Tech Support Forum, Resolved HJT Threads: resolved spyware and popup issues.
Old 11-10-2008, 06:51 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Ried #3

Ried,
This is my desktop that I don't use much anymore but for processing photos. It's also infected with the same ads and blocked sites. Never experienced a re-direct or anything crazy.

Here is the DDS log:

DDS (Version 1.0) - NTFSx86
Run by Administrator at 19:00:53.56 on Mon 11/10/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1663 [GMT -6:00]

=============== Created Last 30 ================

2008-11-10 18:57 <DIR> --d----- e:\windows\system32\appmgmt
2008-11-07 06:42 3,560 a------- e:\windows\system32\tmp.reg
2008-11-06 22:18 <DIR> --d----- e:\docume~1\admini~1\applic~1\Malwarebytes
2008-11-06 22:18 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-06 22:16 <DIR> --d----- e:\program files\Trojan Remover
2008-11-04 22:09 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Lavasoft
2008-10-18 15:16 333,824 -c------ e:\windows\system32\dllcache\srv.sys
2008-10-18 15:16 1,846,400 -c------ e:\windows\system32\dllcache\win32k.sys
2008-10-18 15:16 2,189,184 -c------ e:\windows\system32\dllcache\ntoskrnl.exe
2008-10-18 15:16 2,145,280 -c------ e:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-18 15:16 2,066,048 -c------ e:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-18 15:16 2,023,936 -c------ e:\windows\system32\dllcache\ntkrpamp.exe

================== Find3M ==================

2008-11-10 18:56 <DIR> --d----- e:\docume~1\admini~1\applic~1\WTablet
2008-09-28 15:25 <DIR> --d----- e:\docume~1\admini~1\applic~1\Imagenomic
2008-09-28 15:23 <DIR> --d----- e:\program files\Instant JPEG From RAW
2008-09-15 06:12 1,846,400 a------- e:\windows\system32\win32k.sys
2008-08-26 01:24 826,368 a------- e:\windows\system32\wininet.dll
2008-08-14 04:09 2,145,280 a------- e:\windows\system32\ntoskrnl.exe
2008-08-14 03:33 2,023,936 a------- e:\windows\system32\ntkrnlpa.exe
2008-01-27 10:49 <DIR> --d----- e:\docume~1\admini~1\applic~1\TomTom
2008-01-27 10:49 <DIR> --d----- e:\docume~1\alluse~1\applic~1\TomTom
2008-01-20 18:24 <DIR> --d----- e:\docume~1\admini~1\applic~1\GretagMacbeth
2008-01-20 15:10 <DIR> --d----- e:\docume~1\admini~1\applic~1\PCF-VLC
2008-01-20 15:05 <DIR> --d----- e:\docume~1\admini~1\applic~1\Participatory Culture Foundation
2008-01-20 15:05 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Participatory Culture Foundation
2008-01-20 09:40 <DIR> --d----- e:\docume~1\admini~1\applic~1\OfficeUpdate12
2008-01-15 20:54 <DIR> --d----- e:\docume~1\alluse~1\applic~1\nView_Profiles
2008-01-13 16:00 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Windows Genuine Advantage
2008-07-27 18:38 32,768 a--sh--- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072720080728\index.dat

============== Psuedo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - e:\program files\java\jre1.6.0_05\bin\ssv.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [NVRaidService] e:\windows\system32\nvraidservice.exe
mRun: [HPDJ Taskbar Utility] e:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] e:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] "e:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "e:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] e:\windows\system32\hphmon06.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "e:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "e:\program files\adobe\adobe photoshop lightroom 1.3\apdproxy.exe"
mRun: [TomTomHOME.exe] "e:\program files\tomtom home 2\HOMERunner.exe" -s
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\logo calibration loader.lnk - e:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\profilereminder.lnk - e:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - e:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - e:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - e:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - e:\windows\system32\msvidctl.dll
Handler: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - e:\progra~1\common~1\micros~1\webcom~1\11\OWC11.DLL
SSODL: {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ==============

S3 i1display;i1 Display;e:\windows\system32\drivers\i1display.sys
R2 PDIHWCTL;PDIHWCTL;e:\windows\system32\drivers\pdihwctl.sys
R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;e:\windows\system32\drivers\Si3132r5.sys
R3 wacommousefilter;Wacom Mouse Filter Driver;e:\windows\system32\drivers\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;e:\windows\system32\drivers\wacomvhid.sys
R3 WacomVKHid;Virtual Keyboard Driver;e:\windows\system32\drivers\WacomVKHid.sys
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe

============= FINISH: 19:01:11.91 ===============
Attached Files
File Type: txt gmer.txt (388 Bytes, 0 views)
File Type: txt Attach.txt (42.7 KB, 0 views)
Posted by red_machine
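The DDS log above lists the machine's autorun points in its "Psuedo HJT Report" section. The Python below is an added example, not part of the thread and not code from the DDS tool: it parses those lines into structured records and applies a small triage rule set of my own. Run values whose image is named without a directory (SOUNDMAN.EXE and nwiz.exe in this log) are queued for review because the log alone cannot say which file the loader will actually find; images under a user profile are flagged; and the repeated IE entries (DDS lists extensions once per hive) are marked as duplicates rather than findings. The sample lines are excerpted from the log posted above; the `SYSTEM_ROOTS` list and the flag names are assumptions of this example.

```python
"""Parse the autorun section of a DDS log ("Psuedo HJT Report") and triage entries.

Added example, not part of the forum thread or of the DDS tool. Sample lines are
excerpted from the DDS log posted above; the triage rules are this example's own.
"""
import re
from collections import Counter

# Excerpt of the "Psuedo HJT Report" section from the log posted above.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [HP Software Update] "e:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TomTomHOME.exe] "e:\program files\tomtom home 2\HOMERunner.exe" -s
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\profilereminder.lnk - e:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - e:\windows\system32\msvidctl.dll
SSODL: {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
"""

RUN_RE = re.compile(r"^(uRun|mRun): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DASH_RE = re.compile(r"^(?P<kind>BHO|StartupFolder|IE|Filter|Handler|SSODL): (?P<body>.+)$")

# Directory prefixes (lower-cased, drive letter stripped) treated as expected locations.
# This list is an assumption of the example, not something DDS defines.
SYSTEM_ROOTS = ("\\windows\\", "\\program files\\", "\\progra~1\\", "%windir%\\")


def image_from_command(cmd):
    """Return the executable (or, for rundll32, the loaded DLL) referenced by a Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() == "rundll32.exe" and rest:
        # rundll32 itself is a Windows binary; the module it loads is what matters.
        return rest.split(",", 1)[0].strip()
    return first


def location_flags(path):
    """Flags describing where an autorun image lives; an empty list means nothing unusual."""
    flags = []
    if "\\" not in path and "/" not in path:
        # No directory: the loader finds it via the search path, so the reviewer must
        # confirm which file actually runs (the log alone does not say).
        flags.append("unqualified_image")
        return flags
    no_drive = re.sub(r"^[a-z]:", "", path.lower())
    if not no_drive.startswith(SYSTEM_ROOTS):
        flags.append("outside_system_dirs")
    if "\\docume~1\\" in no_drive or "\\documents and settings\\" in no_drive:
        flags.append("user_profile_location")
    return flags


def parse_dds_autoruns(text):
    """Parse the autorun section into records of {kind, name, image, flags}."""
    records = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            scope = "user" if line.startswith("uRun") else "machine"
            image = image_from_command(m.group("cmd"))
            records.append({"kind": f"Run({scope})", "name": m.group("name"),
                            "image": image, "flags": location_flags(image)})
            continue
        m = DASH_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group("body").split(" - ")]
            image = parts[-1]          # the path is always the last " - " field
            records.append({"kind": m.group("kind"), "name": parts[0],
                            "image": image, "flags": location_flags(image)})
            continue
        if line.startswith(("uInternet Settings", "mInternet Settings")):
            key, _, value = line.partition(" = ")
            records.append({"kind": "Setting", "name": key.split(",", 1)[1],
                            "image": value, "flags": []})
    # DDS lists IE extensions once per hive, so identical repeats are informational only.
    seen = Counter((r["kind"], r["name"], r["image"]) for r in records)
    for r in records:
        if seen[(r["kind"], r["name"], r["image"])] > 1:
            r["flags"].append("duplicate_entry")
    return records


def review_queue(records):
    """Names of entries a reviewer should look at first (any flag except duplicate)."""
    return [r["name"] for r in records if set(r["flags"]) - {"duplicate_entry"}]


if __name__ == "__main__":
    for rec in parse_dds_autoruns(SAMPLE_DDS):
        print(f"{rec['kind']:14} {rec['name']:40} {rec['image']}  {rec['flags']}")
```

On the excerpt above the review queue comes back as SoundMan and nwiz; both turn out to be benign vendor entries on this machine (ComboFix later resolves them to e:\windows\soundman.exe and e:\windows\system32\nwiz.exe), which is exactly the confirmation step the flag asks for.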

Old 11-10-2008, 08:09 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

Same for this PC.

We'll begin with ComboFix. Download the tool from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 11-10-2008, 09:54 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

ComboFix 08-11-10.01 - Administrator 2008-11-10 22:49:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1679 [GMT -6:00]
Running from: e:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-10 19:07 . 2008-11-10 19:07 250 --a------ e:\windows\gmer.ini
2008-11-07 06:42 . 2008-11-07 06:42 3,560 --a------ e:\windows\system32\tmp.reg
2008-11-06 22:20 . 2008-11-06 22:20 <DIR> d-------- e:\documents and settings\All Users\Application Data\TEMP
2008-11-06 22:18 . 2008-11-06 22:18 <DIR> d-------- e:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-06 22:18 . 2008-11-06 22:18 <DIR> d-------- e:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-06 22:16 . 2008-11-10 18:58 <DIR> d-------- e:\program files\Trojan Remover
2008-11-04 22:09 . 2008-11-10 18:57 <DIR> d-------- e:\documents and settings\All Users\Application Data\Lavasoft
2008-10-18 15:16 . 2008-08-14 04:11 2,189,184 -----c--- e:\windows\system32\dllcache\ntoskrnl.exe
2008-10-18 15:16 . 2008-08-14 04:09 2,145,280 -----c--- e:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-18 15:16 . 2008-08-14 03:33 2,066,048 -----c--- e:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-18 15:16 . 2008-08-14 03:33 2,023,936 -----c--- e:\windows\system32\dllcache\ntkrpamp.exe
2008-10-18 15:16 . 2008-09-15 06:12 1,846,400 -----c--- e:\windows\system32\dllcache\win32k.sys
2008-10-18 15:16 . 2008-09-08 04:41 333,824 -----c--- e:\windows\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 04:41 --------- d-----w e:\documents and settings\Administrator\Application Data\WTablet
2008-11-11 04:26 --------- d-----w e:\documents and settings\LocalService\Application Data\WTablet
2008-09-28 21:25 --------- d-----w e:\documents and settings\Administrator\Application Data\Imagenomic
2008-09-28 21:23 --------- d-----w e:\program files\Instant JPEG From RAW
2008-09-28 21:21 --------- d-----w e:\program files\Mozilla Thunderbird
2008-09-15 12:12 1,846,400 ----a-w e:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w e:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w e:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w e:\windows\system32\ntkrnlpa.exe
2008-07-28 00:38 32,768 --sha-w e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072720080728\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="e:\windows\system32\nvraidservice.exe" [2005-01-17 84480]
"HPDJ Taskbar Utility"="e:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-06 172032]
"HPHUPD06"="e:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-06 49152]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="e:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="e:\windows\system32\hphmon06.exe" [2006-01-06 659456]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2007-11-06 8523776]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"SunJavaUpdateSched"="e:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Photo Downloader"="e:\program files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 61440]
"TomTomHOME.exe"="e:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 e:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2007-11-06 e:\windows\system32\nwiz.exe]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - e:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-01-15 708608]
ProfileReminder.lnk - e:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-01-15 954368]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;e:\windows\system32\DRIVERS\Si3132r5.sys [2007-06-01 215856]
R2 PDIHWCTL;PDIHWCTL;e:\windows\system32\drivers\pdihwctl.sys [2007-01-25 14416]
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe [2007-09-07 1373480]
R3 wacommousefilter;Wacom Mouse Filter Driver;e:\windows\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;e:\windows\system32\DRIVERS\wacomvhid.sys [2007-02-16 12848]
R3 WacomVKHid;Virtual Keyboard Driver;e:\windows\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11440]
S3 i1display;i1 Display;e:\windows\system32\Drivers\i1display.sys [2004-10-15 44344]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 e:\windows\Tasks\HP Usg Daily FY04.job
- e:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2006-01-06 22:54]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - e:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\matts profile\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.techsupportforum.com/security-center/hijackthis-log-help/311572-ried-3-a.html
FF -: plugin - e:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\matts profile\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 22:50:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-10 22:51:32
ComboFix-quarantined-files.txt 2008-11-11 04:51:26

Pre-Run: 24,177,614,848 bytes free
Post-Run: 25,074,728,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

108 --- E O F --- 2008-10-19 08:02:50
Posted by red_machine
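The ComboFix log above ends its "Reg Loading Points" section with two items an analyst reads before anything else: the Security Center key, where "AntiVirusOverride"=dword:00000001 tells Windows Security Center on XP to stop monitoring and alerting on antivirus status (worth confirming it was set deliberately), and the Windows Firewall AuthorizedApplications list. The Python below is an added example and not ComboFix's own code: it parses the REGEDIT4-style section, including the `[date size]` or `[date resolved-path]` suffix ComboFix appends to Run values, then reports overrides, firewall exceptions, and Run values with the path ComboFix resolved for them. The sample lines are excerpted from the log posted above; the `TRUSTED_ROOTS` list is an assumption of this example.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and report Security Center
override values, firewall authorized applications and Run values.

Added example, not ComboFix's own code. Sample lines are excerpted from the ComboFix
log posted above; the trusted-root list is this example's assumption.
"""
import re

# Excerpt of the REGEDIT4 section from the ComboFix log posted above.
SAMPLE_COMBOFIX = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="e:\windows\system32\nvraidservice.exe" [2005-01-17 84480]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 e:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
# ComboFix appends "[date size]" or "[date resolved-path]" after the value data.
META_RE = re.compile(r"^(?P<data>.*?)\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<extra>[^\]]*)\]$")

SECURITY_CENTER = "hkey_local_machine\\software\\microsoft\\security center"
FIREWALL_LIST_SUFFIX = "\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
# Assumed "expected" roots for firewall exceptions (lower-cased, drive letter stripped).
TRUSTED_ROOTS = ("\\windows\\", "\\program files\\", "%windir%\\")


def parse_reg_points(text):
    """Return {key: {value_name: {"data": str, "date": str|None, "extra": str|None}}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name").replace("\\\\", "\\")   # .reg syntax escapes backslashes
            data, date, extra = m.group("data"), None, None
            meta = META_RE.match(data)
            if meta:
                data, date, extra = meta.group("data"), meta.group("date"), meta.group("extra")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            sections[current][name] = {"data": data, "date": date, "extra": extra}
    return sections


def security_center_overrides(sections):
    """Override values set to 1: Security Center stops monitoring/alerting for that category."""
    found = {}
    for key, values in sections.items():
        if key.lower() == SECURITY_CENTER:
            for name, v in values.items():
                if name.lower().endswith("override") and v["data"].lower() == "dword:00000001":
                    found[name] = True
    return found


def firewall_exceptions(sections):
    """(path, trusted) for every application allowed through the XP firewall."""
    result = []
    for key, values in sections.items():
        if key.lower().endswith(FIREWALL_LIST_SUFFIX):
            for path in values:
                p = re.sub(r"^[a-z]:", "", path.lower())
                result.append((path, p.startswith(TRUSTED_ROOTS)))
    return result


def autorun_images(sections):
    """(value name, command, resolved path if ComboFix printed one) for every Run value."""
    out = []
    for key, values in sections.items():
        if key.lower().endswith("\\currentversion\\run"):
            for name, v in values.items():
                resolved = v["extra"] if v["extra"] and "\\" in v["extra"] else None
                out.append((name, v["data"], resolved))
    return out


if __name__ == "__main__":
    secs = parse_reg_points(SAMPLE_COMBOFIX)
    print("Security Center overrides set:", security_center_overrides(secs))
    for path, trusted in firewall_exceptions(secs):
        print("firewall exception:", path, "" if trusted else "<- outside Windows/Program Files")
    for name, cmd, resolved in autorun_images(secs):
        print(f"Run value {name!r}: {cmd}" + (f" (resolved to {resolved})" if resolved else ""))
```

The resolved path ComboFix prints for bare image names such as SOUNDMAN.EXE is what answers the "which file actually runs" question that a DDS log leaves open, so the two logs are best read together.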
Old 11-10-2008, 09:59 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

Same on this one, we need an online scan to search for remnants.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 11-10-2008, 10:10 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

Ried,
I will get these two scans running and head to bed...I'll post the results in the morning, and check for a response throughout the day from work. I won't be able to actually do anything until I get home ~6pm central. I'll keep my wife off her computer until I hear from you that we are in the clear.
Thanks a ton man... Next time I'm passing through Ohio, I'll buy you a cold drink.
Posted by red_machine
Old 11-10-2008, 10:15 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

Tomorrow I'll be at work as well. I don't expect to be online until after 6pm EST, so you can relax a bit.

I just might take you up on that cold drink.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 11-11-2008, 07:52 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

Kaspersky log
Attached Files
File Type: txt KASP.txt (1,005 Bytes, 2 views)
Posted by red_machine
Old 11-11-2008, 06:56 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

Hi matt_pete,

Delete the file reported in the Kas scan.

That's it. How is the system behaving?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 11-11-2008, 07:21 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

This system is performing flawlessly.

Should I move forward with SpywareBlaster, ZoneOut and SiteAdvisor?
Posted by red_machine
Old 11-11-2008, 07:24 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

Yes, please do.

Also be sure to carry out this next step as well as it will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

Shall we consider this thread resolved?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 11-11-2008, 07:25 PM   #11 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

I will do those 4 steps as soon as I can - in the middle of watching the Mentalist :)
Resolved it is.
Posted by red_machine
Old 11-11-2008, 07:28 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

It's already on and I'm missing it..?! Oh..wait...you're Central time.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 11-11-2008, 07:33 PM   #13 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

When I did the combofix /u, it gave me the error that some installation files were corrupt, and to download new files and try installation again. I now see the little combofix window with the progress bar pinned at 100% - frozen :(

Can I just reboot and hope it goes away?
Posted by red_machine
Old 11-11-2008, 07:43 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

No, don't reboot as it doesn't require it. End task on it via Task Manager.

Delete that combofix.exe from your desktop and download a fresh copy, then run the ComboFix /u again.

Please let me know if it successfully uninstalled.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
Old 11-11-2008, 08:28 PM   #15 (permalink)
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

Ried,
Everything worked just as it was supposed to. This machine is completely good to go now. I'm shutting it down.
Computer #2 is almost finished running the panda scan, and the laptop is on its way...
Posted by red_machine
Old 11-11-2008, 08:33 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Ried #3

Glad to hear it.

I'll move this thread to our Resolved area.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
 


All times are GMT -7.


