IE links send me to ad sites

[p4tech]

Good day and thank you for taking a look at my problem.

Late last week search engine links started to redirect me to ad sites and I also noticed that I was running 3 to 4 IE's at the same time.

I was using nod 32 and believe that Advanced system care is the only adware program I have.

I tried running GMER, but it did not run when opened. However, Task Manager shows that it was/is open.



DDS (Ver_09-05-14.01) - NTFSx86
Run by customer at 8:55:59.54 on Mon 05/18/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.599 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\customer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.toshiba.com/search
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {A2595F37-48D0-46A1-9B51-478591A97764} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [TOSHIBA Accessibility] c:\program files\toshiba\accessibility\FnKeyHook.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Notebook Maximizer] c:\program files\notebook maximizer\maximizer_startup.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\customer\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242398740312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

============= SERVICES / DRIVERS ===============

S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2006-12-4 116078]

=============== Created Last 30 ================

2009-05-15 11:56 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-15 11:56 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-15 11:56 17,408 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-05-15 11:56 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-05-15 11:54 35,871 ac------ c:\windows\system32\dllcache\wbfirdma.sys
2009-05-15 11:53 7,556 ac------ c:\windows\system32\dllcache\usroslba.sys
2009-05-15 11:52 216,064 ac------ c:\windows\system32\dllcache\um34scan.dll
2009-05-15 11:51 28,232 ac------ c:\windows\system32\dllcache\tos4mo.sys
2009-05-15 11:50 103,936 ac------ c:\windows\system32\dllcache\sx.sys
2009-05-15 11:49 37,040 ac------ c:\windows\system32\dllcache\sonypi.sys
2009-05-15 11:48 188,508 ac------ c:\windows\system32\dllcache\slgen.dll
2009-05-15 11:47 6,784 ac------ c:\windows\system32\dllcache\serscan.sys
2009-05-15 11:46 62,496 ac------ c:\windows\system32\dllcache\s3mtrio.dll
2009-05-15 11:45 714,762 ac------ c:\windows\system32\dllcache\r2mdmkxx.sys
2009-05-15 11:44 7,552 ac------ c:\windows\system32\dllcache\powerfil.sys
2009-05-15 11:43 41,984 ac------ c:\windows\system32\dllcache\ovui2rc.dll
2009-05-15 11:42 51,552 ac------ c:\windows\system32\dllcache\ntgrip.sys
2009-05-15 11:41 75,520 ac------ c:\windows\system32\dllcache\mxport.sys
2009-05-15 11:40 320,384 ac------ c:\windows\system32\dllcache\mgaum.sys
2009-05-15 11:39 34,688 ac------ c:\windows\system32\dllcache\lbrtfdc.sys
2009-05-15 11:38 45,056 ac------ c:\windows\system32\dllcache\icam5com.dll
2009-05-15 11:37 57,471 ac------ c:\windows\system32\dllcache\hsf_samp.sys
2009-05-15 11:36 119,296 ac------ c:\windows\system32\dllcache\hpdigwia.dll
2009-05-15 11:35 16,074 ac------ c:\windows\system32\dllcache\fa312nd5.sys
2009-05-15 11:34 70,174 ac------ c:\windows\system32\dllcache\el98xn5.sys
2009-05-15 11:33 419,357 ac------ c:\windows\system32\dllcache\dgconfig.dll
2009-05-15 11:32 27,164 ac------ c:\windows\system32\dllcache\ce3n5.sys
2009-05-15 11:31 281,600 ac------ c:\windows\system32\dllcache\atimtai.sys
2009-05-15 11:17 <DIR> --d----- c:\program files\IObit
2009-05-15 11:17 <DIR> --d----- c:\docume~1\customer\applic~1\IObit
2009-05-15 10:44 <DIR> --dsh--- c:\documents and settings\customer\PrivacIE
2009-05-15 10:44 <DIR> --dsh--- c:\documents and settings\customer\IECompatCache
2009-05-15 10:43 <DIR> --dsh--- c:\documents and settings\customer\IETldCache
2009-05-15 10:40 78,336 ac------ c:\windows\system32\dllcache\ieencode.dll
2009-05-15 10:40 78,336 a------- c:\windows\system32\ieencode.dll
2009-05-13 15:02 6,144 a------- c:\windows\system32\iehelper.dll
2009-04-24 10:12 2,838 a------- c:\windows\machine.ver
2009-04-24 10:12 67 a------- c:\windows\swupdate.INI

==================== Find3M ====================

2008-04-02 18:25 4,096 a------- c:\documents and settings\customer\DesktopFWebdEditor.exe
2008-04-02 18:25 4,096 a------- c:\documents and settings\customer\Desktopfwebd.exe
2008-04-02 18:25 4,096 a------- c:\documents and settings\customer\Desktopfkwp2.0.exe
2008-04-02 18:25 4,096 a------- c:\documents and settings\customer\Desktopfkwp1.5.exe
2008-04-02 18:25 4,096 a------- c:\documents and settings\customer\Desktopfilemanagerclient.exe
2008-04-02 18:25 4,096 a------- c:\documents and settings\customer\DesktopEditorFKWP2.0.exe
2008-04-02 18:25 4,096 a------- c:\documents and settings\customer\DesktopEditorFKWP1.5.exe
2007-12-05 16:54 164 a------- c:\docume~1\customer\applic~1\wklnhst.dat
2003-11-03 00:52 301,321 a------- c:\documents and settings\all users\Office 2003 Editions 60 Day Trial.exe
2008-04-04 13:19 193,054 a--sh--- c:\windows\system32\TuxEffii.ini2

============= FINISH: 8:56:58.79 ===============

[tetonbob]

Hello, and welcome.

Quote:

I was using nod 32

What happened to it? I don't see it installed any longer.

Let's see if we can get a GMER log.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

@echo off
copy /y gmer.exe omer.exe
start omer

Save this as run.bat Choose to "Save type as - All Files" next to gmer.exe
It should look like this:
Double click on run.bat & allow it to run

Then, use these settings to produce a log.

• If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan:
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[p4tech]

(1) nod 32 - ran out of funds to renew

(2) running of run.bat gave me an eror of "windows cannot find "omer". Make sure file name is correct etc.

and I noticed that Spyware Protect 2009 is now running this morning; it has hijacked IE to a point that IE only open a screen that only contains a link to upgrade SWP 2009.

[tetonbob]

OK, we'll address the lack of AV during the course of this fix. I will let you know when. There are excellent FREE antivirus available, so there's no reason for a machine to be unprotected.

The main reason I can think of for that message is that gmer.exe is not next to the batch file.

Let's try this special version of gmer.


Download GMER Rootkit Scanner from here to your desktop.

• Double click the exe file.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[p4tech]

That worked.

[tetonbob]

That shows the culprit, and what I expected.

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

1. Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
   
   Link 1
   Link 2
   Link 3
   
   
   
   
   
   
   --------------------------------------------------------------------
   
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
3. Double click on combo-fix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   
   ---------------------------------------------------------------------------------------------

[p4tech]

Had some errors while Combo fix was running; but I just followed the instructions on-screen.

on 1st reboot got:

pev.exe encountered a problem and must be closed <ok>

Combofix gave: ERROR - it is not safe to continue - contents of Combofix has been compromised, download a fresh copy .... <ok>

than ERROR says: You maybe infected with a file patching virus (Virut) <ok>

I deleted Combofix, than loaded a fresh copy and ran it ... no errors seen on second try. log follows:

ComboFix 09-05-19.02 - customer 05/19/2009 13:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.685 [GMT -4:00]
Running from: c:\documents and settings\customer\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Online Security Guide.url
c:\documents and settings\All Users\Start Menu\Security Troubleshooting.url
c:\documents and settings\customer\Desktopblackbird.jpg
c:\documents and settings\customer\DesktopEditorFKWP1.5.exe
c:\documents and settings\customer\DesktopEditorFKWP2.0.exe
c:\documents and settings\customer\Desktopfilemanagerclient.exe
c:\documents and settings\customer\Desktopfkwp1.5.exe
c:\documents and settings\customer\Desktopfkwp2.0.exe
c:\documents and settings\customer\Desktopfwebd.exe
c:\documents and settings\customer\DesktopFWebdEditor.exe
c:\documents and settings\customer\Desktopvirii
c:\documents and settings\customer\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe
c:\documents and settings\customer\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
c:\documents and settings\customer\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
c:\documents and settings\customer\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
c:\documents and settings\customer\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe
c:\program files\akl
c:\program files\akl\akl.dll
c:\program files\akl\akl.exe
c:\program files\akl\uninstall.exe
c:\program files\akl\unsetup.exe
c:\program files\Inet Delivery
c:\program files\Inet Delivery\inetdl.exe
c:\program files\Inet Delivery\intdel.exe
C:\u.exe
c:\windows\a.bat
c:\windows\adaway.lic
c:\windows\bdn.com
c:\windows\dwltqnmx.exe
c:\windows\fkdnrwsv.dll
c:\windows\FVProtect.exe
c:\windows\IE4 Error Log.txt
c:\windows\iTunesMusic.exe
c:\windows\mslagent
c:\windows\mslagent\2_mslagent.dll
c:\windows\mslagent\mslagent.exe
c:\windows\mslagent\uninstall.exe
c:\windows\mssecu.exe
c:\windows\sxfnewqb.dll
c:\windows\sysguard.exe
c:\windows\system32\drivers\UACjixjrvjoewsrnti.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\jlatirbp.ini
c:\windows\system32\TuxEffii.ini
c:\windows\system32\TuxEffii.ini2
c:\windows\system32\UACbabbsuvxvrqarwr.dat
c:\windows\system32\UACetxulhjjiyiuheq.dll
c:\windows\system32\UAChlgfldkackkwqdh.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACixdabquxqjwulfb.log
c:\windows\system32\UAClwgwvollthqjmpm.dll
c:\windows\system32\UACnmfhktjahlwoprm.log
c:\windows\system32\UACqhipxmpfaiqjwcp.dll
c:\windows\system32\UACrqpqekbiroyfvem.dll
c:\windows\system32\UACukykstywwmowyus.log
c:\windows\system32akttzn.exe
c:\windows\system32anticipator.dll
c:\windows\system32awtoolb.dll
c:\windows\system32bdn.com
c:\windows\system32bsva-egihsg52.exe
c:\windows\system32dpcproxy.exe
c:\windows\system32emesx.dll
c:\windows\system32h@tkeysh@@k.dll
c:\windows\system32hoproxy.dll
c:\windows\system32hxiwlgpm.dat
c:\windows\system32hxiwlgpm.exe
c:\windows\system32medup012.dll
c:\windows\system32medup020.dll
c:\windows\system32msgp.exe
c:\windows\system32msnbho.dll
c:\windows\system32mssecu.exe
c:\windows\system32msvchost.exe
c:\windows\system32mtr2.exe
c:\windows\system32mwin32.exe
c:\windows\system32netode.exe
c:\windows\system32newsd32.exe
c:\windows\system32ps1.exe
c:\windows\system32psof1.exe
c:\windows\system32psoft1.exe
c:\windows\system32regc64.dll
c:\windows\system32regm64.dll
c:\windows\system32Rundl1.exe
c:\windows\system32sncntr.exe
c:\windows\system32ssurf022.dll
c:\windows\system32ssvchost.com
c:\windows\system32ssvchost.exe
c:\windows\system32sysreq.exe
c:\windows\system32taack.dat
c:\windows\system32taack.exe
c:\windows\system32temp#01.exe
c:\windows\system32thun.dll
c:\windows\system32thun32.dll
c:\windows\system32VBIEWER.OCX
c:\windows\system32vbsys2.dll
c:\windows\system32vcatchpi.dll
c:\windows\system32winlogonpc.exe
c:\windows\system32winsystem.exe
c:\windows\system32WINWGPX.EXE
c:\windows\userconfig9x.dll
c:\windows\winsystem.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-18 19:40 . 2009-05-18 19:40 52224 ----a-w c:\windows\system32\drivers\UACdupfuiqhtprnrwi.sys
2009-05-15 15:56 . 2004-08-04 04:56 116224 -c--a-w c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-15 15:56 . 2001-08-18 02:36 23040 -c--a-w c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-15 15:56 . 2001-08-18 02:36 17408 -c--a-w c:\windows\system32\dllcache\xrxscnui.dll
2009-05-15 15:56 . 2001-08-18 02:37 27648 -c--a-w c:\windows\system32\dllcache\xrxftplt.exe
2009-05-15 15:54 . 2001-08-17 16:10 35871 -c--a-w c:\windows\system32\dllcache\wbfirdma.sys
2009-05-15 15:53 . 2001-08-17 17:28 7556 -c--a-w c:\windows\system32\dllcache\usroslba.sys
2009-05-15 15:52 . 2001-08-18 02:36 216064 -c--a-w c:\windows\system32\dllcache\um34scan.dll
2009-05-15 15:51 . 2001-08-17 16:10 28232 -c--a-w c:\windows\system32\dllcache\tos4mo.sys
2009-05-15 15:50 . 2001-08-17 17:50 103936 -c--a-w c:\windows\system32\dllcache\sx.sys
2009-05-15 15:49 . 2001-08-17 16:51 37040 -c--a-w c:\windows\system32\dllcache\sonypi.sys
2009-05-15 15:48 . 2004-08-04 04:56 188508 -c--a-w c:\windows\system32\dllcache\slgen.dll
2009-05-15 15:47 . 2001-08-17 17:53 6784 -c--a-w c:\windows\system32\dllcache\serscan.sys
2009-05-15 15:46 . 2001-08-18 02:36 62496 -c--a-w c:\windows\system32\dllcache\s3mtrio.dll
2009-05-15 15:45 . 2001-08-17 17:28 714762 -c--a-w c:\windows\system32\dllcache\r2mdmkxx.sys
2009-05-15 15:44 . 2001-08-17 17:53 7552 -c--a-w c:\windows\system32\dllcache\powerfil.sys
2009-05-15 15:43 . 2001-08-18 02:36 41984 -c--a-w c:\windows\system32\dllcache\ovui2rc.dll
2009-05-15 15:42 . 2001-08-17 16:49 51552 -c--a-w c:\windows\system32\dllcache\ntgrip.sys
2009-05-15 15:41 . 2001-08-17 17:50 75520 -c--a-w c:\windows\system32\dllcache\mxport.sys
2009-05-15 15:40 . 2001-08-17 16:50 320384 -c--a-w c:\windows\system32\dllcache\mgaum.sys
2009-05-15 15:39 . 2004-08-04 02:59 34688 -c--a-w c:\windows\system32\dllcache\lbrtfdc.sys
2009-05-15 15:38 . 2001-08-18 02:36 45056 -c--a-w c:\windows\system32\dllcache\icam5com.dll
2009-05-15 15:37 . 2001-08-17 17:28 57471 -c--a-w c:\windows\system32\dllcache\hsf_samp.sys
2009-05-15 15:36 . 2001-08-18 02:36 119296 -c--a-w c:\windows\system32\dllcache\hpdigwia.dll
2009-05-15 15:35 . 2001-08-17 16:12 16074 -c--a-w c:\windows\system32\dllcache\fa312nd5.sys
2009-05-15 15:34 . 2001-08-17 16:11 70174 -c--a-w c:\windows\system32\dllcache\el98xn5.sys
2009-05-15 15:33 . 2001-08-18 02:36 419357 -c--a-w c:\windows\system32\dllcache\dgconfig.dll
2009-05-15 15:32 . 2001-08-17 16:13 27164 -c--a-w c:\windows\system32\dllcache\ce3n5.sys
2009-05-15 15:31 . 2004-08-04 02:29 57856 -c--a-w c:\windows\system32\dllcache\atinbtxx.sys
2009-05-15 15:17 . 2009-05-15 15:26 -------- d-----w c:\documents and settings\customer\Application Data\IObit
2009-05-15 15:17 . 2009-05-15 15:17 -------- d-----w c:\program files\IObit
2009-05-15 14:44 . 2009-05-15 14:44 -------- d-sh--w c:\documents and settings\customer\PrivacIE
2009-05-15 14:44 . 2009-05-15 14:44 -------- d-sh--w c:\documents and settings\customer\IECompatCache
2009-05-15 14:43 . 2009-05-15 14:43 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-15 14:43 . 2009-05-15 14:43 -------- d-sh--w c:\documents and settings\customer\IETldCache
2009-05-15 14:40 . 2006-10-17 17:06 78336 -c--a-w c:\windows\system32\dllcache\ieencode.dll
2009-05-15 14:40 . 2006-10-17 17:06 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-28 16:43 . 2009-04-28 16:49 -------- d-----w c:\documents and settings\customer\Local Settings\Application Data\Runscanner.net

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 18:08 . 2007-12-28 14:14 -------- d-----w c:\program files\DivX
2009-05-15 16:03 . 2005-05-13 04:49 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-15 15:27 . 2006-07-15 15:43 -------- d-----w c:\program files\Quicken WillMaker Plus 2006
2009-04-28 14:12 . 2005-05-13 04:50 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 14:16 . 2005-05-13 06:17 -------- d-----w c:\program files\Quicken
2009-04-24 14:09 . 2006-12-11 21:44 -------- d-----w c:\program files\ESET
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-05-01 2329936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 53248]
"TOSHIBA Accessibility"="c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-03-08 24576]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-29 675840]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-26 65536]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-24 28672]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-04-12 88358]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-04-20 28672]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-12-28 270336]
"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2004-05-01 24576]

c:\documents and settings\customer\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-12 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-5-13 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 8 Advanced\\FileMaker Pro Advanced.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=

S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [12/4/2006 12:12 PM 116078]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 13:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2896)
c:\windows\system32\msi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-19 13:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-19 17:17

Pre-Run: 47,958,048,768 bytes free
Post-Run: 47,895,433,216 bytes free

273

[tetonbob]

Logs don't appear to show signs of a file infector, but let's scan a couple core files to help be sure.

Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Please copy/paste the following:
  
  C:\WINDOWS\Explorer.EXE
  
  
• Then click the "Send File " button just below.
• This will scan the file. Please be patient.
• If you get a message saying File has already been analyzed: click Reanalyze file now
• Once scanned, copy and paste the results in your next reply.
  
• Please repeat for the following files:
  
  • 
    C:\WINDOWS\System32\svchost.exe
    

[p4tech]

Ran explorer.exe

File explorer.exe received on 05.19.2009 19:39:29 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/40 (0%)

now running svchost.ex

[p4tech]

svchost results:

File svchost.exe received on 05.19.2009 19:44:23 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/40 (0%)

[tetonbob]

Ok, good.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Code:

   http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/377089-ie-links-send-me-ad-sites.html#post2144495
   File::
   C:\Documents and Settings\customer\Local Settings\Temp\UAC93a.tmp
   C:\Documents and Settings\customer\Local Settings\Temp\UACf898.tmp
   Folder::
   C:\Program Files\Eset
   Registry::
   [HKEY_LOCAL_MACHINE\software\microsoft\security center]
   "AntiVirusOverride"=dword:00000000
   Collect::
   c:\windows\system32\drivers\UACdupfuiqhtprnrwi.sys

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   **Note**
   
   When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
   • Ensure you are connected to the internet and click OK on the message box.
   If you do not get a message box, please do the following:
   
   There should be a file named [4]-Submit_date@time.zip with today's date, located here:
   
   C:\QooBox\Quarantine\[4]-Submit_date@time.zip
   
   Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4
   
   Please let me know if you successfully submitted the file. Thanks.
   
   ------------------------------------------------------
   
5. Ensure your AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------
   

[p4tech]

(1) Combofix had update <ok>
(2) at end of generating log it asked to upload malware automatically <ok>
(3) log

ComboFix 09-05-19.04 - customer 05/19/2009 13:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.679 [GMT -4:00]
Running from: c:\documents and settings\customer\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\customer\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\customer\Local Settings\Temp\UAC93a.tmp
c:\documents and settings\customer\Local Settings\Temp\UACf898.tmp

file zipped: c:\windows\system32\drivers\UACdupfuiqhtprnrwi.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Eset
c:\program files\Eset\Install\advheur.nup
c:\program files\Eset\Install\archs.nup
c:\program files\Eset\Install\charon.nup
c:\program files\Eset\Install\engine.nup
c:\program files\Eset\Install\main.dll
c:\program files\Eset\Install\mfc42.dll
c:\program files\Eset\Install\mfc42u.dll
c:\program files\Eset\Install\msvcrt.dll
c:\program files\Eset\Install\ntbaseen.nup
c:\program files\Eset\Install\ntineten.nup
c:\program files\Eset\Install\ntstden.nup
c:\program files\Eset\Install\pwscan.nup
c:\program files\Eset\Install\readme.txt
c:\program files\Eset\Install\setup.exe
c:\program files\Eset\Install\setup.xml
c:\program files\Eset\Install\utilmod.nup
c:\program files\Eset\nod32.007
c:\windows\system32\drivers\UACdupfuiqhtprnrwi.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-15 15:56 . 2004-08-04 04:56 116224 -c--a-w c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-15 15:56 . 2001-08-18 02:36 23040 -c--a-w c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-15 15:56 . 2001-08-18 02:36 17408 -c--a-w c:\windows\system32\dllcache\xrxscnui.dll
2009-05-15 15:56 . 2001-08-18 02:37 27648 -c--a-w c:\windows\system32\dllcache\xrxftplt.exe
2009-05-15 15:54 . 2001-08-17 16:10 35871 -c--a-w c:\windows\system32\dllcache\wbfirdma.sys
2009-05-15 15:53 . 2001-08-17 17:28 7556 -c--a-w c:\windows\system32\dllcache\usroslba.sys
2009-05-15 15:52 . 2001-08-18 02:36 216064 -c--a-w c:\windows\system32\dllcache\um34scan.dll
2009-05-15 15:51 . 2001-08-17 16:10 28232 -c--a-w c:\windows\system32\dllcache\tos4mo.sys
2009-05-15 15:50 . 2001-08-17 17:50 103936 -c--a-w c:\windows\system32\dllcache\sx.sys
2009-05-15 15:49 . 2001-08-17 16:51 37040 -c--a-w c:\windows\system32\dllcache\sonypi.sys
2009-05-15 15:48 . 2004-08-04 04:56 188508 -c--a-w c:\windows\system32\dllcache\slgen.dll
2009-05-15 15:47 . 2001-08-17 17:53 6784 -c--a-w c:\windows\system32\dllcache\serscan.sys
2009-05-15 15:46 . 2001-08-18 02:36 62496 -c--a-w c:\windows\system32\dllcache\s3mtrio.dll
2009-05-15 15:45 . 2001-08-17 17:28 714762 -c--a-w c:\windows\system32\dllcache\r2mdmkxx.sys
2009-05-15 15:44 . 2001-08-17 17:53 7552 -c--a-w c:\windows\system32\dllcache\powerfil.sys
2009-05-15 15:43 . 2001-08-18 02:36 41984 -c--a-w c:\windows\system32\dllcache\ovui2rc.dll
2009-05-15 15:42 . 2001-08-17 16:49 51552 -c--a-w c:\windows\system32\dllcache\ntgrip.sys
2009-05-15 15:41 . 2001-08-17 17:50 75520 -c--a-w c:\windows\system32\dllcache\mxport.sys
2009-05-15 15:40 . 2001-08-17 16:50 320384 -c--a-w c:\windows\system32\dllcache\mgaum.sys
2009-05-15 15:39 . 2004-08-04 02:59 34688 -c--a-w c:\windows\system32\dllcache\lbrtfdc.sys
2009-05-15 15:38 . 2001-08-18 02:36 45056 -c--a-w c:\windows\system32\dllcache\icam5com.dll
2009-05-15 15:37 . 2001-08-17 17:28 57471 -c--a-w c:\windows\system32\dllcache\hsf_samp.sys
2009-05-15 15:36 . 2001-08-18 02:36 119296 -c--a-w c:\windows\system32\dllcache\hpdigwia.dll
2009-05-15 15:35 . 2001-08-17 16:12 16074 -c--a-w c:\windows\system32\dllcache\fa312nd5.sys
2009-05-15 15:34 . 2001-08-17 16:11 70174 -c--a-w c:\windows\system32\dllcache\el98xn5.sys
2009-05-15 15:33 . 2001-08-18 02:36 419357 -c--a-w c:\windows\system32\dllcache\dgconfig.dll
2009-05-15 15:32 . 2001-08-17 16:13 27164 -c--a-w c:\windows\system32\dllcache\ce3n5.sys
2009-05-15 15:31 . 2004-08-04 02:29 57856 -c--a-w c:\windows\system32\dllcache\atinbtxx.sys
2009-05-15 15:17 . 2009-05-15 15:26 -------- d-----w c:\documents and settings\customer\Application Data\IObit
2009-05-15 15:17 . 2009-05-15 15:17 -------- d-----w c:\program files\IObit
2009-05-15 14:44 . 2009-05-15 14:44 -------- d-sh--w c:\documents and settings\customer\PrivacIE
2009-05-15 14:44 . 2009-05-15 14:44 -------- d-sh--w c:\documents and settings\customer\IECompatCache
2009-05-15 14:43 . 2009-05-15 14:43 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-15 14:43 . 2009-05-15 14:43 -------- d-sh--w c:\documents and settings\customer\IETldCache
2009-05-15 14:40 . 2006-10-17 17:06 78336 -c--a-w c:\windows\system32\dllcache\ieencode.dll
2009-05-15 14:40 . 2006-10-17 17:06 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-28 16:43 . 2009-04-28 16:49 -------- d-----w c:\documents and settings\customer\Local Settings\Application Data\Runscanner.net

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 18:08 . 2007-12-28 14:14 -------- d-----w c:\program files\DivX
2009-05-15 16:03 . 2005-05-13 04:49 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-15 15:27 . 2006-07-15 15:43 -------- d-----w c:\program files\Quicken WillMaker Plus 2006
2009-04-28 14:12 . 2005-05-13 04:50 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 14:16 . 2005-05-13 06:17 -------- d-----w c:\program files\Quicken
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-05-01 2329936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 53248]
"TOSHIBA Accessibility"="c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-03-08 24576]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-29 675840]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-26 65536]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-24 28672]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-04-12 88358]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-04-20 28672]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-12-28 270336]
"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2004-05-01 24576]

c:\documents and settings\customer\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-12 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-5-13 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 8 Advanced\\FileMaker Pro Advanced.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=

S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [12/4/2006 12:12 PM 116078]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-05-19 14:02
ComboFix-quarantined-files.txt 2009-05-19 18:01
ComboFix2.txt 2009-05-19 17:18

Pre-Run: 47,872,798,720 bytes free
Post-Run: 47,860,957,184 bytes free

168
Upload was successful

[tetonbob]

Good. Next steps...protection.


Install this FREE AntiVirus program, update it, and run a full system scan. This is in addition to the quick scan suggested upon installation

Avira AntiVir Personal

There is an installation guide here

When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply. Do not be overly concerned with the results. Many may be in quarantine.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------

[p4tech]

Thanks log follows:



Avira AntiVir Personal
Report file date: Tuesday, May 19, 2009 14:22

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : TOSHIBA-BOB

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 13:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 12:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 19:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 01:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 16:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 1810
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 20:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 1810
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 19:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, May 19, 2009 14:22

Starting search for hidden objects.
'39326' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned
Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
Scan process 'RAMASST.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'TOSCDSPD.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'TvsTray.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'ZoomingHook.exe' - '1' Module(s) have been scanned
Scan process 'PadExe.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'TPSMain.exe' - '1' Module(s) have been scanned
Scan process 'CeEKey.exe' - '1' Module(s) have been scanned
Scan process 'TCtrlIOHook.exe' - '1' Module(s) have been scanned
Scan process 'FnKeyHook.exe' - '1' Module(s) have been scanned
Scan process 'TPTray.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'agrsmmsg.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'swupdtmr.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'DVDRAMSV.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'brss01a.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
54 processes with 54 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '71' files ).


Starting the file scan:

Begin scan in 'C:\' <SQ003633>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java-34c67dc3-7afac779.zip
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GC Java virus
--> Baaaaa.class
[DETECTION] Is the TR/Java.ClassLoader.AP.1 Trojan
--> BaaaaBaa.class
[DETECTION] Is the TR/Java.Downloader.Gen Trojan
--> Dex.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GC Java virus
--> Dix.class
[DETECTION] Is the TR/Agent.PH Trojan
--> Dvnny.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.Bytverify.4 Java virus
--> VaaaaaaaBaa.class
[DETECTION] Is the TR/Java.ClassLoader.AP Trojan
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-7c536992-7c331304.zip
[0] Archive type: ZIP
--> Java2SE.class
[DETECTION] Is the TR/Dldr.Java.OpenConnection.AR Trojan
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-354343b2.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-27fcf894.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.40 exploit
C:\Qoobox\Quarantine\C\U.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\dwltqnmx.exe.vir
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\Qoobox\Quarantine\C\WINDOWS\fkdnrwsv.dll.vir
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\Qoobox\Quarantine\C\WINDOWS\sxfnewqb.dll.vir
[DETECTION] Contains recognition pattern of the ADSPY/Agent.PB adware or spyware
C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir
[DETECTION] Is the TR/BHO.9216 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACdupfuiqhtprnrwi.sys.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028935.dll
[DETECTION] Is the TR/BHO.9216 Trojan
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029019.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029023.exe
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029024.dll
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029031.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.PB adware or spyware
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP475\A0029252.sys
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\pbritalj.dll
[DETECTION] Is the TR/Vundo.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java-34c67dc3-7afac779.zip
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.GC Java virus
[NOTE] The file was moved to '4a88ff89.qua'!
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-7c536992-7c331304.zip
[NOTE] The file was moved to '4fd6e342.qua'!
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-354343b2.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '4a7fff9e.qua'!
C:\Documents and Settings\customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-27fcf894.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '4a7fff9f.qua'!
C:\Qoobox\Quarantine\C\U.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a77ff57.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\dwltqnmx.exe.vir
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4a7effa0.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\fkdnrwsv.dll.vir
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4a76ff94.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\sxfnewqb.dll.vir
[DETECTION] Contains recognition pattern of the ADSPY/Agent.PB adware or spyware
[NOTE] The file was moved to '4a78ffa1.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir
[DETECTION] Is the TR/BHO.9216 Trojan
[NOTE] The file was moved to '4a7aff8e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACdupfuiqhtprnrwi.sys.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a55ff6a.qua'!
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028935.dll
[DETECTION] Is the TR/BHO.9216 Trojan
[NOTE] The file was moved to '4a42ff59.qua'!
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029019.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4983fa22.qua'!
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029023.exe
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4f23cb7a.qua'!
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029024.dll
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4f21bcea.qua'!
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0029031.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.PB adware or spyware
[NOTE] The file was moved to '4f26b422.qua'!
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP475\A0029252.sys
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4f27ac1a.qua'!
C:\WINDOWS\system32\pbritalj.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a84ff8b.qua'!


End of the scan: Tuesday, May 19, 2009 14:49
Used time: 26:28 Minute(s)

The scan has been done completely.

4945 Scanned directories
274496 Files were scanned
20 Viruses and/or unwanted programs were found
5 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
17 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
274469 Files not concerned
6818 Archives were scanned
2 Warnings
19 Notes
39326 Objects were scanned with rootkit scan
0 Hidden objects were found

[tetonbob]

Looks good. A few more steps, to help ensure nothing is lurking.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
• Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants. This scan will take a while, it's very thorough.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

Post new logs from DDS also, and let me know how the machine is behaving, please.

[p4tech]

Computer is running great, internet connection is faster. I am running Kaspersky step, which looks like it will take a few hours. Thanks

[tetonbob]

Thanks for letting me know. I'll look for the logs later. Yes, Kaspersky can take a while, upwards of an hour is not unusual, sometimes longer depending on the size of the disk(s) being scanned. Be sure no other applications are running, and your resident AV is disabled during the course of the scan.

[p4tech]

Yes, definitions took about 45mins to download also.

log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 19, 2009 20:32:57
Records in database: 2198945
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 60417
Threat name: 4
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:00:26


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACjixjrvjoewsrnti.sys.vir Infected: Trojan.Win32.Agent.chly 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACetxulhjjiyiuheq.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChlgfldkackkwqdh.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClwgwvollthqjmpm.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqhipxmpfaiqjwcp.dll.vir Infected: Trojan.Win32.TDSS.acbv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrqpqekbiroyfvem.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028919.sys Infected: Trojan.Win32.Agent.chly 1
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028920.dll Infected: Trojan.Win32.TDSS.acbv 1
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028921.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028922.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028923.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0028924.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP476\A0029317.dll Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

[tetonbob]

With infections being as they are today, it's best to get as much confirmation as we can, though I know it takes a long time for that final scan. The good news is...

The items Kaspersky found are in ComboFix quarantine or System Restore points, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean.You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
  
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[p4tech]

Thanks for all your help and I will follow your advice... thanks again.