Old 12-06-2008, 07:47 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Malware: "Koobface"

I was recently sent what I thought was a message from one of my friends on Facebook. The subject said something to the effect of "is this you"; it then sent me to what appeared to be a YouTube portal, and after it asked me to update my Flash Player, I downloaded the virus. The only problem I can tell that I am having is that whenever I use a search engine, like Google, and click on a result of the search, I am continually being redirected. I have made several failed attempts to locate and remove the malware, but to no avail. If anyone could help me with this HijackThis scan, thanks:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\tinyproxy\tinyproxy.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysftray2] c:\windows\bolivar27.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4712 bytes
firefly50 is offline  
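The three entries in the HijackThis log above that stand out (the IE ProxyServer value pointing at 127.0.0.1:9090, the [sysftray2] Run entry launching c:\windows\bolivar27.exe, and a service carrying the built-in name "Event Log (Eventlog)" whose image path is tinyproxy.exe under Program Files) can be picked out mechanically. The script below is an added example, not code from the thread or from HijackThis; it applies those three heuristics to HijackThis-style lines. The sample input copies lines from the log above, the regexes assume HijackThis's R1/O4/O23 line layout, and the small map of built-in service names to their expected host binaries is an assumption made for the example, not a complete reference. The hits are triage leads, not proof of infection.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example: flags three indicator classes seen in the log above. An IE
ProxyServer pointed at the loopback interface, an O4 Run entry whose binary
sits directly in the Windows directory root, and an O23 service that reuses
a built-in Windows service name but runs from a non-system image path.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Short names of a few built-in XP services and the binary that hosts them.
# This map is an assumption made for the example, not a complete reference.
BUILTIN_SERVICE_IMAGE = {
    "eventlog": "services.exe",
    "spooler": "spoolsv.exe",
    "wuauserv": "svchost.exe",
}

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# These patterns assume the R1 / O4 / O23 line layout HijackThis prints.
RE_PROXY = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_SERVICE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# A bare executable directly under the Windows root, e.g. c:\windows\bolivar27.exe
RE_WINROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")

# Sample input: lines copied from the HijackThis log posted above, including
# two benign entries from the same log so the scan has something to leave alone.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysftray2] c:\windows\bolivar27.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "proxy", "run" or "service"
    reason: str
    line: str


def _exe_path(cmd: str) -> str:
    """Return the executable part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _proxy_hosts(value: str) -> Iterator[str]:
    """Yield the host of each entry in 'http=host:port;https=host:port' or 'host:port'."""
    for entry in value.split(";"):
        entry = entry.strip()
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        entry = re.sub(r"^\w+://", "", entry)      # tolerate 'http://host:port'
        host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        yield host.strip("[]").lower()


def _check_line(line: str) -> Optional[Finding]:
    """Apply the three heuristics to one log line; return a Finding or None."""
    m = RE_PROXY.match(line)
    if m:
        if set(_proxy_hosts(m["value"])) & LOOPBACK_HOSTS:
            return Finding("proxy", "IE proxy points at the loopback interface; "
                           "look for a local proxy process or service", line)
        return None
    m = RE_RUN.match(line)
    if m:
        exe = _exe_path(m["cmd"]).lower().replace("/", "\\")
        if RE_WINROOT_EXE.match(exe):
            return Finding("run", "Run entry [%s] launches a binary from the "
                           "Windows root directory" % m["name"], line)
        return None
    m = RE_SERVICE.match(line)
    if m:
        expected = BUILTIN_SERVICE_IMAGE.get(m["short"].lower())
        if expected and not m["path"].lower().endswith("\\system32\\" + expected):
            return Finding("service", "service '%s' reuses a built-in service name "
                           "but runs %s" % (m["display"], m["path"]), line)
    return None


def scan_hjt(text: str) -> List[Finding]:
    """Run the heuristics over every line and collect the hits in log order."""
    findings = []
    for raw in text.splitlines():
        f = _check_line(raw.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_HJT):
        print("[%s] %s\n    %s" % (f.kind, f.reason, f.line))
```

Run against the sample it reports exactly the proxy, the bolivar27.exe Run entry and the tinyproxy "Event Log" service, and leaves the iTunes and Ad-Aware entries alone. The service check deliberately keys on the short name in parentheses rather than the display name, because that is the name Windows actually uses to identify the service.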

Old 12-06-2008, 08:36 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Re: Malware: "Koobface"

Please follow the instructions from this webpage (sticky):

http://www.techsupportforum.com/secu...oval-help.html

You shall have a proper set of logs for us after that. Someone shall be along shortly.

* Kindly note that threads without the proper logs are likely to be ignored.
sUBs is offline  
Old 12-06-2008, 09:11 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Re: Malware: "Koobface"

Thanks for the quick response. Here are the appropriate logs.

**please note that the GMER scan yielded no results**

Thanks.



DDS (Version 1.0) - NTFSx86
Run by Administrator at 22:41:37.21 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.220 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\tinyproxy\tinyproxy.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysftray2] c:\windows\bolivar27.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 Event Log (Eventlog) ;Event Log (Eventlog) ;c:\program files\tinyproxy\tinyproxy.exe [2008-12-2 8448]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-5 33752]

=============== Created Last 30 ================

2008-12-06 21:14 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 20:40 <DIR> --d----- c:\docume~1\admini~1\applic~1\Creative Memories Photo Center
2008-12-05 19:21 <DIR> --d----- c:\windows\system32\scripting
2008-12-05 19:21 <DIR> --d----- c:\windows\l2schemas
2008-12-05 19:21 <DIR> --d----- c:\windows\system32\en
2008-12-05 19:21 <DIR> --d----- c:\windows\system32\bits
2008-12-05 19:15 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-05 19:11 <DIR> --d----- c:\windows\network diagnostic
2008-12-05 16:45 <DIR> --d----- c:\program files\Panda Security
2008-12-05 13:00 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2008-12-05 13:00 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2008-12-05 13:00 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2008-12-05 13:00 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2008-12-05 13:00 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2008-12-05 13:00 8,704 a------- c:\windows\system32\kbdjpn.dll
2008-12-05 13:00 8,192 a------- c:\windows\system32\kbdkor.dll
2008-12-05 13:00 6,144 a------- c:\windows\system32\kbd106.dll
2008-12-05 13:00 6,144 a------- c:\windows\system32\kbd101c.dll
2008-12-05 13:00 5,632 a------- c:\windows\system32\kbd103.dll
2008-12-05 12:59 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2008-12-05 12:59 6,144 a------- c:\windows\system32\kbd101b.dll
2008-12-05 12:59 <DIR> --d----- C:\VersalSoft
2008-12-05 12:59 <DIR> --d----- c:\program files\VersalSoft
2008-12-05 12:59 <DIR> --d----- c:\program files\Universal
2008-12-02 20:55 <DIR> --d----- c:\program files\tinyproxy
2008-11-22 13:34 69,632 a------- c:\windows\system32\lfgif13n.dll
2008-11-22 13:34 462,848 a------- c:\windows\system32\ltkrn13n.dll
2008-11-22 13:34 450,560 a------- c:\windows\system32\ltimg13n.dll
2008-11-22 13:34 401,408 a------- c:\windows\system32\lfcmp13n.dll
2008-11-22 13:34 299,008 a------- c:\windows\system32\ltdis13n.dll
2008-11-22 13:34 206,336 a------- c:\windows\system32\ltefx13n.dll
2008-11-22 13:34 163,840 a------- c:\windows\system32\ltfil13n.dll
2008-11-22 13:34 57,344 a------- c:\windows\system32\lfbmp13n.dll
2008-11-19 13:24 <DIR> --d----- c:\windows\system32\appmgmt
2008-11-18 13:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative Memories
2008-11-18 13:11 <DIR> --d----- c:\docume~1\admini~1\applic~1\Creative Memories
2008-11-18 13:08 <DIR> --d----- c:\program files\Creative Memories
2008-11-14 21:37 <DIR> --d----- c:\program files\Lavasoft
2008-11-14 21:19 <DIR> --d----- c:\program files\NoAdware
2008-11-14 08:21 221,184 a------- c:\windows\system32\wmpns.dll
2008-11-13 20:31 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-11-13 20:31 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-13 20:31 <DIR> --d----- c:\program files\iPod
2008-11-13 20:30 <DIR> --d----- c:\program files\iTunes
2008-11-13 20:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-13 20:29 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-11-12 17:19 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys

==================== Find3M ====================

2008-12-05 19:25 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys

============= FINISH: 22:41:44.56 ===============
Attached Files
File Type: txt Attach.txt (5.3 KB, 0 views)
firefly50 is offline  
Old 12-06-2008, 09:18 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Re: Malware: "Koobface"

Let's send TinyProxy home

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs is offline  
Old 12-06-2008, 09:55 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Re: Malware: "Koobface"

Thank you for the speedy assistance. The browser is working much better. No more redirects. Here are the ComboFix logs.

Thanks again,

ComboFix 08-12-06.04 - Administrator 2008-12-06 23:46:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.183 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WinXP_EN_PRO_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\TinyProxy
c:\program files\tinyproxy\tinyproxy.exe
c:\recycler\ADAPT_Installer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVENT_LOG_(EVENTLOG)_
-------\Service_Event Log (Eventlog)


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 22:46 . 2008-12-06 22:56 250 --a------ c:\windows\gmer.ini
2008-12-06 21:34 . 2008-12-06 21:37 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-06 21:14 . 2008-12-06 21:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 20:40 . 2008-12-05 20:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Creative Memories Photo Center
2008-12-05 19:21 . 2008-12-05 19:21 <DIR> d-------- c:\windows\system32\scripting
2008-12-05 19:21 . 2008-12-05 19:21 <DIR> d-------- c:\windows\system32\en
2008-12-05 19:21 . 2008-12-05 19:21 <DIR> d-------- c:\windows\system32\bits
2008-12-05 19:21 . 2008-12-05 19:21 <DIR> d-------- c:\windows\l2schemas
2008-12-05 19:15 . 2008-12-05 19:22 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-05 16:45 . 2008-12-05 18:16 <DIR> d-------- c:\program files\Panda Security
2008-12-05 13:00 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-05 13:00 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-05 13:00 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-05 13:00 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-05 13:00 . 2008-04-13 19:09 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-05 13:00 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-05 13:00 . 2008-04-13 19:09 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-12-05 13:00 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-05 13:00 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-05 13:00 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-12-05 12:59 . 2008-12-05 16:41 <DIR> d-------- C:\VersalSoft
2008-12-05 12:59 . 2008-12-05 12:59 <DIR> d-------- c:\program files\VersalSoft
2008-12-05 12:59 . 2008-12-05 12:59 <DIR> d-------- c:\program files\Universal
2008-12-05 12:59 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-05 12:59 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-22 13:34 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
2008-11-22 13:34 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
2008-11-22 13:34 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
2008-11-22 13:34 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
2008-11-22 13:34 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
2008-11-22 13:34 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
2008-11-22 13:34 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
2008-11-22 13:34 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll
2008-11-18 13:11 . 2008-11-18 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative Memories
2008-11-18 13:11 . 2008-11-18 13:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Creative Memories
2008-11-18 13:08 . 2008-11-18 13:08 <DIR> d-------- c:\program files\Creative Memories
2008-11-14 21:37 . 2008-11-14 21:37 <DIR> d-------- c:\program files\Lavasoft
2008-11-14 21:37 . 2008-11-14 21:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-14 21:19 . 2008-11-14 22:00 <DIR> d-------- c:\program files\NoAdware
2008-11-14 08:21 . 2004-08-04 05:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-13 20:31 . 2008-11-13 20:31 <DIR> d-------- c:\program files\iPod
2008-11-13 20:31 . 2008-11-13 20:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-13 20:31 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-13 20:31 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-13 20:30 . 2008-11-13 20:31 <DIR> d-------- c:\program files\iTunes
2008-11-13 20:30 . 2008-11-13 20:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-13 20:30 . 2008-11-13 20:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-13 20:29 . 2008-11-13 20:31 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-13 20:29 . 2008-12-05 12:27 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-13 20:29 . 2008-11-13 20:29 <DIR> d-------- c:\program files\Apple Software Update
2008-11-13 20:29 . 2008-11-13 20:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-13 20:29 . 2008-10-01 13:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-12 17:19 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 02:34 --------- d-----w c:\program files\Google
2008-12-05 17:25 --------- d-----w c:\program files\Impossible Golf
2008-11-15 02:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-07 02:22 --------- d-----r c:\documents and settings\Administrator\Application Data\Brother
2008-11-06 15:21 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-06 03:38 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-06 03:33 --------- d-----w c:\program files\NOS
2008-11-06 03:33 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-04 14:48 --------- d-----w c:\program files\Microsoft Visual Studio .NET 2003
2008-11-04 14:47 --------- d-----w c:\program files\Common Files\Crystal Decisions
2008-11-04 14:46 --------- d-----w c:\program files\Microsoft SQL Server
2008-11-04 14:39 --------- d-----w c:\program files\Microsoft.NET
2008-11-04 14:39 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-12-06 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-05 33752]
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 23:49:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-06 23:51:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 04:51:34

Pre-Run: 29,170,638,848 bytes free
Post-Run: 29,332,467,712 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

152 --- E O F --- 2008-12-06 00:30:04
firefly50 is offline  
Old 12-06-2008, 10:00 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Re: Malware: "Koobface"

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users: right-click on the Internet Explorer shortcut and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
sUBs is offline  
Old 12-07-2008, 10:51 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Re: Malware: "Koobface"

Kaspersky scan yielded no results.

Thanks Again,
firefly50 is offline  
Old 12-07-2008, 02:57 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Re: Malware: "Koobface"

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Old 12-07-2008, 06:29 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Re: Malware: "Koobface"

Thanks again for your help.
firefly50 is offline  
Copyright 2001 - 2009, Tech Support Forum