nathansmith_6

Hi,

today I woke up to find that my computer has a frustrating virus. What happens is that whenever I do a google search and click a link, the browser automatically goes to one of a number of websites that have nothing to do with the link (ie. couponmountain.com). I have been trying to get rid of this all morning and have failed miserably. Any help would be very much appreciated.

I have included a copy of DDS txt report below. Attached is the Attach.txt file that was also generated by DDS. The GMER program did not even open for me--so hopefully the DDS stuff suffices. I have also included a Hijack This report in case it helps.

In case it isn't obvious, i'm not too knowledgeable when it comes to this sort of thing. Any help would be greatly appreciated.


DDS.txt


DDS (Ver_09-06-26.01) - NTFSx86
Run by Nathan Smith at 12:44:11.85 on 01/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1.#QNAN.319 [GMT -3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\program Files\Manson\liser.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Nathan Smith\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=presario&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [kell] c:\program files\manson\liser.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [net] "c:\windows\system32\net.net"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\nathan~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\freewe~1.lnk - c:\program files\coffeecup software\coffeecup free ftp\ThirtyDayTimer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\pacifi~1\pacificpoker.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\partygaming\partycasino\RunCasino.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: ctv.ca\www
Trusted Zone: tsn.ca\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} - hxxp://dsp03.eastlink.ca/SelfProvisioning.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - hxxps://mytbb.primus.ca/webportal/plugins/VMPlayer.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\manson\liser.dll
SSODL: YnEGSuUleq - {7553FE1C-DFF9-54B6-C74A-AAF8844001E0} - c:\windows\system32\ogu.dll
SEH: {C47A9554-195A-4769-9B13-04F15B450A39} - No File

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-1 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-1 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-1 298776]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-07-01 12:06 <DIR> --d----- c:\program files\CCleaner
2009-07-01 12:05 <DIR> --d----- c:\program files\SpywareBlaster
2009-07-01 11:00 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-01 10:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-01 10:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-01 10:55 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 10:55 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-01 10:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-01 10:55 <DIR> --d----- c:\program files\AVG
2009-07-01 10:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-30 20:38 32,768 a------- c:\windows\system32\nhg.bbv
2009-06-30 20:38 65,024 a------- c:\windows\system32\gr3.ge
2009-06-30 20:38 75,776 a------- c:\windows\system32\nvrsk.dll
2009-06-30 20:38 134,656 a------- c:\windows\system32\tpsaxyd.exe
2009-06-30 20:38 <DIR> --dshr-- c:\program files\Manson

==================== Find3M ====================

2009-06-30 20:38 577,536 a------- c:\windows\system32\user32.DLL
2009-06-30 20:38 577,536 a------- c:\windows\system32\dllcache\user32.dll
2009-05-07 12:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 12:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-27 06:17 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-04-17 06:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 06:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 12:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 12:11 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll
2006-10-02 20:36 0 a------- c:\docume~1\nathan~1\applic~1\wklnhst.dat
2006-10-02 20:49 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 12:46:05.03 ===============







HIJACK THIS REPORT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:36 PM, on 01/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\program Files\Manson\liser.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Nathan Smith\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp03.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - https://mytbb.primus.ca/webportal/plugins/VMPlayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: YnEGSuUleq - {7553FE1C-DFF9-54B6-C74A-AAF8844001E0} - C:\WINDOWS\system32\ogu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 9682 bytes

Attached Files

Attach.txt (8.3 KB, 2 views)

KB.

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

KB.

Download GMER Rootkit Scanner from here to your desktop.

• Double click the exe file.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Good Luck

nathansmith_6

Hey,

Already tried to run gmer after extracting and it didn't do anything. Just tried re-downloading from different site and had the same problem.

KB.

The aformentioned GMER instructions offered a new link for you to use. I need you to use that (which I've included once again below) as well as performing the other instructions that follow.

P2P Concern
Your logs showed some peer-to-peer filesharing apps. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

Read more here:
File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

You need to un-install BitTorrent and any other P-2-P that this pc has and refrain from installing any others until we've finished cleaning your system.

GMER
Download GMER Rootkit Scanner from this link => here to your desktop.

• Double click the exe file.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

ComboFix cleanup
Download ComboFix from any of the links below. You must rename it to Combo-Fix before saving it. Save it to your Desktop.

If you are using Firefox, go to Tools > Options > Main and select 'Always ask me where to save files' and click OK.

Link 1
Link 2
Link 3





* IMPORTANT !!! Save Combo-Fix.exe to your Desktop

------------------------------------------------------

• Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  
• Help with disabling your antivirus application can be found here => here
  
• Double-click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Post Back
Please post back with:

1. GMER result;
2. Combofix result.

Good Luck

nathansmith_6

Hey, the Gmer worked this time. Txt file resulting from the scan is attached.

Attached Files

Gmer.txt (5.3 KB, 2 views)

nathansmith_6

Combofix result attached also.. Thanks for the help!


ComboFix 09-07-02.02 - Nathan Smith 02/07/2009 20:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.544 [GMT -3:00]
Running from: c:\documents and settings\Nathan Smith\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Manson\liser.dll
c:\program files\Manson\liser.exe
c:\windows\Install.txt
c:\windows\system32\drivers\UAComyybpjdviljxel.sys
c:\windows\system32\Install.txt
c:\windows\system32\mmmdpsjo.ini
c:\windows\system32\nvrsk.dll
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\UACcrsqoauoxxshrdu.dll
c:\windows\system32\UACcvrpublgntpyotj.dll
c:\windows\system32\UACdiykvvkkyljxyoy.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiuhdodxcymxecac.dat
c:\windows\system32\UACpucrnstppmkpymexm.log
c:\windows\system32\UACtbghuimdwkydyle.db
c:\windows\system32\uactmp.db
c:\windows\system32\UACttsabjmqvqvgoax.dll
c:\windows\system32\UACyacmoyejkdtfrhn.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 11:36 . 2009-07-02 11:36 -------- d-----w- c:\program files\Flash Movie Player
2009-07-01 15:29 . 2009-07-01 13:55 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-01 15:06 . 2009-07-01 15:06 -------- d-----w- c:\program files\CCleaner
2009-07-01 15:05 . 2009-07-01 15:05 -------- d-----w- c:\program files\SpywareBlaster
2009-07-01 14:37 . 2009-06-14 19:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-07-01 14:00 . 2009-07-02 18:40 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-01 13:58 . 2009-07-01 13:58 -------- d-----w- c:\documents and settings\Nathan Smith\Local Settings\Application Data\AVG Security Toolbar
2009-07-01 13:56 . 2009-07-01 13:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-01 13:56 . 2009-07-01 13:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-01 13:55 . 2009-07-01 13:55 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 13:55 . 2009-07-01 13:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-01 13:55 . 2009-07-02 21:49 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-01 13:55 . 2009-07-01 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-01 13:55 . 2009-07-01 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-01 13:55 . 2009-07-01 13:55 -------- d-----w- c:\program files\AVG
2009-06-30 23:38 . 2009-07-02 23:54 -------- d-sh--r- c:\program files\Manson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 23:59 . 2008-07-10 11:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-02 23:53 . 2004-08-04 08:00 577536 ----a-w- c:\windows\system32\user32.dll
2009-07-02 11:33 . 2007-03-03 23:17 -------- d-----w- c:\program files\Macromedia
2009-07-01 19:59 . 2006-10-26 04:30 -------- d-----w- c:\documents and settings\Nathan Smith\Application Data\uTorrent
2009-07-01 15:13 . 2007-03-04 17:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-01 14:30 . 2006-04-26 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-01 14:29 . 2006-04-26 01:02 -------- d-----w- c:\program files\Symantec
2009-07-01 14:22 . 2006-04-26 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-01 13:41 . 2006-04-26 01:32 -------- d-----w- c:\program files\Java
2009-06-13 19:10 . 2008-02-13 00:52 1878984 ----a-w- c:\documents and settings\Nathan Smith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-05-19 22:57 . 2006-09-14 22:35 -------- d-----w- c:\program files\PartyGaming
2009-05-18 16:13 . 2009-05-18 16:13 -------- d-----w- c:\program files\Broadcom
2009-05-07 15:44 . 2004-08-04 08:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2004-08-04 08:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 08:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 08:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-10-02 23:49 . 2006-10-02 23:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 19:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]

c:\documents and settings\Nathan Smith\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-17 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-11-21 372224]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-12-25 229376]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-3 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-24 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"YnEGSuUleq"= {7553FE1C-DFF9-54B6-C74A-AAF8844001E0} - c:\windows\system32\ogu.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-01 13:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dailybucks_install.exe]
"Debugger"=c:\docume~1\NATHAN~1\LOCALS~1\Temp\db.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\PartyGaming\\PartyGaming.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/07/2009 10:55 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/07/2009 10:56 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/07/2009 10:55 AM 298776]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [15/12/2004 12:18 PM 200192]
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-03-09 02:38]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{45A9B2C0-0D04-4AE6-B2F6-544B5C5E1EF3} - c:\windows\System32\wmproxt.dll
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
HKLM-Run-net - c:\windows\system32\net.net


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
Trusted Zone: ctv.ca\www
Trusted Zone: tsn.ca\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} - hxxp://dsp03.eastlink.ca/SelfProvisioning.cab
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - hxxps://mytbb.primus.ca/webportal/plugins/VMPlayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 20:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????9?n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...


c:\windows\system32\drivers\hjgruiilrakkri.sys 68096 bytes executable
c:\docume~1\NATHAN~1\LOCALS~1\Temp\hjgrui000 0 bytes
c:\windows\TEMP\hjgruisenrqncdmy.tmp 18944 bytes executable
c:\windows\system32\hjgruiajsnngea.dll 43520 bytes executable
c:\windows\system32\hjgruiaqpyvnby.dll 18944 bytes executable
c:\windows\system32\hjgruidovlksva.dat 93 bytes
c:\windows\system32\hjgruirppejqwm.dat 47729 bytes

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruituglabps]
"imagepath"="\systemroot\system32\drivers\hjgruiilrakkri.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3038418290-1476703022-3468180983-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{78BA3167-73FC-BA68-5B99-658634126BF9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abjoiddeffdjfjdkjikcbbfbjnagapglfg"=hex:61,61,00,00
"bbjoiddeffdjfjdkjinnijlklpepkmabanaj"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2600)
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-07-02 21:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 00:06

Pre-Run: 21,821,493,248 bytes free
Post-Run: 21,856,428,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

222 --- E O F --- 2009-06-11 10:01

Attached Files

log.txt (13.8 KB, 2 views)

KB.

Run ComboFix
Let's re-run ComboFix as follows:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:



A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once

Re-activate your protection programs at this time.

Update Java
Perform the following as specified and in the order given, please.

• Go to http://java.sun.com/javase/downloads/index.jsp
• Download Java Runtime Environment (JRE) 6 Update 14
• Select the appropriate option(s), check the "I agree..." box and press CONTINUE
• Without checking the box, click on jre-6u14-windows-i586-p.exe directly underneath Windows Offline Installation > SAVE it to your desktop, do not RUN it.
• When the download is complete, close all browser windows and double-click on the saved file (jre-6u14-windows-i586-p.exe ) to install the update. Be patient: It may take five (5) minutes or more for the installation to complete.
• UNCHECK any optional software offered (e.g., Yahoo or MSN Toolbar) you don't want to install :!:
• Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
• Open Control Panel > Add/Remove Programs:
  • Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 14 which you just installed.
  • Close Add/Remove Programs.
• In Windows Explorer, navigate to C:\Program Files\Java <=this folder. Delete any subfolders except the subfolder named jre6 which was just created by the installation above. [1]
  
  Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

[1] Deleting these folders may affect QuickTime. If so, simply reinstall QuickTime.

Post Back
Please post back with the following:

1. ComboFix report;
2. System status ... how is your computer running now???

Good Luck

nathansmith_6

Hey,

Computer seems to be working now--thanks very much for all your help. I accidentally closed the combo fix report thinking it was already saved. All is looking pretty good for now though!

=)

Great job!

KB.

We're not finished yet, there is more to do and I'll let you know when we're done.

Please provide the Combofix log as it is automatically saved. It can be found on your computer in this location:

• C:\ Combofix.txt

Thank you.

nathansmith_6

combofix.txt attached.

ComboFix 09-07-02.02 - Nathan Smith 03/07/2009 20:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.626 [GMT -3:00]
Running from: c:\documents and settings\Nathan Smith\Desktop\123abc.exe
Command switches used :: c:\documents and settings\Nathan Smith\Desktop\CFscript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\docume~1\NATHAN~1\LOCALS~1\Temp\hjgrui000"
"c:\windows\system32\drivers\hjgruiilrakkri.sys"
"c:\windows\system32\hjgruiajsnngea.dll"
"c:\windows\system32\hjgruiaqpyvnby.dll"
"c:\windows\system32\hjgruidovlksva.dat"
"c:\windows\system32\hjgruirppejqwm.dat"
"c:\windows\TEMP\hjgruisenrqncdmy.tmp"

file zipped: c:\windows\system32\ogu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\NATHAN~1\LOCALS~1\Temp\hjgrui000
c:\program files\Manson
c:\windows\system32\drivers\hjgruiilrakkri.sys
c:\windows\system32\hjgruiajsnngea.dll
c:\windows\system32\hjgruiaqpyvnby.dll
c:\windows\system32\hjgruidovlksva.dat
c:\windows\system32\hjgruirppejqwm.dat
c:\windows\system32\ogu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruituglabps


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 22:37 . 2009-07-03 00:06 -------- d-s---w- C:\Combo-Fix
2009-07-01 15:29 . 2009-07-01 13:55 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-01 14:00 . 2009-07-02 18:40 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-01 13:55 . 2009-07-03 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-01 13:55 . 2009-07-01 13:55 -------- d-----w- c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 00:22 . 2006-04-26 00:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-03 00:21 . 2006-04-26 00:46 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-03 00:20 . 2006-04-26 00:47 -------- d-----w- c:\program files\Sonic
2009-07-02 23:59 . 2008-07-10 11:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-02 23:53 . 2004-08-04 08:00 577536 ----a-w- c:\windows\system32\user32.dll
2009-07-02 11:33 . 2007-03-03 23:17 -------- d-----w- c:\program files\Macromedia
2009-07-01 19:59 . 2006-10-26 04:30 -------- d-----w- c:\documents and settings\Nathan Smith\Application Data\uTorrent
2009-07-01 15:13 . 2007-03-04 17:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-01 14:30 . 2006-04-26 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-01 14:29 . 2006-04-26 01:02 -------- d-----w- c:\program files\Symantec
2009-07-01 14:22 . 2006-04-26 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-01 13:41 . 2006-04-26 01:32 -------- d-----w- c:\program files\Java
2009-06-13 19:10 . 2008-02-13 00:52 1878984 ----a-w- c:\documents and settings\Nathan Smith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-05-19 22:57 . 2006-09-14 22:35 -------- d-----w- c:\program files\PartyGaming
2009-05-18 16:13 . 2009-05-18 16:13 -------- d-----w- c:\program files\Broadcom
2009-05-07 15:44 . 2004-08-04 08:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2004-08-04 08:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 08:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 08:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-10-02 23:49 . 2006-10-02 23:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]

c:\documents and settings\Nathan Smith\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-17 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-11-21 372224]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-12-25 229376]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-3 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-24 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\PartyGaming\\PartyGaming.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [15/12/2004 12:18 PM 200192]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-03-09 02:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
Trusted Zone: ctv.ca\www
Trusted Zone: tsn.ca\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} - hxxp://dsp03.eastlink.ca/SelfProvisioning.cab
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - hxxps://mytbb.primus.ca/webportal/plugins/VMPlayer.cab
FF - ProfilePath - c:\documents and settings\Nathan Smith\Application Data\Mozilla\Firefox\Profiles\woatn0gi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 20:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????+?n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-07-03 20:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 23:41
ComboFix2.txt 2009-07-03 00:06

Pre-Run: 22,188,396,544 bytes free
Post-Run: 22,178,725,888 bytes free

216 --- E O F --- 2009-06-11 10:01

Attached Files

ComboFix.txt (15.1 KB, 2 views)

KB.

While I review your report I need the following information:

1. Have you uninstalled AVG?
2. What Syamntec (aka Norton) application are/were you using?

I need to know which AntiVirus and firewall (Norton or Windows) you're using.

Please do not make further changes to those protections until we're finished cleaning the system as that makes it very difficult for me to understand exactly what is happening with your system.

Thank you.

nathansmith_6

AVG has been uninstalled as it was interfering with the GMER program. With respect to Norton Antivirus, all that would have been running is whatever was left on my system after their free trial of their software.

Right now all I have going is the Windows firewall.

KB.

Since your Norton application has expired, we'll need to remove it and install a different (other than AVG) AntiVirus application.

You can manually delete the AVG vault and program files folder, marked in red below:

C:\ $AVG8.VAULT$
c:\program files\ AVG

You can also delete the AVG folder, marked in red below:

c:\documents and settings\All Users\Application Data\ avg8

Additonal instructions
We'll then need to do a bit more cleanup and run an online scan.

Norton Cleanup
Please run the Norton cleanup tool found here => http://service1.symantec.com/SUPPORT...5033108162039?

Install an AV, NOW!
Only one should load at boot and actively protect the system.

• If cost is a factor, here are two links to free ones :> Antivir; Avast4.

Run ComboFix
Let's re-run ComboFix as follows:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:



A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once

Re-activate your protection programs at this time.

Kaspersky Online Scan
Don't panic on what this scan finds, I'll let you know what needs to be removed.

Please go here => Kaspersky website and perform an online antivirus scan.

1. It's best to disable your AntiVirus application or ignore any alerts it has during this process. How to Disable Anti-Virus Programs Before Running Fix Tools
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   • Spyware, Adware, Dialers, and other potentially dangerous programs
     Archives
     
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Note that this scan will take a long time to run, possibly a few hours as it is very thorough in it's scan of your system.

It's best to close all open programs (taskbar should be empty), start the scan and let it complete without using the system for anything else

If you need a tutorial, see here

Re-enable your AntiVirus application when complete, please

Post Back
Please post back with the following:

1. Combofix report;
2. Kaspersky report;
3. System status ... how is your computer running now?

Good Luck

nathansmith_6

Combofix results attached. Unfortunately the online virus program didn't seem to want to work for me.


ComboFix 09-07-02.02 - Nathan Smith 05/07/2009 19:35.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.543 [GMT -3:00]
Running from: c:\documents and settings\Nathan Smith\Desktop\123abc.exe
Command switches used :: c:\documents and settings\Nathan Smith\Desktop\CFscript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\program files\Mozilla Firefox\plugins\npbittorrent.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
c:\program files\uTorrent
c:\program files\uTorrent\Uninstall.exe
c:\program files\uTorrent\utorrent.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-03 23:59 . 2009-07-03 23:59 -------- d-----w- c:\program files\JavaFX
2009-07-03 23:58 . 2009-07-03 23:58 -------- d-----w- c:\program files\Sun
2009-07-03 23:58 . 2009-07-03 23:57 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-02 22:37 . 2009-07-03 00:06 -------- d-s---w- C:\Combo-Fix
2009-07-01 15:29 . 2009-07-01 13:55 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-01 14:00 . 2009-07-02 18:40 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-01 13:55 . 2009-07-03 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 21:18 . 2006-10-26 04:30 -------- d-----w- c:\documents and settings\Nathan Smith\Application Data\uTorrent
2009-07-04 00:06 . 2006-04-26 01:32 -------- d-----w- c:\program files\Java
2009-07-03 00:22 . 2006-04-26 00:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-03 00:21 . 2006-04-26 00:46 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-03 00:20 . 2006-04-26 00:47 -------- d-----w- c:\program files\Sonic
2009-07-02 23:59 . 2008-07-10 11:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-02 23:53 . 2004-08-04 08:00 577536 ----a-w- c:\windows\system32\user32.dll
2009-07-02 11:33 . 2007-03-03 23:17 -------- d-----w- c:\program files\Macromedia
2009-07-01 15:13 . 2007-03-04 17:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-01 14:30 . 2006-04-26 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-01 14:29 . 2006-04-26 01:02 -------- d-----w- c:\program files\Symantec
2009-07-01 14:22 . 2006-04-26 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-13 19:10 . 2008-02-13 00:52 1878984 ----a-w- c:\documents and settings\Nathan Smith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-05-19 22:57 . 2006-09-14 22:35 -------- d-----w- c:\program files\PartyGaming
2009-05-18 16:13 . 2009-05-18 16:13 -------- d-----w- c:\program files\Broadcom
2009-05-07 15:44 . 2004-08-04 08:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2004-08-04 08:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 08:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 08:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-10-02 23:49 . 2006-10-02 23:49 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-02_23.59.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-04 12:36 . 2009-07-04 12:36 16384 c:\windows\temp\Perflib_Perfdata_e0.dat
+ 2009-07-04 00:00 . 2009-07-04 00:00 10134 c:\windows\Installer\{5aa47dba-b584-4d47-a626-76e53fc2987d}\SystemFolder_msiexec.exe
+ 2009-07-03 23:58 . 2009-07-03 23:57 148888 c:\windows\system32\javaws.exe
+ 2009-07-03 23:58 . 2009-07-03 23:57 144792 c:\windows\system32\javaw.exe
+ 2009-07-03 23:58 . 2009-07-03 23:57 144792 c:\windows\system32\java.exe
+ 2009-07-04 00:00 . 2009-07-04 00:00 414720 c:\windows\Installer\1281ad.msi
+ 2009-07-03 23:58 . 2009-07-03 23:58 873472 c:\windows\Installer\1281a9.msi
+ 2009-07-03 23:57 . 2009-07-03 23:57 536576 c:\windows\Installer\1281a3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-03 148888]

c:\documents and settings\Nathan Smith\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-17 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-11-21 372224]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-12-25 229376]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-3 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-24 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\PartyGaming\\PartyGaming.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [15/12/2004 12:18 PM 200192]
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-03-09 02:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
Trusted Zone: ctv.ca\www
Trusted Zone: tsn.ca\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} - hxxp://dsp03.eastlink.ca/SelfProvisioning.cab
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - hxxps://mytbb.primus.ca/webportal/plugins/VMPlayer.cab
FF - ProfilePath - c:\documents and settings\Nathan Smith\Application Data\Mozilla\Firefox\Profiles\woatn0gi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 19:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????)?n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-05 19:42
ComboFix-quarantined-files.txt 2009-07-05 22:42
ComboFix2.txt 2009-07-03 00:06

Pre-Run: 20,677,988,352 bytes free
Post-Run: 20,665,364,480 bytes free

198 --- E O F --- 2009-06-11 10:01

Attached Files

combofix.txt (14.9 KB, 2 views)

KB.

Thanks for the response.

Before we proceed, I'd like to confirm some information and have you re-run DDS.

Information Needed
1. Were you able to successfully run the Norton removal tool?
2. Did you delete the files/folders I requested?
3. Which AntiVirus application did you install?
4. Does your new AntiVirus application update and scan properly?
5. What happened when you attempted to run the Kaspersky Online Scanner ... why did it not work?

Re-run DDS
Please re-run DDS as you did prior to your initial post (cf. Initial Post Instructions ). I'll need to see that in your response.

Post back
Please post back with the following:

A. Answers to questions 1. through 5. above.
B. New DDS report.
C. System status ... how is your computer running now?

Good Luck

tetonbob

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help