32\xcsDd06
2008-04-26 08:08 . 2008-04-26 14:41 <DIR> d-------- C:\Temp\berDrv11

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 13:46 --------- d-----w C:\Program Files\PokerStars
2008-05-05 08:02 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\ZoomBrowser EX
2008-05-05 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-04 05:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-01 07:01 --------- d-----w C:\Program Files\Java
2008-04-30 22:54 --------- d-----w C:\Program Files\Lavasoft
2008-04-30 22:54 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\Lavasoft
2008-04-25 16:06 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\BitTorrent
2008-04-06 18:34 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\foobar2000
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toscdspd"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 09:32 65536]
"logitechsoftwareupdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 21:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zoominghook"="ZoomingHook.exe" [2005-06-06 18:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-06 01:25 73728]
"tpsmain"="TPSMain.exe" [2005-06-01 02:16 282624 C:\WINDOWS\system32\TPSMain.exe]
"tpnf"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-26 04:11 53248]
"tfncky"="TFncKy.exe" []
"tctryiohook"="TCtrlIOHook.exe" [2005-08-22 23:49 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"symantec netdriver monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-18 18:19 100056]
"svpwutil"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 22:45 65536]
"smoothview"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 01:13 122880]
"pointer"="point32.exe" []
"padtouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 19:52 1077322]
"ndstray.exe"="NDSTray.exe" []
"lvcomsx"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-20 00:32 221184]
"logitechvideotray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 22:14 217088]
"logitechvideorepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 22:24 458752]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 05:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 05:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 05:06 77824]
"hwsetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 22:45 28672]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 14:33 122941]
"cfsserv.exe"="CFSServ.exe" []
"ceekey"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-26 03:49 671744]
"ccapp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 22:34 58992]
"atipta"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 06:05 344064]
"apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 16:40 196608]
"agrsmmsg"="AGRSMMSG.exe" [2004-12-21 19:10 88358 C:\WINDOWS\agrsmmsg.exe]
"ageia physx systray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 21:43 331776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\Don Vito\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 06:57:52 59080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-09-01 01:52:49 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mta28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"windows log"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"C:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25911:TCP"= 25911:TCP:@xpsp2res.dll,-22005
"44906:TCP"= 44906:TCP:@xpsp2res.dll,-22005
"63585:TCP"= 63585:TCP:@xpsp2res.dll,-22005
"64204:TCP"= 64204:TCP:@xpsp2res.dll,-22005


.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:19:03 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Don Vito.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 15:21:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-09 15:26:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 13:26:00

Pre-Run: 21,783,793,664 bytes free
Post-Run: 21,724,807,168 bytes free

197 --- E O F --- 2008-05-02 07:52:20

********************************************************

cheers
vtek is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-09-2008, 06:48 AM   #6 (permalink)
Moderator, Analyst, Security Team
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 1,943
OS: XP Home SP3, XP Media Center Edition SP3


Re: google search redirects to adsites
Hi,
That's great.
Quote:
another problem i discovered was that when i tried to reboot windows in safe mode, i only had one option, and that was to start windows in normal mode after pressing F8 at start up
That's normal with this infection. We'll fix that. But first, current infections tend to patch a lot of critical system files now, these often result in multiple problems, and sometimes, they can cause unbootable machines. Having Window's Recovery Console installed on your machine will help you and I in case something goes wrong while we are in the process of cleaning your machine.:

Quote:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.


  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________
My services are free but you can donate to TSF .
ASAP

Last edited by amateur : 05-09-2008 at 06:50 AM. Reason: punctuation correction
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-09-2008, 07:08 AM   #7 (permalink)
Registered User
 
Join Date: May 2008
Posts: 7
OS: xp


Re: google search redirects to adsites
wow, we really are making progress. i am actually logging in from the infected computer, so that hurdle has been overcome. installed the recovery console too. i thought it was the same thing as system restore, so didn't bother with it at first.

so here are the updated logs, starting with combofix:

********************************************************

ComboFix 08-05-08.1 - Don Vito 2008-05-09 16:03:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1105 [GMT 2:00]
Running from: C:\Documents and Settings\Don Vito\Desktop\object.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-02 22:17 . 2008-05-02 22:17 <DIR> d-------- C:\Deckard
2008-05-02 22:08 . 2008-05-02 22:08 <DIR> d-------- C:\Program Files\Panda Security
2008-05-02 22:05 . 2008-05-02 22:05 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-02 22:02 . 2008-05-02 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-02 20:17 . 2008-05-09 13:24 <DIR> d-------- C:\fixwareout
2008-05-01 18:09 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-01 18:09 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-01 18:09 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-01 18:09 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-01 18:09 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-01 18:09 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-01 18:09 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-01 18:09 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-01 18:08 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-01 10:39 . 2008-05-01 10:39 <DIR> d-------- C:\Program Files\Universal
2008-05-01 01:17 . 2008-05-01 01:17 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-01 00:54 . 2008-05-01 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-01 00:53 . 2008-05-01 00:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 00:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-01 00:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-01 00:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 21:21 . 2008-04-30 21:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 22:20 . 2008-04-29 22:29 <DIR> d-------- C:\Program Files\Windows Live
2008-04-29 22:20 . 2008-04-29 22:28 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 22:19 . 2008-04-29 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-29 22:04 . 2005-09-01 02:09 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-29 22:04 . 2005-09-01 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-29 22:04 . 2005-09-01 01:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-29 22:04 . 2008-04-29 22:04 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-29 22:04 . 2008-05-09 15:16 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 08:12 . 2008-04-30 21:39 <DIR> d-------- C:\SDFix
2008-04-26 17:19 . 2008-04-26 17:19 <DIR> d-------- C:\Program Files\Uniblue
2008-04-26 17:19 . 2008-04-26 17:19 <DIR> d-------- C:\Documents and Settings\Don Vito\Application Data\Uniblue
2008-04-26 15:17 . 2008-04-26 15:17 <DIR> d-------- C:\Documents and Settings\Don Vito\Application Data\Malwarebytes
2008-04-26 15:16 . 2008-04-26 15:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 15:16 . 2008-04-26 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 11:34 . 2008-04-26 16:33 32,768 --------- C:\WINDOWS\system32\sockots64.dll
2008-04-26 11:34 . 2008-05-08 15:33 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-26 08:10 . 2008-04-30 21:31 <DIR> d-------- C:\WINDOWS\RG9uIFZpdG8
2008-04-26 08:09 . 2008-04-26 08:11 <DIR> d-------- C:\WINDOWS\system32\le2
2008-04-26 08:09 . 2008-04-26 16:33 <DIR> d-------- C:\WINDOWS\system32\IBn
2008-04-26 08:09 . 2004-08-04 14:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 08:08 . 2008-04-26 08:08 <DIR> d-------- C:\WINDOWS\system32\xcsDd06
2008-04-26 08:08 . 2008-04-26 14:41 <DIR> d-------- C:\Temp\berDrv11

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 13:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-08 13:46 --------- d-----w C:\Program Files\PokerStars
2008-05-05 08:02 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\ZoomBrowser EX
2008-05-05 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-01 07:01 --------- d-----w C:\Program Files\Java
2008-04-30 22:54 --------- d-----w C:\Program Files\Lavasoft
2008-04-30 22:54 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\Lavasoft
2008-04-25 16:06 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\BitTorrent
2008-04-06 18:34 --------- d-----w C:\Documents and Settings\Don Vito\Application Data\foobar2000
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toscdspd"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 09:32 65536]
"logitechsoftwareupdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 21:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zoominghook"="ZoomingHook.exe" [2005-06-06 18:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-06 01:25 73728]
"tpsmain"="TPSMain.exe" [2005-06-01 02:16 282624 C:\WINDOWS\system32\TPSMain.exe]
"tpnf"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-26 04:11 53248]
"tfncky"="TFncKy.exe" []
"tctryiohook"="TCtrlIOHook.exe" [2005-08-22 23:49 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"symantec netdriver monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-18 18:19 100056]
"svpwutil"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 22:45 65536]
"smoothview"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 01:13 122880]
"pointer"="point32.exe" []
"padtouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 19:52 1077322]
"ndstray.exe"="NDSTray.exe" []
"lvcomsx"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-20 00:32 221184]
"logitechvideotray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 22:14 217088]
"logitechvideorepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 22:24 458752]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 05:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 05:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 05:06 77824]
"hwsetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 22:45 28672]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 14:33 122941]
"cfsserv.exe"="CFSServ.exe" []
"ceekey"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-26 03:49 671744]
"ccapp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 22:34 58992]
"atipta"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 06:05 344064]
"apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 16:40 196608]
"agrsmmsg"="AGRSMMSG.exe" [2004-12-21 19:10 88358 C:\WINDOWS\agrsmmsg.exe]
"ageia physx systray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 21:43 331776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\Don Vito\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 06:57:52 59080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-09-01 01:52:49 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mta28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"windows log"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"C:\\Program Files\\Firefly Stud