Old 12-28-2008, 02:59 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Vista Ultimate SP1


AntiVirus 2009 popup

My daughter has been using one of my older notebooks for some time. When she began reporting issues, I found the machine with its protection disabled and infected with several things. I've run Windows Defender and CA eTrust Antivirus with the latest definitions. The multiple scans found and removed a number of items. The machine, however, still produces a popup when the browser loads. Clicking on anything loads an IE browser instance to download the AntiVirus 2009 software, which is itself malware. The software was never installed (as far as I can tell) but I can't find the source of the popup dialog. In addition to this, IE browsers load with various web sites automatically, some very inappropriate for my daughter.

Last, Windows Update has not been able to run since April 2008. I've been through several solution steps; none of them work. I'm thinking the infection has something to do with it, which is why I'm focusing on that first.

Attached is the zip file requested.

Here is the DDS contents:

DDS (Version 1.1.0) - NTFSx86
Run by Megan at 15:45:16.95 on Sun 12/28/2008
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2046.846 [GMT -5:00]

AV: eTrust Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\locator.exe
C:\Program Files\IT Connection Manager\SRUserService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Tools\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://windiwsfsearch.com
uStart Page = hxxp://www.facebook.com/
uDefault_Page_URL = hxxp://www.windowsvista.com
uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
uSearch Bar = hxxp://windiwsfsearch.com/ie6.html
uDefault_Search_URL = hxxp://windiwsfsearch.com
mDefault_Page_URL = hxxp://www.windowsvista.com
mDefault_Search_URL = hxxp://windiwsfsearch.com
mSearch Page = hxxp://windiwsfsearch.com
mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
mSearch Bar = hxxp://windiwsfsearch.com/ie6.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://windiwsfsearch.com
mSearchURL = hxxp://windiwsfsearch.com
mSearchAssistant = hxxp://windiwsfsearch.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: 512686 Class: {51b15f5a-e98b-4658-b9cb-9307b74773a7} - c:\windows\system32\512686\512686.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: MSIBF.BrowserHelper: {b4576668-9dd8-11d7-b7b5-00022d8648fc} - c:\program files\microsoft information bridge\1.5\framework\MSIBF.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [cmds] rundll32.exe c:\users\megan\appdata\local\temp\hggFwVll.dll,c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft firewall client 2004\FwcMgmt.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\microsoft firewall client 2004\FwcWsp.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ibf - {B4576669-9DD8-11D7-B7B5-00022D8648FC} - c:\program files\microsoft information bridge\1.5\framework\MSIBF.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\Thpdrv.sys [2007-1-11 16896]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.SYS [2007-1-11 6528]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 FwcAgent;Firewall Client Agent;"c:\program files\microsoft firewall client 2004\FwcAgent.exe" [2006-7-5 128856]
R2 SRUserService;IT Connection Manager;"c:\program files\it connection manager\SRUserService.exe" [2006-2-28 278672]
R2 WHSConnector;Windows Home Server Connector Service;"c:\program files\windows home server\WHSConnector.exe" [2008-6-18 326688]
R3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader;c:\windows\system32\drivers\gpr400.sys [2008-2-18 22528]
S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2008-6-18 46368]
S3 OMNCMBP;Omnikey AG CardMan 4000 PCMCIA Smart Card Reader;c:\windows\system32\drivers\cmbp0wdm.sys [2006-11-2 20608]
S4 CASHA;CA System Health Agent;"c:\program files\ca\sha\casha.exe" [2007-8-27 230704]

=============== Created Last 30 ================

2008-12-28 15:01 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 18:10 <DIR> --d----- c:\program files\eTrust
2008-12-27 16:20 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-12-27 16:19 83,456 a------- c:\windows\system32\wudriver.dll
2008-12-27 16:19 162,064 a------- c:\windows\system32\wuwebv.dll
2008-12-27 16:19 31,232 a------- c:\windows\system32\wuapp.exe
2008-12-26 02:03 <DIR> --d----- C:\Windows Home Server Drivers for Restore
2008-12-25 17:33 <DIR> --d----- c:\users\megan\appdata\roaming\Red Kawa
2008-12-25 17:18 <DIR> --d----- c:\users\megan\Converted Videos
2008-12-25 17:16 <DIR> --d----- c:\program files\AviSynth 2.5
2008-12-25 17:16 <DIR> --d----- c:\program files\Red Kawa
2008-12-25 17:16 <DIR> --d----- C:\OpenCandy
2008-12-25 14:16 <DIR> --d----- C:\ConverterOutput
2008-12-25 14:15 1,060,864 a------- c:\windows\system32\MFC71.DLL
2008-12-25 14:15 499,712 a------- c:\windows\system32\MSVCP71.DLL
2008-12-25 14:15 372,736 a------- c:\windows\system32\xvid.ax
2008-12-25 14:15 348,160 a------- c:\windows\system32\MSVCR71.DLL
2008-12-25 14:15 98,304 a------- c:\windows\system32\L3CODECX.AX
2008-12-25 14:15 <DIR> --d----- c:\program files\Cucusoft
2008-12-25 11:02 <DIR> --d----- c:\program files\iPod
2008-12-25 11:02 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 11:02 <DIR> --d----- c:\program files\iTunes
2008-12-25 11:02 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-12-28 14:18 13,025 a------- c:\users\megan\appdata\roaming\nvModes.dat
2008-10-15 17:12 51,200 a------- c:\windows\inf\infpub.dat
2008-10-09 21:11 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-09 21:11 86,016 a------- c:\windows\inf\infstor.dat
2008-02-18 13:52 174 a--sh--- c:\program files\desktop.ini
2008-02-18 13:38 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-13 17:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-03-13 17:28 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-03-13 17:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-04-14 18:59 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-04-14 18:59 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-04-14 18:59 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:46:49.53 ===============

Also worth mentioning, I uninstalled Limewire and Bittorrent before running the DDS/GMER capture but I did not reboot the machine before doing so. It isn't likely these programs were running (shouldn't have been) so a reboot wouldn't make a difference.

Let me know if additional information is needed -- I'm anxious to get this problem resolved.
Attached Files
File Type: zip Attach.zip (2.7 KB, 2 views)

Last edited by amateur; 12-29-2008 at 12:44 PM. Reason: two posts merged to retain 0-reply status
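The DDS report in the post above shows the three indicator types a helper would pick out first: every IE search setting redirected to windiwsfsearch.com, a uRun entry that uses rundll32.exe to load a DLL out of the user's temp folder, and a BHO whose DLL sits in the numeric-named folder c:\windows\system32\512686\. As an added example (not part of this post and not code from the DDS tool), the Python script below scans Pseudo HJT Report lines for those three patterns. The sample lines are constructed from the log above; the allowlist of search hosts and the three heuristics are assumptions, not something DDS defines.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for common hijack indicators.

Added example: not part of the forum post above and not code from the DDS tool.
The rules below are assumptions about what looks wrong in such a report, chosen
to match what the log above shows:
  * an IE search setting whose host is not a recognised search provider,
  * an autorun (uRun/mRun) entry that uses rundll32 to load a DLL from a temp folder,
  * a BHO whose DLL lives in a numeric-named folder under system32.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Assumption: hosts a legitimate IE search setting may point at. Extend for your estate.
TRUSTED_SEARCH_HOSTS = {
    "www.google.com", "www.live.com", "search.live.com",
    "www.bing.com", "www.microsoft.com", "go.microsoft.com",
}

# DDS writes URLs with 'hxxp' so they are not clickable; the regexes expect that form.
SEARCH_KEY = re.compile(r"^[um](?:Search[^=]*|Default_Search_URL)\s*=\s*hxxp://([^/\s]+)", re.I)
RUN_ENTRY = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", re.I)
BHO_ENTRY = re.compile(r"^BHO:\s*(?P<name>.*?):\s*\{[0-9a-f-]+\}\s*-\s*(?P<path>.*)$", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
NUMERIC_SYS32_DLL = re.compile(r"\\system32\\\d+\\[^\\]+\.dll$", re.I)


def triage_line(line):
    """Return a Finding if the DDS line matches one of the rules, else None."""
    line = line.strip()
    m = SEARCH_KEY.match(line)
    if m:
        host = m.group(1).lower()
        if host not in TRUSTED_SEARCH_HOSTS:
            return Finding(line, "search setting points at unrecognised host " + host)
        return None
    m = RUN_ENTRY.match(line)
    if m:
        cmd = m.group("cmd")
        if "rundll32" in cmd.lower() and TEMP_DIR.search(cmd):
            return Finding(line, "autorun loads a DLL from a temp folder via rundll32")
        return None
    m = BHO_ENTRY.match(line)
    if m and NUMERIC_SYS32_DLL.search(m.group("path")):
        return Finding(line, "BHO DLL lives in a numeric-named folder under system32")
    return None


def triage_report(text):
    """Run triage_line over every line of a report and keep the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


# Constructed sample: a subset of the Pseudo HJT Report lines from the post above.
SAMPLE_REPORT = r"""
uSearch Page = hxxp://windiwsfsearch.com
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
mSearch Bar = hxxp://windiwsfsearch.com/ie6.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: 512686 Class: {51b15f5a-e98b-4658-b9cb-9307b74773a7} - c:\windows\system32\512686\512686.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [cmds] rundll32.exe c:\users\megan\appdata\local\temp\hggFwVll.dll,c
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
"""

if __name__ == "__main__":
    for finding in triage_report(SAMPLE_REPORT):
        print(finding.reason)
        print("    " + finding.line)
```

Run against the sample it reports five hits: the three search keys pointing at windiwsfsearch.com, the 512686 BHO, and the cmds autorun; the Sidebar and NvSvc entries and the Facebook start page pass, since a non-search start page is a user choice and rundll32 on a system32 DLL is normal for the NVIDIA tray. The host allowlist is deliberately short; on a real machine, compare against whatever the organisation actually deploys rather than treating the list above as authoritative.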
Old 12-29-2008, 06:06 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: AntiVirus 2009 popup

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-29-2008, 07:04 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Vista Ultimate SP1


Re: AntiVirus 2009 popup

First, after starting ComboFix I ignored two dialog boxes that said "incompatible OS" when I noticed it continued to run. During the creating log stage at the end I got another dialog that said "Find string (QGREP)...." error. Debug or close program. I closed the program and ComboFix continued to create the log. The contents of the log are below. I'm really interested to understand why the hxxp://HennessyServer:55000 is mentioned as possibly infected. This is my Microsoft Home Server (dunno about port 55000) but it would be very bad if the server is infected. Please advise.

Thanks for this service.


ComboFix 08-12-29.01 - Megan 2008-12-29 20:31:06.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2046.1117 [GMT -5:00]
Running from: c:\users\Megan\Desktop\ComboFix.exe
AV: eTrust Antivirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://HENNESSYSERVER:55000
hxxp://HUM-USP-01:80
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-28 15:51 . 2008-12-28 15:51 250 --a------ c:\windows\gmer.ini
2008-12-28 15:01 . 2008-12-28 15:01 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\eTrust
2008-12-27 16:20 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-27 16:20 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-27 16:20 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-27 16:20 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-27 16:19 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-27 16:19 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-27 16:19 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-27 16:19 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-27 16:19 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-25 17:33 . 2008-12-25 17:33 <DIR> d-------- c:\users\Megan\AppData\Roaming\Red Kawa
2008-12-25 17:18 . 2008-12-25 22:45 <DIR> d-------- c:\users\Megan\Converted Videos
2008-12-25 17:16 . 2008-12-25 17:16 <DIR> d-------- c:\program files\Red Kawa
2008-12-25 17:16 . 2008-12-25 17:16 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-25 17:16 . 2008-12-25 17:16 <DIR> d-------- C:\OpenCandy
2008-12-25 14:16 . 2008-12-25 14:16 <DIR> d-------- C:\ConverterOutput
2008-12-25 14:15 . 2008-12-25 14:15 <DIR> d-------- c:\program files\Cucusoft
2008-12-25 14:15 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\System32\MFC71.DLL
2008-12-25 14:15 . 2003-03-18 21:14 499,712 --a------ c:\windows\System32\MSVCP71.DLL
2008-12-25 14:15 . 2003-03-30 20:08 372,736 --a------ c:\windows\System32\xvid.ax
2008-12-25 14:15 . 2003-02-21 05:42 348,160 --a------ c:\windows\System32\MSVCR71.DLL
2008-12-25 14:15 . 2003-03-25 06:49 98,304 --a------ c:\windows\System32\L3CODECX.AX
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\program files\iTunes
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\program files\iPod
2008-11-23 14:25 . 2008-11-23 21:55 <DIR> d-------- c:\program files\7-Zip
2008-11-07 21:00 . 2008-11-07 21:00 <DIR> dr------- c:\users\Public\Videos
2008-11-03 15:41 . 2008-11-03 15:41 <DIR> d-------- c:\users\All Users\NVIDIA
2008-11-03 15:41 . 2008-11-03 15:41 <DIR> d-------- c:\programdata\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 20:39 --------- d-----w c:\program files\LimeWire
2008-12-28 19:19 --------- d-----w c:\users\Megan\AppData\Roaming\LimeWire
2008-12-28 19:18 13,025 ----a-w c:\users\Megan\AppData\Roaming\nvModes.dat
2008-12-28 06:39 --------- d-----w c:\users\Megan\AppData\Roaming\Any Video Converter Professional
2008-12-28 06:39 --------- d-----w c:\program files\Any Video Converter Professional
2008-12-27 21:27 --------- d-----w c:\program files\IT Connection Manager
2008-12-25 18:50 --------- d-----w c:\users\Megan\AppData\Roaming\Apple Computer
2008-04-06 20:44 13,119 ----a-w c:\users\timhenn\AppData\Roaming\nvModes.dat
2008-02-18 18:52 174 --sha-w c:\program files\desktop.ini
2008-01-22 21:05 719,626 ----a-w c:\users\timhenn\AppData\Roaming\timhenn.zip
2006-11-13 22:29 13,401 ----a-w c:\users\Administrator\AppData\Roaming\nvModes.dat
2006-05-14 03:34 20,480 ----a-w c:\users\timhenn\AppData\Roaming\CustomAction.dll
2008-03-13 22:28 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-13 22:28 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-13 22:28 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-01 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-01 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-01 81920]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-22 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-25 530552]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\users\timhenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-07-05 117592]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2008-07-08 554528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\northamerica.corp.microsoft.com\NETLOGON\AuditPolicy.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=killbrow.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-124525095-708259637-1543119021-19867\Scripts\Logon\0\0]
"Script"=script_wrapper.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"IPsecThroughNAT"= 2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{4E3782BD-E906-47B8-ACC2-583171BCFF5B}c:\\program files\\microsoft office communicator\\communicator.exe"= UDP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"UDP Query User{1FB65EF2-303E-4939-B246-52B56F018596}c:\\program files\\microsoft office communicator\\communicator.exe"= TCP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"{5326DDA6-969F-4FC5-91FA-B39E6EDF196A}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A5E6D063-0D69-40CD-95BF-22A97D9F5339}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FAB5989A-B748-4F58-8A9F-261A8E99D764}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A8BE4B0A-DA4B-48F4-98CE-DC381419570C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1B4A3878-F7E7-476E-8541-87D2FEA208DF}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{C0BF62F0-CEBF-4BAA-8A9B-50A7FE3C0E81}c:\\program files\\microsoft office communicator\\communicator.exe"= UDP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"UDP Query User{5102A047-823F-4626-9C65-9DC92011A0CC}c:\\program files\\microsoft office communicator\\communicator.exe"= TCP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"TCP Query User{26CE6D6F-DA25-49F1-BF86-063CAEB3CAEF}c:\\program files\\microsoft office communicator\\communicator.exe"= UDP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"UDP Query User{E1DF3F94-39E5-45A4-9E18-1B4F7DEE34F6}c:\\program files\\microsoft office communicator\\communicator.exe"= TCP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"{79DCAC9C-FB32-423D-9FD9-7C179AD542CA}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8FCAE9CD-0B0C-499D-9F2F-A6E4B400B78E}"= UDP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{5973EB95-6862-4672-9ACC-A66D31EE1412}"= TCP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{854A39FB-99CC-40B9-ACA8-C0DC7572628C}"= UDP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{BCDC531F-4F3A-4E23-B731-760CE83B18A2}"= TCP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{CE85C42D-5BE6-4AA8-9A1E-D3C9B0777CBA}"= UDP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{EEB8C9B4-B35A-45C0-8413-35212B2A81E5}"= TCP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{7A3305A1-EF31-4255-A024-013EA147ED8B}"= UDP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{48093D5C-E510-4356-8ABE-E6BE45406FB9}"= TCP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"TCP Query User{C979D0CC-81EA-4C1A-8960-2C1258507CED}c:\\program files\\microsoft office\\live meeting 8\\console\\pwconsole.exe"= UDP:c:\program files\microsoft office\live meeting 8\console\pwconsole.exe:Microsoft Office Live Meeting
"UDP Query User{F180375F-6532-426B-941E-97E60D7AEF28}c:\\program files\\microsoft office\\live meeting 8\\console\\pwconsole.exe"= TCP:c:\program files\microsoft office\live meeting 8\console\pwconsole.exe:Microsoft Office Live Meeting
"{7C269844-6D6A-4987-A7B6-1F022637F48A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{F076CF6C-3057-439D-AEC4-57C949EAF9FC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5BAB2B23-CD26-4F70-919A-C2EA87435120}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{938254B9-BAE7-46F0-955D-150CE80E55DE}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{1CCC0A49-99EB-4F9C-9923-4002972C80AE}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{44347BD1-0C8E-47A5-A71F-BEE43D97345A}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{7B3B3AA2-54A5-4924-85D1-DF0AB18F2B43}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{2C92036C-26BB-4C62-8DED-F59E8AC6B5AD}c:\\users\\megan\\program files\\dna\\btdna.exe"= UDP:c:\users\megan\program files\dna\btdna.exe:btdna.exe
"UDP Query User{6CC76578-0F26-4DE5-A19C-C68A82452A90}c:\\users\\megan\\program files\\dna\\btdna.exe"= TCP:c:\users\megan\program files\dna\btdna.exe:btdna.exe
"TCP Query User{70F82ED2-69FD-47FB-8A60-FBDE8F1A8F17}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{EADD69CE-D594-48C8-9F69-C7D2E3143114}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"{B55DE45E-8F02-40C4-A2BC-47C47DBA7B26}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5E1B629D-1734-4125-9604-3AFDD883E1B7}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{DBF50203-9837-487A-B0E5-F1A5FCF51BB9}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AC7754C2-D3AD-449C-A9AC-E3C830DC85D9}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{A1E08947-5E08-4709-AFB6-269BB6FFD844}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{7DF98EA6-3D84-46F5-8A67-A061C3A6A4C3}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{1312340D-8718-4121-ADBB-835206F689A1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BB40438-24D3-4D50-A029-3B3D15C4BC60}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\Thpdrv.sys [2007-01-11 16896]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-01-11 6528]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 FwcAgent;Firewall Client Agent;"c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe" [2006-07-05 128856]
R2 SRUserService;IT Connection Manager;"c:\program files\IT Connection Manager\SRUserService.exe" [2006-02-28 278672]
R2 WHSConnector;Windows Home Server Connector Service;"c:\program files\Windows Home Server\WHSConnector.exe" [2008-06-18 326688]
R3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader;c:\windows\system32\DRIVERS\gpr400.sys [2008-02-18 22528]
S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2008-06-18 46368]
S3 OMNCMBP;Omnikey AG CardMan 4000 PCMCIA Smart Card Reader;c:\windows\system32\DRIVERS\cmbp0wdm.sys [2006-11-02 20608]
S4 CASHA;CA System Health Agent;"c:\program files\CA\SHA\casha.exe" [2007-08-27 230704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05a769f3-6818-11dd-bcf2-000e7bb30898}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - PROCEXP90
*Newly Created Service* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\User_Feed_Synchronization-{0B4BDF5C-8B9D-4D7E-9395-C451E72A1667}.job
- c:\windows\system32\msfeedssync.exe [2008-01-18 23:33]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 20:36:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-29 20:43:16
ComboFix-quarantined-files.txt 2008-12-30 01:43:14

Pre-Run: 11,601,723,392 bytes free
Post-Run: 11,601,960,960 bytes free

192 --- E O F --- 2008-04-04 01:37:09
Old 12-29-2008, 07:46 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: AntiVirus 2009 popup

Your server must be using BITS. Malware exploits this. ComboFix parses the files, and if found to be other than MS URLs, will identify those URLs, and delete the BITS-related tasks. They get rebuilt upon reboot. Do not worry, all is well there.

Windows Vista is not an incompatible OS, which suggests some interference from your protections. Were they disabled before you ran ComboFix?

Please run DDS once again, and post its logs.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-30-2008, 07:31 AM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Vista Ultimate SP1


Re: AntiVirus 2009 popup

I did disable them, but I used a different method this time with Defender -- went into Tools, etc. and shut off real time within the app. Maybe that will make a difference. I did not get a popup when I opened the browser this time. Is it possible ComboFix "fixed" something??

Here is the DDS text; the other files are attached in the .zip.


DDS (Version 1.1.0) - NTFSx86
Run by Megan at 8:57:06.53 on Tue 12/30/2008
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2046.1099 [GMT -5:00]

AV: eTrust Antivirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\locator.exe
C:\Program Files\IT Connection Manager\SRUserService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Tools\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://windiwsfsearch.com
mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
mSearch Bar = hxxp://windiwsfsearch.com/ie6.html
uInternet Settings,ProxyOverride = <local>
mSearchURL = hxxp://windiwsfsearch.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: MSIBF.BrowserHelper: {b4576668-9dd8-11d7-b7b5-00022d8648fc} - c:\program files\microsoft information bridge\1.5\framework\MSIBF.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft firewall client 2004\FwcMgmt.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\microsoft firewall client 2004\FwcWsp.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ibf - {B4576669-9DD8-11D7-B7B5-00022D8648FC} - c:\program files\microsoft information bridge\1.5\framework\MSIBF.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\Thpdrv.sys [2007-1-11 16896]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.SYS [2007-1-11 6528]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 FwcAgent;Firewall Client Agent;"c:\program files\microsoft firewall client 2004\FwcAgent.exe" [2006-7-5 128856]
R2 SRUserService;IT Connection Manager;"c:\program files\it connection manager\SRUserService.exe" [2006-2-28 278672]
R2 WHSConnector;Windows Home Server Connector Service;"c:\program files\windows home server\WHSConnector.exe" [2008-6-18 326688]
R3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader;c:\windows\system32\drivers\gpr400.sys [2008-2-18 22528]
S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2008-6-18 46368]
S3 OMNCMBP;Omnikey AG CardMan 4000 PCMCIA Smart Card Reader;c:\windows\system32\drivers\cmbp0wdm.sys [2006-11-2 20608]
S4 CASHA;CA System Health Agent;"c:\program files\ca\sha\casha.exe" [2007-8-27 230704]

=============== Created Last 30 ================

2008-12-28 15:51 250 a------- c:\windows\gmer.ini
2008-12-28 15:01 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 18:10 <DIR> --d----- c:\program files\eTrust
2008-12-27 16:20 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-12-27 16:19 83,456 a------- c:\windows\system32\wudriver.dll
2008-12-27 16:19 162,064 a------- c:\windows\system32\wuwebv.dll
2008-12-27 16:19 31,232 a------- c:\windows\system32\wuapp.exe
2008-12-25 17:33 <DIR> --d----- c:\users\megan\appdata\roaming\Red Kawa
2008-12-25 17:18 <DIR> --d----- c:\users\megan\Converted Videos
2008-12-25 17:16 <DIR> --d----- c:\program files\AviSynth 2.5
2008-12-25 17:16 <DIR> --d----- c:\program files\Red Kawa
2008-12-25 17:16 <DIR> --d----- C:\OpenCandy
2008-12-25 14:16 <DIR> --d----- C:\ConverterOutput
2008-12-25 14:15 1,060,864 a------- c:\windows\system32\MFC71.DLL
2008-12-25 14:15 499,712 a------- c:\windows\system32\MSVCP71.DLL
2008-12-25 14:15 372,736 a------- c:\windows\system32\xvid.ax
2008-12-25 14:15 348,160 a------- c:\windows\system32\MSVCR71.DLL
2008-12-25 14:15 98,304 a------- c:\windows\system32\L3CODECX.AX
2008-12-25 14:15 <DIR> --d----- c:\program files\Cucusoft
2008-12-25 11:02 <DIR> --d----- c:\program files\iPod
2008-12-25 11:02 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 11:02 <DIR> --d----- c:\program files\iTunes
2008-12-25 11:02 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-12-28 14:18 13,025 a------- c:\users\megan\appdata\roaming\nvModes.dat
2008-10-15 17:12 51,200 a------- c:\windows\inf\infpub.dat
2008-10-09 21:11 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-09 21:11 86,016 a------- c:\windows\inf\infstor.dat
2008-02-18 13:52 174 a--sh--- c:\program files\desktop.ini
2008-02-18 13:38 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-13 17:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-03-13 17:28 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-03-13 17:28 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 8:58:01.61 ===============
Old 12-30-2008, 09:00 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: AntiVirus 2009 popup

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    DDS::
    uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
    uDefault_Search_URL = hxxp://windiwsfsearch.com
    mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
    mSearch Bar = hxxp://windiwsfsearch.com/ie6.html
    mSearchURL = hxxp://windiwsfsearch.com

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  5. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
    • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the "Download" button to the right.
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
        • Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.

    ---------------------------------------------------------------------------------------------
  6. Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

    Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan.

    • Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


    ---------------------------------------------------------------------------------------------

Post logs from ComboFix and Kaspersky.
Old 12-31-2008, 05:37 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Vista Ultimate SP1


Re: AntiVirus 2009 popup

The Kaspersky report is attached as a text file but the contents are in HTML format -- after a 6-hour scan it found no errors. The ComboFix log is below.

Can you tell me what you have found so far? I'm not getting the popup I had earlier when I open a browser or navigate to new sites. Did something get fixed?

Thanks,
Tim




ComboFix 08-12-29.02 - Megan 2008-12-30 13:34:17.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2046.892 [GMT -5:00]
Running from: c:\users\Megan\Desktop\ComboFix.exe
Command switches used :: c:\users\Megan\Desktop\cfscript.txt
AV: eTrust Antivirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-28 15:51 . 2008-12-30 09:00 250 --a------ c:\windows\gmer.ini
2008-12-28 15:01 . 2008-12-28 15:01 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\eTrust
2008-12-27 16:20 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-27 16:20 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-27 16:20 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-27 16:20 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-27 16:19 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-27 16:19 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-27 16:19 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-27 16:19 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-27 16:19 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-25 17:33 . 2008-12-25 17:33 <DIR> d-------- c:\users\Megan\AppData\Roaming\Red Kawa
2008-12-25 17:18 . 2008-12-25 22:45 <DIR> d-------- c:\users\Megan\Converted Videos
2008-12-25 17:16 . 2008-12-25 17:16 <DIR> d-------- c:\program files\Red Kawa
2008-12-25 17:16 . 2008-12-25 17:16 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-25 17:16 . 2008-12-25 17:16 <DIR> d-------- C:\OpenCandy
2008-12-25 14:16 . 2008-12-25 14:16 <DIR> d-------- C:\ConverterOutput
2008-12-25 14:15 . 2008-12-25 14:15 <DIR> d-------- c:\program files\Cucusoft
2008-12-25 14:15 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\System32\MFC71.DLL
2008-12-25 14:15 . 2003-03-18 21:14 499,712 --a------ c:\windows\System32\MSVCP71.DLL
2008-12-25 14:15 . 2003-03-30 20:08 372,736 --a------ c:\windows\System32\xvid.ax
2008-12-25 14:15 . 2003-02-21 05:42 348,160 --a------ c:\windows\System32\MSVCR71.DLL
2008-12-25 14:15 . 2003-03-25 06:49 98,304 --a------ c:\windows\System32\L3CODECX.AX
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\program files\iTunes
2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\program files\iPod
2008-11-23 14:25 . 2008-11-23 21:55 <DIR> d-------- c:\program files\7-Zip
2008-11-07 21:00 . 2008-11-07 21:00 <DIR> dr------- c:\users\Public\Videos
2008-11-03 15:41 . 2008-11-03 15:41 <DIR> d-------- c:\users\All Users\NVIDIA
2008-11-03 15:41 . 2008-11-03 15:41 <DIR> d-------- c:\programdata\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 20:39 --------- d-----w c:\program files\LimeWire
2008-12-28 19:19 --------- d-----w c:\users\Megan\AppData\Roaming\LimeWire
2008-12-28 19:18 13,025 ----a-w c:\users\Megan\AppData\Roaming\nvModes.dat
2008-12-28 06:39 --------- d-----w c:\users\Megan\AppData\Roaming\Any Video Converter Professional
2008-12-28 06:39 --------- d-----w c:\program files\Any Video Converter Professional
2008-12-27 21:27 --------- d-----w c:\program files\IT Connection Manager
2008-12-25 18:50 --------- d-----w c:\users\Megan\AppData\Roaming\Apple Computer
2008-04-06 20:44 13,119 ----a-w c:\users\timhenn\AppData\Roaming\nvModes.dat
2008-02-18 18:52 174 --sha-w c:\program files\desktop.ini
2008-01-22 21:05 719,626 ----a-w c:\users\timhenn\AppData\Roaming\timhenn.zip
2006-11-13 22:29 13,401 ----a-w c:\users\Administrator\AppData\Roaming\nvModes.dat
2006-05-14 03:34 20,480 ----a-w c:\users\timhenn\AppData\Roaming\CustomAction.dll
2008-03-13 22:28 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-13 22:28 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-13 22:28 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-29_20.37.19.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 19:13:55 2,418,360 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-12-30 01:47:18 2,418,360 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-12-28 19:18:02 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-30 01:48:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-28 19:18:02 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-30 01:48:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-29 10:14:29 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-30 05:15:55 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-30 05:15:55 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-12-28 19:19:32 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-30 01:51:18 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-12-29 19:22:50 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-30 17:24:14 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-29 19:22:50 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 17:24:14 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-28 19:18:06 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-30 17:24:14 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-30 01:30:46 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-30 18:33:52 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-12-28 19:27:56 106,952 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-30 01:56:50 106,952 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-28 19:27:56 608,030 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-30 01:56:50 608,030 ----a-w c:\windows\System32\perfh009.dat
- 2008-12-27 21:52:39 4,872 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-12876878-2588173352-2620499328-1010_UserData.bin
+ 2008-12-30 01:52:07 4,920 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-12876878-2588173352-2620499328-1010_UserData.bin
- 2008-12-28 19:19:54 70,610 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-30 01:52:06 70,690 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-28 19:19:50 47,126 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-30 01:52:05 47,142 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-01 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-01 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-01 81920]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-22 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-25 530552]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\users\timhenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-07-05 117592]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2008-07-08 554528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\northamerica.corp.microsoft.com\NETLOGON\AuditPolicy.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=killbrow.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-124525095-708259637-1543119021-19867\Scripts\Logon\0\0]
"Script"=script_wrapper.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"IPsecThroughNAT"= 2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{4E3782BD-E906-47B8-ACC2-583171BCFF5B}c:\\program files\\microsoft office communicator\\communicator.exe"= UDP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"UDP Query User{1FB65EF2-303E-4939-B246-52B56F018596}c:\\program files\\microsoft office communicator\\communicator.exe"= TCP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"{5326DDA6-969F-4FC5-91FA-B39E6EDF196A}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A5E6D063-0D69-40CD-95BF-22A97D9F5339}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FAB5989A-B748-4F58-8A9F-261A8E99D764}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A8BE4B0A-DA4B-48F4-98CE-DC381419570C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1B4A3878-F7E7-476E-8541-87D2FEA208DF}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{C0BF62F0-CEBF-4BAA-8A9B-50A7FE3C0E81}c:\\program files\\microsoft office communicator\\communicator.exe"= UDP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"UDP Query User{5102A047-823F-4626-9C65-9DC92011A0CC}c:\\program files\\microsoft office communicator\\communicator.exe"= TCP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"TCP Query User{26CE6D6F-DA25-49F1-BF86-063CAEB3CAEF}c:\\program files\\microsoft office communicator\\communicator.exe"= UDP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"UDP Query User{E1DF3F94-39E5-45A4-9E18-1B4F7DEE34F6}c:\\program files\\microsoft office communicator\\communicator.exe"= TCP:c:\program files\microsoft office communicator\communicator.exe:Microsoft Office Communicator 2005
"{79DCAC9C-FB32-423D-9FD9-7C179AD542CA}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8FCAE9CD-0B0C-499D-9F2F-A6E4B400B78E}"= UDP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{5973EB95-6862-4672-9ACC-A66D31EE1412}"= TCP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{854A39FB-99CC-40B9-ACA8-C0DC7572628C}"= UDP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{BCDC531F-4F3A-4E23-B731-760CE83B18A2}"= TCP:c:\program files\Windows Home Server\Discovery.exe:Windows Home Server Connector
"{CE85C42D-5BE6-4AA8-9A1E-D3C9B0777CBA}"= UDP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{EEB8C9B4-B35A-45C0-8413-35212B2A81E5}"= TCP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{7A3305A1-EF31-4255-A024-013EA147ED8B}"= UDP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{48093D5C-E510-4356-8ABE-E6BE45406FB9}"= TCP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"TCP Query User{C979D0CC-81EA-4C1A-8960-2C1258507CED}c:\\program files\\microsoft office\\live meeting 8\\console\\pwconsole.exe"= UDP:c:\program files\microsoft office\live meeting 8\console\pwconsole.exe:Microsoft Office Live Meeting
"UDP Query User{F180375F-6532-426B-941E-97E60D7AEF28}c:\\program files\\microsoft office\\live meeting 8\\console\\pwconsole.exe"= TCP:c:\program files\microsoft office\live meeting 8\console\pwconsole.exe:Microsoft Office Live Meeting
"{7C269844-6D6A-4987-A7B6-1F022637F48A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{F076CF6C-3057-439D-AEC4-57C949EAF9FC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5BAB2B23-CD26-4F70-919A-C2EA87435120}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{938254B9-BAE7-46F0-955D-150CE80E55DE}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{1CCC0A49-99EB-4F9C-9923-4002972C80AE}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{44347BD1-0C8E-47A5-A71F-BEE43D97345A}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{7B3B3AA2-54A5-4924-85D1-DF0AB18F2B43}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{2C92036C-26BB-4C62-8DED-F59E8AC6B5AD}c:\\users\\megan\\program files\\dna\\btdna.exe"= UDP:c:\users\megan\program files\dna\btdna.exe:btdna.exe
"UDP Query User{6CC76578-0F26-4DE5-A19C-C68A82452A90}c:\\users\\megan\\program files\\dna\\btdna.exe"= TCP:c:\users\megan\program files\dna\btdna.exe:btdna.exe
"TCP Query User{70F82ED2-69FD-47FB-8A60-FBDE8F1A8F17}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{EADD69CE-D594-48C8-9F69-C7D2E3143114}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"{B55DE45E-8F02-40C4-A2BC-47C47DBA7B26}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5E1B629D-1734-4125-9604-3AFDD883E1B7}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{DBF50203-9837-487A-B0E5-F1A5FCF51BB9}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AC7754C2-D3AD-449C-A9AC-E3C830DC85D9}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{A1E08947-5E08-4709-AFB6-269BB6FFD844}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{7DF98EA6-3D84-46F5-8A67-A061C3A6A4C3}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{1312340D-8718-4121-ADBB-835206F689A1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BB40438-24D3-4D50-A029-3B3D15C4BC60}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\Thpdrv.sys [2007-01-11 16896]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-01-11 6528]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 FwcAgent;Firewall Client Agent;"c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe" [2006-07-05 128856]
R2 SRUserService;IT Connection Manager;"c:\program files\IT Connection Manager\SRUserService.exe" [2006-02-28 278672]
R2 WHSConnector;Windows Home Server Connector Service;"c:\program files\Windows Home Server\WHSConnector.exe" [2008-06-18 326688]
R3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader;c:\windows\system32\DRIVERS\gpr400.sys [2008-02-18 22528]
S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2008-06-18 46368]
S3 OMNCMBP;Omnikey AG CardMan 4000 PCMCIA Smart Card Reader;c:\windows\system32\DRIVERS\cmbp0wdm.sys [2006-11-02 20608]
S4 CASHA;CA System Health Agent;"c:\program files\CA\SHA\casha.exe" [2007-08-27 230704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05a769f3-6818-11dd-bcf2-000e7bb30898}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\User_Feed_Synchronization-{0B4BDF5C-8B9D-4D7E-9395-C451E72A1667}.job
- c:\windows\system32\msfeedssync.exe [2008-01-18 23:33]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 13:36:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 13:42:11
ComboFix-quarantined-files.txt 2008-12-30 18:42:08
ComboFix2.txt 2008-12-30 01:43:17

Pre-Run: 13,618,331,648 bytes free
Post-Run: 13,372,739,584 bytes free

213 --- E O F --- 2008-04-04 01:37:09
Attached Files
File Type: txt Kaspersky.txt (2.6 KB, 1 views)
timhenn is offline  
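The "Reg Loading Points" section of the ComboFix log above is where an analyst looks first: Run keys, Security Center monitoring flags, firewall exceptions and the mountpoints2 AutoRun cache. The script below is an added example (Python, written for this page; it is not part of ComboFix, DDS or the original post) that parses a log in that layout and flags the entries a reviewer would question: autostarts in user-writable folders or borrowing a core Windows process name, an antivirus whose Security Center monitoring is switched off, firewall exceptions for executables under a user profile, and recorded removable-drive AutoRun commands. The embedded sample is constructed from the log's layout; the "Updater" entry running from a TEMP folder is invented to show what a hit looks like and does not come from the posted log.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section,
# modelled on the log posted above. The "Updater" entry running from a TEMP
# folder is an invented line included only to show what a flagged entry looks like.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Updater"="c:\users\megan\appdata\local\temp\svchost.exe" [2008-12-27 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{938254B9-BAE7-46F0-955D-150CE80E55DE}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"TCP Query User{2C92036C-26BB-4C62-8DED-F59E8AC6B5AD}c:\\users\\megan\\program files\\dna\\btdna.exe"= UDP:c:\users\megan\program files\dna\btdna.exe:btdna.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05a769f3-6818-11dd-bcf2-000e7bb30898}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})')
FW_RE = re.compile(r'^"[^"]+"=\s*(?:(?:TCP|UDP):(?:\d+\|)?)?(?P<path>[a-z]:\\[^:]+):', re.I)
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")

# Locations a non-admin user can write to; persistence pointing here needs a second look.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\")
# Names malware borrows from core Windows processes; the real ones live under \windows\.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def parse_sections(text: str) -> List[Dict[str, object]]:
    """Group the log into {key, lines} records, one per [registry key] header."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group("key"), "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sections


def triage(text: str) -> List[str]:
    """Return one finding per entry a malware analyst would want to question."""
    findings: List[str] = []
    for sec in parse_sections(text):
        key = str(sec["key"])
        key_l = key.lower()
        product = key.rsplit("\\", 1)[-1]        # last key component, e.g. the AV product
        for line in sec["lines"]:
            if key_l.endswith("\\run"):
                m = RUN_RE.match(line)
                if not m:
                    continue
                name, path = m.group("name"), m.group("path")
                path_l = path.lower()
                if any(tok in path_l for tok in USER_WRITABLE):
                    findings.append(f"autostart '{name}' runs from a user-writable path: {path}")
                if path_l.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in path_l:
                    findings.append(f"autostart '{name}' reuses a system binary name outside \\windows\\: {path}")
            elif "\\security center\\monitoring\\" in key_l:
                m = DWORD_RE.match(line)
                if m and m.group("name") == "DisableMonitoring" and int(m.group("hex"), 16) == 1:
                    findings.append(f"Security Center monitoring disabled for {product}")
            elif key_l.endswith("\\firewallrules"):
                m = FW_RE.match(line)
                if m and any(tok in m.group("path").lower() for tok in USER_WRITABLE):
                    findings.append(f"firewall exception for an executable in a user profile: {m.group('path')}")
            elif "\\mountpoints2\\" in key_l:
                m = AUTORUN_RE.match(line)
                if m:
                    findings.append(f"removable-drive AutoRun command recorded: {m.group('cmd')}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FLAG:", finding)
```

Every hit is a prompt for a closer look, not a verdict: a firewall exception for a BitTorrent client under `c:\users\megan` is evidence of a P2P client installed per-user (and a likely infection route), not malware in itself, and a Security Center "DisableMonitoring" flag can also be left behind by an antivirus product that was installed and later removed.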
Old 12-31-2008, 08:44 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: AntiVirus 2009 popup

Yes, something got fixed. You were fortunate, the files were still only running from TEMP, which got cleared. Vista is more difficult for many infections to take hold, though it's certainly not invulnerable by any stretch. Vista's User Account Control (UAC) is a big part of that.


Your logs appear clean. You should be good to go. We still have a few items to address.

Press the Windows key + R to open the Run box -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
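The HOSTS-file step in the post above (rename the existing HOSTS file to HOSTS.MVP, drop in the new one, and let unwanted names resolve to 127.0.0.1) is simple enough to show end to end. The script below is an added example written for this page in Python; it is not the MVPS download or its mvps.bat, and the HOSTS content it carries is a constructed sample with example.com/.net/.org names rather than the real blocklist. It parses a HOSTS file, answers whether a name is sinkholed, and performs the rename-then-write install against a path you pass in, defaulting to a scratch directory so that running it never touches the live file by accident.

```python
import os
import tempfile
from typing import Dict, Optional

# Constructed sample in the layout the MVPS file uses; not the real download.
SAMPLE_HOSTS = """\
# MVPS-style HOSTS file (constructed sample)
127.0.0.1  localhost
127.0.0.1  ads.example.com        # sample ad server
127.0.0.1  tracker.example.net
0.0.0.0    fakeav-download.example.org
"""

# Addresses a blocklist HOSTS file points unwanted names at. The post describes
# 127.0.0.1; 0.0.0.0 is another common sinkhole, so both are accepted here.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a HOSTS file to the address it is pinned to."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()              # one address, one or more names
        for name in names:
            table[name.lower()] = addr
    return table


def is_blocked(hostname: str, table: Dict[str, str]) -> bool:
    """True when the HOSTS table sends this name to a sinkhole (localhost excluded)."""
    name = hostname.lower().rstrip(".")
    return name != "localhost" and table.get(name) in SINKHOLES


def install_hosts(new_text: str, hosts_path: str) -> Optional[str]:
    """Mirror the mvps.bat sequence: rename the existing file to HOSTS.MVP, then
    write the new one. Returns the backup path, or None if nothing was backed up."""
    backup = None
    if os.path.exists(hosts_path):
        backup = os.path.join(os.path.dirname(hosts_path), "HOSTS.MVP")
        os.replace(hosts_path, backup)           # keeps the original for rollback
    with open(hosts_path, "w", encoding="ascii") as fh:
        fh.write(new_text)
    return backup


def demo(workdir: Optional[str] = None) -> Dict[str, str]:
    """Exercise the install against a scratch file, never the live HOSTS file."""
    workdir = workdir or tempfile.mkdtemp(prefix="hosts-demo-")
    hosts_path = os.path.join(workdir, "hosts")
    with open(hosts_path, "w", encoding="ascii") as fh:
        fh.write("127.0.0.1 localhost\n")        # stand-in for the current file
    backup = install_hosts(SAMPLE_HOSTS, hosts_path)
    with open(hosts_path, encoding="ascii") as fh:
        table = parse_hosts(fh.read())
    return {
        "hosts": hosts_path,
        "backup": backup or "",
        "ads_blocked": str(is_blocked("ads.example.com", table)),
        "site_blocked": str(is_blocked("www.example.com", table)),
    }


if __name__ == "__main__":
    print(demo())
```

To apply it for real, pass the live path (`c:\windows\system32\drivers\etc\hosts` on Vista) to install_hosts from an elevated prompt; with UAC on, a non-elevated write will simply fail. Keep the HOSTS.MVP backup until you are sure nothing you need has been sinkholed, and expect WinPatrol or similar tools to prompt about the change, since a modified HOSTS file is also a classic malware trick.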
Old 12-31-2008, 08:53 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Vista Ultimate SP1


Re: AntiVirus 2009 popup

Wow, what a process -- thanks for this service. I purchased a family pack bundle of Avast which will protect my home server as well as all my home desktop machines. Any comments, pro or con, on this package would be interesting.

I still can't run windows update, but, that's apparently another issue unrelated to the malware/virus I had.


Thanks again for the links and information, great help which I will pass on to others in need.

Tim
timhenn is offline  
Old 12-31-2008, 09:35 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: AntiVirus 2009 popup

Frequently, infections do block Windows Update, but ComboFix will generally clear that issue. You may wish to seek assistance with that in the Windows Vista section of the forums, let them know you've been here and been cleared of malware. It may have to do with your MS Server arrangement...did the issue arise (April 2008) near the same time as you began using the server? I'm not well versed in that, but you'll find support in the Vista or Networking sections if that's the case. Be sure to let them know exactly what happens when you try to update. Exact error messages, if any, etc...

As to your choice of Avast, it's fine. I use it on one of my machines. I use NOD32 on another. I would also say to be sure to uninstall eTrust completely before installing the new antivirus. Having two installed on the same machine can lead to conflict. You may be interested in viewing this site:

http://www.av-comparatives.org/

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
 


All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum