Old 07-07-2009, 07:58 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: XP


[SOLVED] Overclick.cn redirect issue

Yahoo and google searches go to overclick.cn websites

Instructions followed, Thank you very much and please advise


DDS (Ver_09-06-26.01) - NTFSx86
Run by Tom Rothstein at 19:41:08.84 on Tue 07/07/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {11AE1394-4382-4DCB-B085-E1A3C8F4EC54} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [pdfFactory Pro Dispatcher v2] "c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe" /source=HKLM
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.jetsetpoker.com/setup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {96F2228B-0D43-48AC-B857-29972C87EBA4} - hxxp://www.cpa-exam.org/AICPATutorial/install/CRItem.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5654/mcfscan.cab
Filter: text/html - {a15326e7-4506-4268-9e5e-34c5db0eba06} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
AppInit_DLLs: hpyjkm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-02 10:54 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-30 14:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-30 14:35 <DIR> --d----- c:\docume~1\tomrot~1\applic~1\SUPERAntiSpyware.com
2009-06-22 23:54 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-22 23:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-22 23:19 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 23:19 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 23:19 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-22 23:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-22 23:18 <DIR> --d----- c:\program files\AVG
2009-06-22 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-22 21:41 <DIR> --d----- c:\windows\McAfee.com

==================== Find3M ====================

2009-07-06 16:25 63,192 a------- c:\docume~1\tomrot~1\applic~1\GDIPFONTCACHEV1.DAT
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 18:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121220081213\index.dat

============= FINISH: 19:44:43.29 ===============
Attached Files
File Type: zip Attach.zip (7.2 KB, 1 views)

Last edited by onthenoseplayer; 07-07-2009 at 08:00 PM.
Old 07-08-2009, 06:01 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,461
OS: XP SP3


Re: Overclick.cn redirect issue

Hello and welcome to TSF.

Please note that the fix may require more than one round to properly eradicate. Stay with me until you're given the "all clear", even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions in the order they are presented, and please do no self-fixing or running of scanners unless requested by me or another helper at this forum.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

==========================

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

============================

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    How to disable AVG

    Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.

    * Click on Tools.
    * Select Advanced Settings.
    * In the left hand pane, scroll down to "Resident Shield".
    * In the main pane, deselect the option to "Enable Resident Shield."
    * To re-enable AVG 8, please select "Enable Resident Shield" again.


    How to disable SuperAntiSpyware:

    • Open SUPERAntiSpyware
    • Click on Preferences
    • Click on the Hi-Jack Protection tab
    • Under Home Page Protection, uncheck "Protect Home Page from being changed. Changes can only be made here."
    • Click on Close.
    • Close SUPERAntiSpyware
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done it.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 07-08-2009, 12:14 PM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: XP


Re: Overclick.cn redirect issue

Combofix Log, per request, thank you very much for the help, appreciate it greatly

ComboFix 09-07-08.01 - Tom Rothstein 07/08/2009 12:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.190 [GMT -5:00]
Running from: c:\documents and settings\Tom Rothstein\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-262244566-2815828175-226779046-500
c:\windows\Installer\11674790.msi
c:\windows\Installer\11674796.msi
c:\windows\Installer\119c4.msi
c:\windows\Installer\79bdf72.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\SKYNETwlfwvrlt.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SKYNETccraliia.dat
c:\windows\system32\SKYNEThsxdfvtr.dat
c:\windows\system32\SKYNETososjsnt.dll
c:\windows\system32\SKYNETquahcwli.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETgvbatsvw
-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-05 15:48 . 2009-06-23 04:19 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-05 15:48 . 2009-06-23 04:18 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-05 15:48 . 2009-06-23 04:18 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-05 15:48 . 2009-06-23 04:19 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-05 15:48 . 2009-06-23 04:18 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-05 15:48 . 2009-06-23 04:18 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-05 15:48 . 2009-07-05 15:47 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-05 15:47 . 2009-06-23 04:18 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-05 15:47 . 2009-06-23 04:18 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-02 15:56 . 2009-07-08 17:54 117760 ----a-w- c:\documents and settings\Tom Rothstein\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 15:54 . 2009-07-02 15:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 13:30 . 2009-07-05 15:47 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-30 20:41 . 2009-06-30 20:41 152576 ----a-w- c:\documents and settings\Tom Rothstein\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 19:35 . 2009-07-02 15:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-30 19:35 . 2009-07-02 15:55 -------- d-----w- c:\documents and settings\Tom Rothstein\Application Data\SUPERAntiSpyware.com
2009-06-23 07:19 . 2009-06-23 07:19 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-06-23 04:54 . 2009-07-07 15:02 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-23 04:23 . 2009-06-14 21:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-23 04:19 . 2009-06-23 04:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-23 04:19 . 2009-06-23 04:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-23 04:19 . 2009-07-05 15:47 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-23 04:19 . 2009-06-23 04:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-23 04:19 . 2009-07-08 17:18 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-23 04:19 . 2009-06-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-23 04:18 . 2009-06-23 04:18 -------- d-----w- c:\program files\AVG
2009-06-23 04:18 . 2009-06-23 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-23 02:46 . 2009-06-23 02:46 865544 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-06-23 02:46 . 2009-06-23 02:46 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-06-23 02:46 . 2009-06-23 02:46 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-06-23 02:41 . 2009-06-23 02:41 -------- d-----w- c:\windows\McAfee.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 01:33 . 2004-09-28 02:02 63192 ----a-w- c:\documents and settings\Tom Rothstein\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-30 20:42 . 2004-05-11 20:35 -------- d-----w- c:\program files\Java
2009-06-30 15:41 . 2009-01-19 23:50 -------- d-----w- c:\program files\Common Files\Intuit
2009-06-24 22:47 . 2009-01-20 00:42 4425 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-06-23 04:11 . 2008-07-02 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-22 22:45 . 2009-01-19 23:31 -------- d-----w- c:\documents and settings\Tom Rothstein\Application Data\Download Manager
2009-06-21 15:13 . 2008-11-23 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 15:12 . 2008-12-13 23:32 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 16:27 . 2008-11-23 04:49 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2008-11-23 04:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 16:33 . 2008-11-10 04:09 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 15:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2004-03-25 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2003-10-07 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-01-05 466944]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 23:49 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-23 04:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 11:19 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/22/2009 11:19 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [5/11/2004 4:03 PM 5760]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 11:18 PM 298776]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [5/11/2004 4:03 PM 126976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/23/2004 11:39 AM 20160]
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-07-08 c:\windows\Tasks\User_Feed_Synchronization-{DC8D99CC-1EFC-428C-9120-6510801C45FB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{11AE1394-4382-4DCB-B085-E1A3C8F4EC54} - (no file)
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 12:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(3856)
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RegSrvc.exe
c:\toshiba\Ivp\Swupdate\swupdtmr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\TME3\TMEEJME.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\1XConfig.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-08 13:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 18:08

Pre-Run: 14,379,532,288 bytes free
Post-Run: 14,422,126,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

207 --- E O F --- 2008-08-15 22:26
Old 07-08-2009, 01:24 PM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,461
OS: XP SP3


Re: Overclick.cn redirect issue

Hi,

Looks good but we still have some things to do. How is the computer behaving now?

LimeWire
LimeWire 4.8.1


These are p2p file sharing programs installed on your system. This practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it via Add or Remove Programs in Control Panel as suggested in our
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link
=====================

Adobe Reader 7.0.8

Your Adobe Reader is out of date. You may want to uninstall it and download the latest version, Adobe® Reader® 9.1.

====================
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

DDS::
uInternet Connection Wizard,ShellNext = iexplore
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


============================

Let's search for any remnants with an online scan. Kaspersky is a good one. Establish an internet connection with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

===========================

Please post back the Kaspersky results along with the Combofix.txt as well as the feed back on the system behavior.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 07-08-2009 at 01:28 PM.
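The entries the helper acted on in the logs above (autostart entries whose file is gone, a non-empty AppInit_DLLs loader, the Windows Firewall switched off, and a P2P client in the firewall exception list) can be picked out of DDS and ComboFix output mechanically, and the removal lines can be rendered in the CFScript layout used in post #4. This is an added example, not code from the thread or from the DDS/ComboFix tools; the P2P name list, the category labels, the `triage` and `build_cfscript` functions are its own assumptions, and the sample lines are copied from the logs in this thread.

```python
import re

# Constructed sample: a handful of lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
BHO: {11AE1394-4382-4DCB-B085-E1A3C8F4EC54} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uInternet Connection Wizard,ShellNext = iexplore
AppInit_DLLs: hpyjkm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

# Assumption: P2P clients the helper asks to have removed (named in post #4).
P2P_NAMES = ("limewire", "utorrent", "bittorrent", "morpheus")

# Key the firewall exception list lives under, as printed by ComboFix above.
AUTHORIZED_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def triage(log_text):
    """Return a list of (category, detail) findings from DDS/ComboFix log text."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            # A "[HKLM\...]" header: remember it for the "name"=data lines that follow.
            current_key = key_match.group("key").lower()
            continue
        # DDS-style BHO/TB entries whose CLSID no longer points at a file.
        if line.endswith("- No File"):
            findings.append(("orphan", line))
            continue
        # AppInit_DLLs is loaded into every user-mode process; non-empty needs review.
        if line.startswith("AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                findings.append(("appinit", dlls))
            continue
        # The DDS line the helper reset through the DDS:: section of the CFScript.
        if line.startswith("uInternet Connection Wizard,ShellNext"):
            findings.append(("shellnext", line))
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name, data = value_match.group("name"), value_match.group("data")
        if current_key.endswith("security center") and name == "FirewallOverride":
            if data.lower() == "dword:00000001":
                findings.append(("firewall", "FirewallOverride=1"))
        elif current_key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
            if data.startswith("0"):
                findings.append(("firewall", "EnableFirewall=0"))
        elif current_key.endswith(r"authorizedapplications\list"):
            # Every value name here is a program path allowed through the firewall.
            if any(p2p in name.lower() for p2p in P2P_NAMES):
                findings.append(("p2p_exception", name))
    return findings


def build_cfscript(findings):
    """Render findings as a CFScript in the layout of post #4.

    Under Registry::, a "name"=- line asks ComboFix to delete that value; under
    DDS::, the DDS line is repeated so ComboFix resets it. Only the P2P firewall
    exceptions and the ShellNext entry are turned into script lines here.
    """
    exceptions = [detail for cat, detail in findings if cat == "p2p_exception"]
    dds_lines = [detail for cat, detail in findings if cat == "shellnext"]
    parts = []
    if exceptions:
        parts.append("Registry::")
        parts.append("[" + AUTHORIZED_KEY + "]")
        parts.extend('"%s"=-' % name for name in exceptions)
    if dds_lines:
        if parts:
            parts.append("")
        parts.append("DDS::")
        parts.extend(dds_lines)
    return "\n".join(parts)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print("%-14s %s" % (category, detail))
    print()
    print(build_cfscript(results))
```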
Old 07-08-2009, 02:20 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: XP


Re: Overclick.cn redirect issue

2nd Combofix log, running Kaspersky right now

ComboFix 09-07-08.01 - Tom Rothstein 07/08/2009 15:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.263 [GMT -5:00]
Running from: c:\documents and settings\Tom Rothstein\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom Rothstein\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-08 18:00 . 2009-07-08 18:00 -------- d-----w- c:\windows\LastGood
2009-07-05 15:48 . 2009-06-23 04:19 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-05 15:48 . 2009-06-23 04:18 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-05 15:48 . 2009-06-23 04:18 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-05 15:48 . 2009-06-23 04:19 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-05 15:48 . 2009-06-23 04:18 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-05 15:48 . 2009-06-23 04:18 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-05 15:48 . 2009-07-05 15:47 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-05 15:47 . 2009-06-23 04:18 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-05 15:47 . 2009-06-23 04:18 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-02 15:56 . 2009-07-08 17:54 117760 ----a-w- c:\documents and settings\Tom Rothstein\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 15:54 . 2009-07-02 15:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 13:30 . 2009-07-05 15:47 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-30 20:41 . 2009-06-30 20:41 152576 ----a-w- c:\documents and settings\Tom Rothstein\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 19:35 . 2009-07-02 15:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-30 19:35 . 2009-07-02 15:55 -------- d-----w- c:\documents and settings\Tom Rothstein\Application Data\SUPERAntiSpyware.com
2009-06-23 07:19 . 2009-06-23 07:19 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-06-23 04:54 . 2009-07-07 15:02 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-23 04:23 . 2009-06-14 21:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-23 04:19 . 2009-06-23 04:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-23 04:19 . 2009-06-23 04:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-23 04:19 . 2009-07-05 15:47 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-23 04:19 . 2009-06-23 04:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-23 04:19 . 2009-07-08 17:18 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-23 04:19 . 2009-06-23 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-23 04:18 . 2009-06-23 04:18 -------- d-----w- c:\program files\AVG
2009-06-23 04:18 . 2009-06-23 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-23 02:46 . 2009-06-23 02:46 865544 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-06-23 02:46 . 2009-06-23 02:46 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-06-23 02:46 . 2009-06-23 02:46 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-06-23 02:41 . 2009-06-23 02:41 -------- d-----w- c:\windows\McAfee.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 01:33 . 2004-09-28 02:02 63192 ----a-w- c:\documents and settings\Tom Rothstein\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-30 20:42 . 2004-05-11 20:35 -------- d-----w- c:\program files\Java
2009-06-30 15:41 . 2009-01-19 23:50 -------- d-----w- c:\program files\Common Files\Intuit
2009-06-24 22:47 . 2009-01-20 00:42 4425 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-06-23 04:11 . 2008-07-02 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-22 22:45 . 2009-01-19 23:31 -------- d-----w- c:\documents and settings\Tom Rothstein\Application Data\Download Manager
2009-06-21 15:13 . 2008-11-23 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 15:12 . 2008-12-13 23:32 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 16:27 . 2008-11-23 04:49 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2008-11-23 04:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 16:33 . 2008-11-10 04:09 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-08_17.53.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-03 06:02 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2008-02-03 06:02 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2004-05-11 17:24 . 2009-04-22 01:40 68504 c:\windows\system32\perfc009.dat
+ 2004-05-11 17:24 . 2009-07-08 17:59 68504 c:\windows\system32\perfc009.dat
+ 2009-07-08 18:06 . 2008-07-08 13:02 17272 c:\windows\$NtUninstallKB956802$\spmsg.dll
+ 2009-07-08 18:06 . 2008-07-08 13:02 26488 c:\windows\$NtUninstallKB956802$\spcustom.dll
- 2004-05-11 17:24 . 2009-04-22 01:40 417300 c:\windows\system32\perfh009.dat
+ 2004-05-11 17:24 . 2009-07-08 17:59 417300 c:\windows\system32\perfh009.dat
+ 2008-10-23 12:36 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
+ 2009-07-08 18:06 . 2008-07-09 07:38 382840 c:\windows\$NtUninstallKB956802$\updspapi.dll
+ 2009-07-08 18:06 . 2008-07-09 07:38 755576 c:\windows\$NtUninstallKB956802$\update.exe
+ 2009-07-08 18:06 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB956802$\spuninst.exe
+ 2008-12-10 15:37 . 2008-02-20 06:51 282624 c:\windows\$NtUninstallKB956802$\gdi32.dll
+ 2008-12-13 00:04 . 2008-10-23 12:36 286720 c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:51 . 2008-10-23 12:51 284160 c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 15:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2004-03-25 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2003-10-07 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-01-05 466944]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 23:49 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-23 04:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 11:19 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/22/2009 11:19 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [5/11/2004 4:03 PM 5760]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 11:18 PM 298776]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [5/11/2004 4:03 PM 126976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/23/2004 11:39 AM 20160]
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-07-08 c:\windows\Tasks\User_Feed_Synchronization-{DC8D99CC-1EFC-428C-9120-6510801C45FB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(2348)
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-08 15:16
ComboFix-quarantined-files.txt 2009-07-08 20:15
ComboFix2.txt 2009-07-08 18:09

Pre-Run: 14,426,116,096 bytes free
Post-Run: 14,424,113,152 bytes free

166 --- E O F --- 2008-08-15 22:26
Old 07-08-2009, 04:53 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: XP


Re: Overclick.cn redirect issue

Both reports posted. I haven't noticed a difference in the system because I haven't tried to search something on Yahoo yet; waiting on your command. I have 6 infected; please advise.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 08, 2009 21:40:31
Records in database: 2445441
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 49440
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:02:58


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETwlfwvrlt.sys.vir Infected: Rootkit.Win32.TDSS.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETososjsnt.dll.vir Infected: Trojan.Win32.Monder.cpxu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETquahcwli.dll.vir Infected: Trojan.Win32.Small.cad 1
C:\System Volume Information\_restore{17C2EA92-9D3E-43AC-8D73-E51ADE87937C}\RP0\A0000001.sys Infected: Rootkit.Win32.TDSS.q 1
C:\System Volume Information\_restore{17C2EA92-9D3E-43AC-8D73-E51ADE87937C}\RP0\A0000002.dll Infected: Trojan.Win32.Monder.cpxu 1
C:\System Volume Information\_restore{17C2EA92-9D3E-43AC-8D73-E51ADE87937C}\RP0\A0000003.dll Infected: Trojan.Win32.Small.cad 1

The selected area was scanned.
Old 07-08-2009, 04:57 PM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,461
OS: XP SP3


Re: Overclick.cn redirect issue

Hi,

The result is good. The infected items cannot harm you from where they are, i.e. System Restore cache and the quarantine folder of Combofix. And, they will be cleared with the final steps when you let me know if everything is OK.

Please try searching and let me know.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 07-08-2009 at 04:59 PM.
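The helper's point above, that a detection is only a threat if the file sits somewhere the system can still load it from, is the triage step a responder performs on every scanner report. The following Python script is an added example, not code from the forum, from ComboFix or from Kaspersky: it parses detection lines in the "File name / Threat name / Threats count" layout of the report posted in this thread and sorts each hit by location. The location classes (ComboFix's quarantine under C:\Qoobox\Quarantine, the System Restore cache under System Volume Information\_restore, and anything else counted as "live") are this example's own assumption; the six sample lines are copied from the report above, and the seventh, with a made-up file and threat name, is constructed here so the "live" branch is exercised.

```python
"""Sort scanner detections by whether the file is contained or still live.

Added example for the thread above; not part of ComboFix, Kaspersky or the
forum's own procedure. Location classes are this example's assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# One detection per line: "<path> Infected: <threat> <count>".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Lines taken from the Kaspersky report above, plus one constructed "live"
# hit (example_live.sys / Example.Constructed.Name are placeholders, not real
# indicators) so that every branch below is exercised.
SAMPLE_REPORT_LINES = [
    "File name / Threat name / Threats count",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETwlfwvrlt.sys.vir Infected: Rootkit.Win32.TDSS.q 1",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETososjsnt.dll.vir Infected: Trojan.Win32.Monder.cpxu 1",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETquahcwli.dll.vir Infected: Trojan.Win32.Small.cad 1",
    r"C:\System Volume Information\_restore{17C2EA92-9D3E-43AC-8D73-E51ADE87937C}\RP0\A0000001.sys Infected: Rootkit.Win32.TDSS.q 1",
    r"C:\System Volume Information\_restore{17C2EA92-9D3E-43AC-8D73-E51ADE87937C}\RP0\A0000002.dll Infected: Trojan.Win32.Monder.cpxu 1",
    r"C:\System Volume Information\_restore{17C2EA92-9D3E-43AC-8D73-E51ADE87937C}\RP0\A0000003.dll Infected: Trojan.Win32.Small.cad 1",
    r"C:\WINDOWS\system32\drivers\example_live.sys Infected: Example.Constructed.Name 1",  # constructed
    "",
    "The selected area was scanned.",
]


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int
    location: str  # "quarantine", "restore_point" or "live"


def classify_location(path: str) -> str:
    """Decide whether a detected file can still be loaded by the OS.

    Quarantine and restore-point copies are inert until restored, which is
    why the helper treats them as harmless pending the final cleanup step.
    """
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_detection(line: str) -> Detection:
    """Parse one detection line; raises ValueError on anything else."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a detection line: {line!r}")
    return Detection(m["path"], m["threat"], int(m["count"]), classify_location(m["path"]))


def triage(lines: List[str]) -> Dict[str, List[Detection]]:
    """Bucket every detection in a report by location, skipping header/trailer lines."""
    buckets: Dict[str, List[Detection]] = {"quarantine": [], "restore_point": [], "live": []}
    for line in lines:
        if " Infected: " not in line:
            continue  # column header, blank line or "The selected area was scanned."
        det = parse_detection(line)
        buckets[det.location].append(det)
    return buckets


def live_hits(lines: List[str]) -> List[Detection]:
    """Detections that still need action: files outside quarantine and restore points."""
    return triage(lines)["live"]


def neutralized_threats(lines: List[str]) -> Set[str]:
    """Threat names seen only in contained locations (nothing live carries them)."""
    buckets = triage(lines)
    live = {d.threat for d in buckets["live"]}
    contained = {d.threat for d in buckets["quarantine"] + buckets["restore_point"]}
    return contained - live


if __name__ == "__main__":
    for location, dets in triage(SAMPLE_REPORT_LINES).items():
        print(f"{location:14s} {len(dets)} hit(s)")
        for d in dets:
            print(f"    {d.threat:28s} {d.path}")
    print("needs action:", [d.path for d in live_hits(SAMPLE_REPORT_LINES)])
```

Run against the report as posted (without the constructed seventh line) the "live" bucket is empty and all three threat names come back from neutralized_threats, which is exactly the reading the helper gives: nothing to do until ComboFix's uninstall step purges the quarantine and resets System Restore.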
Old 07-08-2009, 08:23 PM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: XP


Re: Overclick.cn redirect issue

Quote:
Originally Posted by amateur
Hi,

The result is good. The infected items cannot harm you from where they are, i.e. System Restore cache and the quarantine folder of Combofix. And, they will be cleared with the final steps when you let me know if everything is OK.

Please try searching and let me know.
Searching is all good as of now; I checked a couple of different things and no redirect. Thank you VERY much for helping me out; you people here are amazing.
Old 07-08-2009, 08:38 PM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,461
OS: XP SP3


Re: Overclick.cn redirect issue

That's great. You can go ahead and delete GMER from your desktop, if you haven't already.
  • Click Start then Run
  • Now type Combofix /u in the Run box and click OK. Notice the space between Combofix and the /.

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!

Last edited by amateur; 07-09-2009 at 07:13 AM. Reason: typo
Old 07-09-2009, 07:07 AM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: XP


Re: Overclick.cn redirect issue

All good, thanks for all your help; appreciate it greatly.
Old 07-09-2009, 07:10 AM   #11 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,461
OS: XP SP3


Re: Overclick.cn redirect issue

You're very welcome. Glad to have been able to help. Stay safe!
 


All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum