07-01-2009, 11:42 AM   #1
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: XP


Redirect Malware problem

I was using Trend Micro's 30-day trial on my PC (my MS One Care sub had run out) and the TM trial expired Monday. The SAME day I start getting redirected whenever I do a Google search and then I lose control of my browser. I think it's kinda funny these virus software companies are like the mafia. Trial expires and then all of a sudden a virus/malware problem and they want your money. I wouldn't doubt the problem is from TM themselves...

So, I ran Ad-Aware, Malwarebytes, and HouseCall and none of them find anything. At ALL. And I even installed Kaspersky but it doesn't find anything. It DOES report "password protected files" that seem to all be under a Trend Micro directory. And I had to uninstall TM completely to get Kaspersky to install...

I ran the DDS and GMER. Those log files are attached/posted as requested in the sticky thread.

Thanks in advance for the help!


DDS (Ver_09-06-26.01) - NTFSx86
Run by Susan at 10:21:57.06 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.492 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\temp\virus logs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://gmail.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=gvZ1F.tC4POBd.KJNUuIzw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: isoHunt-Vuze Toolbar: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - c:\program files\isohunt-vuze\tbIso1.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: isoHunt-Vuze Toolbar: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - c:\program files\isohunt-vuze\tbIso1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Tunebite] c:\program files\rapidsolution\tunebite\Tunebite.exe -tray
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211042952317
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://63.138.232.19/activex/AxisCamControl.ocx
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
TCP: {143A5FDE-5F70-4312-B79A-4795F3DB9F5B} = 192.168.0.5
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\susan\applic~1\mozilla\firefox\profiles\vxmuqh80.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2014090&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2014090&SearchSource=2&q=
FF - plugin: c:\documents and settings\susan\application data\mozilla\firefox\profiles\vxmuqh80.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-30 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-6-30 226832]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-4-27 93960]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-2-4 317440]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-29 1684736]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-5-24 335376]

=============== Created Last 30 ================

2009-07-01 10:19 <DIR> --d----- c:\temp\virus logs
2009-06-30 20:17 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-30 20:17 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-06-30 20:16 <DIR> --d----- c:\program files\Kaspersky Lab
2009-06-30 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-06-30 16:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-30 11:39 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-30 11:25 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-30 11:23 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-30 11:22 <DIR> --d----- c:\program files\Lavasoft
2009-06-30 11:07 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-06-21 20:16 <DIR> --d----- c:\temp\wall pictures
2009-06-16 16:09 <DIR> --d----- c:\program files\Sling Media
2009-06-16 16:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sling Media
2009-06-16 16:07 <DIR> --d----- c:\windows\Downloaded Installations
2009-06-16 12:49 <DIR> --d----- c:\program files\Games
2009-06-10 09:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-10 09:46 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-07 10:47 <DIR> --d----- c:\temp\wyatt games
2009-06-02 19:47 <DIR> --d----- c:\program files\SystemRequirementsLab

==================== Find3M ====================

2009-07-01 00:03 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-24 21:45 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-05-24 20:39 23,975,176 a------- C:\sdsetup.exe
2009-05-24 20:35 38,912 a------- C:\AntiBrontokA-en.exe
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-12-24 14:45 21,584 a------- c:\docume~1\susan\applic~1\GDIPFONTCACHEV1.DAT
2007-02-12 19:10 2,682,880 -------- c:\documents and settings\all users\VCREDI~3.EXE

============= FINISH: 10:24:24.82 ===============
Attached Files
File Type: zip Attach.zip (9.5 KB, 3 views)
rowan555 is offline  
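As an added example (not from the thread, the DDS tool, or any helper's procedure), the script below walks the Pseudo HJT Report and FIREFOX sections of a DDS log like the one above and flags the entries a helper checks first: protection products reporting themselves disabled, search and start-page settings pointing at unexpected hosts, hooks or toolbars backed by "No File", AppInit_DLLs injections, and ActiveX (DPF) downloads from a bare IP or pointing straight at an .exe. The function names, the EXPECTED_HOSTS list and the SAMPLE_LOG are my own constructed assumptions; a flagged line is a prompt for a human look, not a verdict.

```python
"""Triage aid for DDS logs (added example; not part of the forum post or of DDS).

It walks the "Pseudo HJT Report" and FIREFOX sections of a DDS log and reports
the entries a malware-removal helper checks first:
  * AV/FW lines where the product reports itself disabled,
  * search, start-page and keyword settings pointing at an unexpected host,
  * URL search hooks, toolbars or explorer bars with "No File" behind them,
  * AppInit_DLLs entries (DLLs loaded into every GUI process),
  * DPF (ActiveX download) entries served from a bare IP or pointing at an .exe.
It is a triage aid only: a flagged line still needs a human verdict.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Hosts considered normal for search/start-page settings (an assumption made
# for this example; a helper would extend it with the user's known defaults).
EXPECTED_HOSTS = {
    "www.google.com", "google.com", "gmail.com", "mail.google.com",
    "www.bing.com", "search.live.com", "search.yahoo.com",
}

# DDS writes "hxxp" in place of "http" so that logged URLs are not clickable.
_URL_RE = re.compile(r"hxxps?://([^/\s?]+)", re.IGNORECASE)

# Setting names (IE and Firefox) that decide where searches and the start page go.
_SEARCH_KEYS = (
    "Start Page", "Search Page", "Search Bar", "SearchMigratedDefaultUrl",
    "SearchAssistant", "SearchURL", "browser.search.defaulturl",
    "keyword.URL", "browser.startup.homepage",
)


def host_of(line: str) -> Optional[str]:
    """Lower-cased host of the first hxxp(s) URL in the line, or None."""
    m = _URL_RE.search(line)
    return m.group(1).lower() if m else None


def is_bare_ip(host: str) -> bool:
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_dds(log_text: str) -> List[Dict[str, str]]:
    """Return one {'kind', 'line'} finding per suspicious DDS log line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The part before the first "=" is the setting name for IE/FF entries.
        key = line.split("=", 1)[0]
        if line.startswith(("AV:", "FW:")) and "disabled" in line.lower():
            findings.append({"kind": "protection_disabled", "line": line})
        elif line.endswith("No File"):
            findings.append({"kind": "missing_file", "line": line})
        elif line.startswith("AppInit_DLLs:"):
            findings.append({"kind": "appinit_dlls", "line": line})
        elif line.startswith("DPF:"):
            host = host_of(line)
            if host and (is_bare_ip(host) or line.lower().endswith(".exe")):
                findings.append({"kind": "suspicious_activex", "line": line})
        elif any(name in key for name in _SEARCH_KEYS):
            host = host_of(line)
            if host and host not in EXPECTED_HOSTS:
                findings.append({"kind": "search_redirect", "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'search_redirect': 2, ...}."""
    return dict(Counter(f["kind"] for f in findings))


# Constructed sample in DDS format (not a real log; GUIDs and hosts are dummies).
SAMPLE_LOG = """
AV: ExampleAV *On-access scanning disabled* (Updated) {00000000-0000-0000-0000-000000000001}
FW: ExampleAV *disabled* {00000000-0000-0000-0000-000000000001}
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=X&searchfor={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
TB: {00000000-0000-0000-0000-000000000002} - No File
DPF: {00000000-0000-0000-0000-000000000003} - hxxp://dl.example.invalid/c/ge/installer.exe
DPF: {00000000-0000-0000-0000-000000000004} - hxxp://192.0.2.19/activex/Control.ocx
DPF: {00000000-0000-0000-0000-000000000005} - hxxp://java.sun.com/update/1.6.0/jinstall.cab
AppInit_DLLs: c:\\progra~1\\vendor\\hook1.dll,c:\\progra~1\\vendor\\hook2.dll
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT0000000&q=
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['line']}")
    print(summarize(triage_dds(SAMPLE_LOG)))
```

Run it against a saved DDS log by passing the file contents to triage_dds(); entries the script does not flag (BHOs, toolbars with a backing DLL, services) still need the usual manual review.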
07-06-2009, 01:29 PM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,692
OS: 2000 Pro; XP Pro; XP Home


Re: Redirect Malware problem

Hello, rowan555 -

Apologies for the delay in reply; the forum has been very busy.

If you still require assistance, please post a new set of logs from DDS and gmer, so I can determine the current condition of the machine. I'm subscribed to this topic, and will be notified immediately of your reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
07-06-2009, 01:43 PM   #3
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: XP


Re: Redirect Malware problem

I do still require assistance. I have been waiting patiently.

I haven't done ANYTHING since posting the log files as far as further diag or remedy. I haven't installed or uninstalled anything. I have been using my computer very minimally over the weekend. The only thing I have done is surf the internet using Firefox and chatted with Yahoo Messenger. That is all.

If you still think something significant may have changed since my posting the logs, I will run them again when I get home from work this evening. But honestly, I don't see how anything could have changed.

Let me know. Thanks!
rowan555 is offline  
07-06-2009, 03:37 PM   #4
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,692
OS: 2000 Pro; XP Pro; XP Home


Re: Redirect Malware problem

Ok, if nothing has changed, and you've not attempted any removals on your own, we can work from the initial logs posted. If, however, you did make any changes, please post new logs instead of these next instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from one of these locations:
     Link 1
     Link 2
     Link 3
     * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
     You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
     Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

     The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

     With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

     ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
     The Recovery Console was successfully installed.

     Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
     Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
07-06-2009, 08:26 PM   #5
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: XP


Re: Redirect Malware problem

Ok, I ran ComboFix and I am posting the log file to this post. I went ahead and reran the DDS and GMER as well and posted those logs just in case something has changed. But I am fairly confident nothing has.

Thanks!

ComboFix 09-07-06.02 - Susan 07/06/2009 20:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.538 [GMT -5:00]
Running from: c:\documents and settings\Susan\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNETabncninf.sys
c:\windows\system32\SKYNEToffnwpuw.dll
c:\windows\system32\SKYNETqxobsbbn.dat
c:\windows\system32\SKYNETuoypvpfd.dat
c:\windows\system32\SKYNETvktaouat.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETuebwtoke


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-07 01:52 . 2009-07-07 02:12 1888800 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-07 01:52 . 2009-07-07 02:08 352288 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-05 04:56 . 2009-07-05 04:56 -------- d-----w- c:\temp\New Young Pony Club - Fantastic Playroom [2007.INDIE].By KELOLO
2009-07-01 15:19 . 2009-07-07 02:13 -------- d-----w- c:\temp\virus logs
2009-07-01 05:03 . 2009-07-01 05:03 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-07-01 05:03 . 2009-07-01 05:03 206088 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-07-01 05:03 . 2009-07-01 05:03 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-07-01 01:17 . 2009-07-01 05:03 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-07-01 01:17 . 2009-07-01 05:03 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-07-01 01:16 . 2009-07-07 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-01 01:16 . 2009-07-01 01:16 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-30 21:51 . 2009-06-30 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-30 16:39 . 2009-06-30 16:25 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-30 16:23 . 2009-06-30 16:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-30 16:23 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-30 16:22 . 2009-06-30 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-30 16:22 . 2009-06-30 16:22 -------- d-----w- c:\program files\Lavasoft
2009-06-30 14:28 . 2009-06-30 14:28 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-25 22:18 . 2009-06-25 22:18 488960 ----a-w- c:\documents and settings\Susan\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...070-0-main.dll
2009-06-25 22:18 . 2009-06-25 22:18 319488 ----a-w- c:\documents and settings\Susan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-06-24 03:32 . 2009-03-09 16:34 971776 ----a-w- c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vxmuqh80.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-06-22 01:16 . 2009-06-22 01:33 -------- d-----w- c:\temp\wall pictures
2009-06-16 21:09 . 2009-06-16 21:09 -------- d-----w- c:\program files\Sling Media
2009-06-16 21:09 . 2009-06-16 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media
2009-06-16 21:07 . 2009-06-16 21:07 -------- d-----w- c:\windows\Downloaded Installations
2009-06-16 17:49 . 2009-06-16 17:49 -------- d-----w- c:\program files\Games
2009-06-10 14:46 . 2009-06-10 14:45 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-10 14:44 . 2009-06-10 14:44 152576 ----a-w- c:\documents and settings\Susan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 15:47 . 2009-06-07 15:48 -------- d-----w- c:\temp\wyatt games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 02:14 . 2008-09-08 16:07 -------- d-----w- c:\documents and settings\Susan\Application Data\Tunebite
2009-07-07 02:14 . 2009-07-07 01:52 16984 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-07 02:08 . 2009-07-07 01:52 2284 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-06 16:25 . 2009-06-30 16:25 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-06 16:25 . 2009-06-30 16:25 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-06 16:25 . 2009-06-30 16:25 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-05 14:24 . 2008-09-08 03:22 -------- d-----w- c:\documents and settings\Susan\Application Data\BitTorrent
2009-07-05 02:18 . 2009-03-25 23:06 -------- d-----w- c:\program files\Warcraft III
2009-07-01 05:03 . 2008-01-29 22:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-07-01 04:53 . 2009-05-25 02:59 -------- d-----w- c:\program files\Trend Micro
2009-06-30 14:28 . 2009-05-25 13:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 22:02 . 2008-06-10 00:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 17:30 . 2009-01-09 15:27 -------- d-----w- c:\documents and settings\Susan\Application Data\uTorrent
2009-06-24 20:52 . 2008-08-26 15:44 -------- d-----w- c:\documents and settings\Susan\Application Data\U3
2009-06-17 16:27 . 2009-05-25 13:41 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-05-25 13:41 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 21:10 . 2008-05-17 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 19:29 . 2009-05-10 00:04 -------- d-----w- c:\documents and settings\Susan\Application Data\funkitron
2009-06-16 17:35 . 2009-03-15 17:52 -------- d-----w- c:\program files\Transcend
2009-06-10 14:45 . 2008-05-23 20:20 -------- d-----w- c:\program files\Java
2009-06-10 01:15 . 2009-05-28 22:48 35 ----a-w- c:\windows\popcinfo.dat
2009-06-03 00:47 . 2009-06-03 00:47 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-03 00:47 . 2009-06-03 00:47 -------- d-----w- c:\documents and settings\Susan\Application Data\SystemRequirementsLab
2009-06-03 00:47 . 2009-06-03 00:47 207872 ----a-w- c:\documents and settings\Susan\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-06-03 00:47 . 2009-06-03 00:47 207872 ----a-w- c:\documents and settings\Susan\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-06-03 00:47 . 2009-06-03 00:47 207872 ----a-w- c:\documents and settings\Susan\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-06-03 00:47 . 2009-06-03 00:47 207872 ----a-w- c:\documents and settings\Susan\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-05-31 20:23 . 2009-05-31 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Marlin
2009-05-28 23:35 . 2009-05-28 23:35 22 ----a-w- c:\windows\popcinfot.dat
2009-05-25 13:42 . 2009-05-25 13:42 -------- d-----w- c:\documents and settings\Susan\Application Data\Malwarebytes
2009-05-25 13:41 . 2009-05-25 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 02:45 . 2009-05-25 02:45 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2009-05-25 01:39 . 2009-05-25 01:39 23975176 ----a-w- C:\sdsetup.exe
2009-05-25 01:35 . 2009-05-25 01:36 38912 ----a-w- C:\AntiBrontokA-en.exe
2009-05-24 22:03 . 2009-05-24 22:03 422 ----a-w- c:\documents and settings\Susan\Application Data\Azureus\socks1.exe
2009-05-24 22:03 . 2009-05-24 22:03 16141 ----a-w- c:\documents and settings\Susan\Application Data\funkitron\lego.exe
2009-05-24 22:03 . 2009-05-24 22:03 145131 ----a-w- c:\documents and settings\Susan\Application Data\BitTorrent\nomad.exe
2009-05-24 22:03 . 2009-05-24 22:03 13221 ----a-w- c:\documents and settings\Susan\Application Data\Apple Computer\rengo.dll
2009-05-24 22:03 . 2009-05-24 22:03 11232 ----a-w- c:\documents and settings\Susan\Application Data\Adobe\shalom.exe
2009-05-24 22:03 . 2009-05-24 22:03 10121 ----a-w- c:\documents and settings\Susan\Application Data\GlobalSCAPE\kern.dll
2009-05-16 16:48 . 2009-05-16 16:44 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-05-16 14:57 . 2008-06-10 00:51 -------- d-----w- c:\program files\Shockwave.com
2009-05-14 23:15 . 2008-12-06 01:15 -------- d-----w- c:\program files\ABC Amber LIT Converter
2009-05-12 22:21 . 2009-05-12 22:20 -------- d-----w- c:\program files\Virtual Families
2009-05-11 23:12 . 2009-05-09 22:19 -------- d-----w- c:\program files\Ricochet Lost Worlds Recharged
2009-05-10 23:19 . 2009-05-09 22:20 -------- d-----w- c:\program files\Slingo Quest
2009-05-07 15:32 . 2001-08-23 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 01:56 . 2008-05-17 19:41 22928 ----a-w- c:\documents and settings\Susan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 12:26 . 2001-08-23 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 21:11 . 2009-04-15 21:11 32768 ----a-r- c:\documents and settings\Susan\Application Data\Microsoft\Installer\{EC918800-3986-4359-A7F9-EFAA3BDF46A9}\_106C25005944_4363_90EA_4E4354C64618.exe
2009-04-15 14:51 . 2001-08-23 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}]
2009-06-23 19:46 2094616 ----a-w- c:\program files\Isohunt-vuze\tbIso1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Tunebite"="c:\program files\RapidSolution\Tunebite\Tunebite.exe" [2008-06-12 6366512]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-10 148888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-01 206088]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2007-02-28 53248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-25 17567744]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V - Tribes of the East\\bin\\H5_Game.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-06 1684736]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-05-25 335376]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-07-01 33808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-30 64160]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-02-02 317440]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-06-30 1029456]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-04-27 93960]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 16:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=gvZ1F.tC4POBd.KJNUuIzw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {143A5FDE-5F70-4312-B79A-4795F3DB9F5B} = 192.168.0.5
FF - ProfilePath - c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vxmuqh80.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2014090&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2014090&SearchSource=2&q=
FF - plugin: c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vxmuqh80.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 21:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1428)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BRSVC01A.EXE
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-07-07 21:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 02:19

Pre-Run: 36,975,046,656 bytes free
Post-Run: 38,216,077,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

235 --- E O F --- 2009-06-11 08:03
Attached Files: attach.zip (10.3 KB)
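The ComboFix output above is the kind of log a malware-removal helper reads by eye, looking first at a handful of places: the firewall flag, the firewall exception list, and the browser search settings. The script below is an added example, not part of the original post and not ComboFix's own code, that applies those same checks to an abridged copy of the log. The heuristics it uses (which search hosts count as toolbar providers, that the real Service Host binary lives at %windir%\system32\svchost.exe, which executables are P2P clients) are this example's own assumptions; a hit means "look at this entry", not "this is malware".

```python
"""Triage a ComboFix-style log for entries a malware-removal helper checks first.

Added example, not part of the original post and not ComboFix code. The
sample lines are abridged copies of the log above; the heuristics (which
search hosts count as toolbar providers, where svchost.exe belongs, which
executables are P2P clients) are this example's own assumptions.
"""
import re

# Search hosts commonly set by bundled toolbars (assumption; extend as needed).
TOOLBAR_SEARCH_HOSTS = ("mywebsearch.com", "search.conduit.com")

# Where the real Service Host binary lives on Windows XP.
EXPECTED_SVCHOST = r"%windir%\system32\svchost.exe"

# P2P client executables named in the helper's pre-posting instructions.
P2P_CLIENTS = ("bittorrent.exe", "utorrent.exe", "limewire.exe", "vuze.exe")

# Constructed sample: abridged lines from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&searchfor={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2014090&SearchSource=3&q=
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2014090&SearchSource=2&q=
"""

FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*(\d+)')
# Firewall exception lines: "<path with doubled backslashes>"=
EXCEPTION_RE = re.compile(r'^"((?:[A-Za-z]:|%windir%)\\\\.*?)"=\s*$')
# ComboFix defangs http as hxxp; capture the host part of each URL.
URL_RE = re.compile(r"hxxps?://([^/\s]+)")
# Setting name at the start of a line, with the "FF - prefs.js:" prefix stripped.
SETTING_RE = re.compile(r"^(?:FF - prefs\.js: )?(\S+)")


def triage(log_text):
    """Return a list of (category, detail) findings for one log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = FIREWALL_RE.search(line)
        if m:
            if m.group(1) == "0":
                findings.append(("firewall_disabled", line))
            continue

        m = EXCEPTION_RE.match(line)
        if m:
            path = m.group(1).replace("\\\\", "\\")
            lowered = path.lower()
            if lowered.endswith("\\svchost.exe") and lowered != EXPECTED_SVCHOST.lower():
                # A Service Host binary anywhere but system32 is out of place.
                findings.append(("svchost_outside_system32", path))
            elif lowered.rsplit("\\", 1)[-1] in P2P_CLIENTS:
                findings.append(("p2p_client_in_firewall_exceptions", path))
            continue

        for host in URL_RE.findall(line):
            if any(host == h or host.endswith("." + h) for h in TOOLBAR_SEARCH_HOSTS):
                setting = SETTING_RE.match(line).group(1)
                findings.append(("toolbar_search_provider", "%s -> %s" % (setting, host)))
                break
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print("%-34s %s" % (category, detail))
```

Run against the sample it reports the disabled firewall, the BitTorrent client and the out-of-place svchost.exe in the exception list, and the three search settings (one IE, two Firefox) that point at toolbar search providers rather than the user's chosen engine. Those are exactly the lines a helper would ask about next.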
Old 07-06-2009, 08:45 PM   #6 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,692
OS: 2000 Pro; XP Pro; XP Home

Re: Redirect Malware problem

Looks much better now. I should think the redirects have ended.

As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
3. Uninstall the following via Add or Remove Programs in Control Panel:

  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software ( BitTorrent, Vuze ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 14 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u14 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    Java 2 Runtime Environment, SE v1.4.2_17
    Java 2 SDK, SE v1.4.2_17
    Java(TM) 6 Update 13
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
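The Java step in the reply above asks the user to pick every older runtime out of Add/Remove Programs by hand, which is error-prone because Sun used three different version spellings in the same list ("SE v1.4.2_17", "Java(TM) 6 Update 13", and "6u14" in the installer name). The script below is an added example, not part of the original post or of Sun's tooling, that normalises those spellings to one comparable tuple and reports which entries fall below the installer being deployed. The entry names are constructed from the three the post lists plus two non-Java distractors; a real audit would read the display names from the Uninstall registry key instead of a hard-coded list.

```python
"""Audit Add/Remove Programs entries for Java runtimes older than a target.

Added example, not part of the original post. The entry names below are
constructed from the three the post lists; the target is the installer
name the post gives (jre-6u14-windows-i586-p.exe). A real audit would
read the names from the Uninstall registry key rather than a list.
"""
import re

# Constructed sample of Add/Remove Programs display names.
SAMPLE_ENTRIES = [
    "Java 2 Runtime Environment, SE v1.4.2_17",
    "Java 2 SDK, SE v1.4.2_17",
    "Java(TM) 6 Update 13",
    "Adobe Reader 8",
    "Mozilla Firefox (3.0.11)",
]

# Three naming schemes, all normalised to (major, minor, micro, update) in the
# 1.x numbering so that "6 Update 13" (1.6.0_13) compares correctly with "1.4.2_17".
DOTTED_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)_(\d+)\b")                    # 1.4.2_17
UPDATE_RE = re.compile(r"\bJava(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)", re.I)   # Java(TM) 6 Update 13
SHORT_RE = re.compile(r"\b(\d+)u(\d+)\b")                                      # jre-6u14-...


def parse_java_version(text):
    """Return (major, minor, micro, update) or None if no Java version is found."""
    m = DOTTED_RE.search(text)
    if m:
        return tuple(int(x) for x in m.groups())
    m = UPDATE_RE.search(text)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = SHORT_RE.search(text)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    return None


def is_java_entry(name):
    """Match the names the post says to look for (JRE, J2SE, Java(TM) 6)."""
    lowered = name.lower()
    return "java" in lowered or "j2se" in lowered


def outdated_java(entries, target_installer):
    """Return the Java entries whose version is below that of target_installer."""
    target = parse_java_version(target_installer)
    if target is None:
        raise ValueError("cannot parse a Java version from %r" % (target_installer,))
    stale = []
    for name in entries:
        if not is_java_entry(name):
            continue
        version = parse_java_version(name)
        # A Java entry with no parseable version is reported too: review it
        # rather than silently leave it installed.
        if version is None or version < target:
            stale.append(name)
    return stale


if __name__ == "__main__":
    for name in outdated_java(SAMPLE_ENTRIES, "jre-6u14-windows-i586-p.exe"):
        print("remove:", name)
```

With the sample list and the 6u14 installer the script names the same three entries the reply tells the user to remove, and leaves an entry at or above 6 Update 14 alone.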
Old 07-11-2009, 07:52 PM   #7 (permalink)
tetonbob

Re: Redirect Malware problem

Still with me, rowan555?

I generally unsubscribe from threads after 7 days of inactivity. If I don't receive a reply from you within 2 days of this post, this topic will be closed.
Old 07-14-2009, 07:48 PM   #8 (permalink)
tetonbob

Re: Redirect Malware problem

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
Copyright 2001 - 2009, Tech Support Forum