Browser Search Hijack, Explorer and FF

[desertdrifter]

I get redirected when performing searches in Explorer and Firefox both.
Links on search results appear legit, get redirected when choosing a result. I scanned everything with everything and cleaned all I could to no avail. Also can not start up in safe mode.

Extreme thanks in advance for the work I have already read about on your threads here. Hope I am starting off right.

This is Media Center Edition 05.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Compaq_Administrator at 19:22:05.90 on Mon 10/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.286 [GMT -8:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch = hxxp://search.msn.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\05fhhf94.default\
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-6-6 30560]
S4 Indsrter;Indsrter;c:\windows\system32\drivers\tcpip6.sys [2004-8-10 223616]

=============== Created Last 30 ================

2009-10-27 02:45:45 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-27 02:45:29 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 02:45:29 0 d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
2009-10-27 02:44:35 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-27 01:12:59 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-27 01:12:59 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-27 01:11:40 0 d-----w- c:\program files\Kaspersky Lab
2009-10-27 01:11:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-10-27 01:03:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-10-26 19:54:51 0 d-----w- c:\docume~1\compaq~1\applic~1\LockTime
2009-10-24 23:08:25 0 d-----w- c:\docume~1\compaq~1\applic~1\GlarySoft
2009-10-24 23:07:17 0 d-----w- c:\program files\Glary Utilities
2009-10-21 04:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 05:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-11 17:25:59 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-10-11 17:25:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-11 15:51:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-03 03:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys

==================== Find3M ====================

2009-09-14 22:42:46 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-10 03:01:40 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-01 23:29:50 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-29 02:42:52 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2002-05-28 16:19:26 61440 ----a-w- c:\windows\inf\i386\onetUSD.dll
2002-05-20 16:22:08 36864 ----a-w- c:\windows\inf\i386\Vizmicro.dll
2002-05-20 16:20:36 172032 ----a-w- c:\windows\inf\i386\viceo.dll
2002-05-20 16:02:46 225280 ----a-w- c:\windows\inf\i386\rtscan.dll
2001-08-04 02:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys
2007-05-14 23:26:28 1481475 --sh--w- c:\windows\system32\onnmp.bak1
2007-05-22 22:45:01 1526732 --sh--w- c:\windows\system32\onnmp.bak2

============= FINISH: 19:24:15.25 ===============

[chemist]

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

• Open Spybot Search & Destroy.
• In the Mode menu click Advanced mode if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• If TeaTimer gives you a warning that changes were made, click the Allow Change box when prompted.
• In the File menu click Exit to exit Spybot Search & Destroy.

------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

[desertdrifter]

Thank-you chemist for your help.

Here is the combofix log as requested.

ComboFix 09-10-28.08 - Compaq_Administrator 10/30/2009 8:57.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.573 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Compaq_Administrator\err.log
c:\documents and settings\Compaq_Administrator\My Documents\tsdvd.reg
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\temp\17o7
c:\temp\17o7\tmpTF.log
c:\temp\tn3
c:\windows\system32\drivers\core.cache(2).dsk
c:\windows\system32\drivers\core.cache(3).dsk
c:\windows\system32\drivers\core.cache(4).dsk
c:\windows\system32\drivers\core.cache(5).dsk
c:\windows\system32\onnmp.bak1
c:\windows\system32\onnmp.bak2
c:\windows\system32\ps2.bat
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-30 06:39 . 2009-10-30 06:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-27 02:45 . 2009-10-27 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-27 02:45 . 2009-10-27 02:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 02:45 . 2009-10-27 02:45 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2009-10-27 02:44 . 2009-10-27 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 01:12 . 2009-10-27 01:12 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-27 01:12 . 2009-10-27 01:12 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-27 01:11 . 2009-10-30 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-27 01:11 . 2009-10-27 01:11 -------- d-----w- c:\program files\Kaspersky Lab
2009-10-27 01:03 . 2009-10-27 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-10-26 19:54 . 2009-10-26 19:54 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\LockTime
2009-10-25 15:42 . 2009-10-25 15:42 0 ----a-w- c:\windows\nsreg.dat
2009-10-24 23:08 . 2009-10-26 19:20 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GlarySoft
2009-10-24 23:07 . 2009-10-24 23:07 -------- d-----w- c:\program files\Glary Utilities
2009-10-21 04:34 . 2009-10-21 04:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 05:18 . 2009-10-15 05:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-11 17:25 . 2009-10-11 17:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2009-10-11 17:25 . 2009-10-11 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-11 15:51 . 2009-10-11 15:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-03 03:39 . 2009-10-03 03:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 00:45 . 2005-11-11 20:51 -------- d-----w- c:\program files\EnglishOtto
2009-10-26 19:41 . 2005-11-11 21:28 -------- d---a-w- c:\program files\TurboTax Online
2009-10-26 19:34 . 2005-11-11 21:16 -------- d-----w- c:\program files\Common Files\Real
2009-10-26 19:33 . 2008-05-16 20:13 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Netscape
2009-10-26 19:19 . 2007-05-25 01:03 -------- d-----w- c:\program files\a-squared Free
2009-10-26 19:15 . 2008-06-13 14:34 -------- d-----w- c:\program files\Flock
2009-10-26 19:15 . 2008-06-13 14:35 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Flock
2009-10-26 19:14 . 2005-11-11 21:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-26 19:13 . 2007-05-24 22:02 -------- d-----w- c:\program files\Seagate
2009-10-26 19:05 . 2009-05-22 17:46 -------- d-----w- c:\program files\Nsasoft
2009-10-26 19:02 . 2008-12-11 04:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-25 15:04 . 2007-05-23 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-25 15:03 . 2007-05-23 00:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-14 22:42 . 2009-09-14 22:42 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-13 03:03 . 2009-09-12 23:51 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
2009-09-13 03:03 . 2009-09-12 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 23:51 . 2009-09-12 23:50 -------- d-----w- c:\program files\iTunes
2009-09-12 23:51 . 2009-09-12 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-12 23:50 . 2009-09-12 23:50 -------- d-----w- c:\program files\iPod
2009-09-12 23:50 . 2009-09-12 23:48 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 23:50 . 2009-09-12 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 23:50 . 2009-09-12 23:50 -------- d-----w- c:\program files\Bonjour
2009-09-12 23:50 . 2009-09-12 23:49 -------- d-----w- c:\program files\QuickTime
2009-09-12 23:49 . 2009-09-12 23:49 -------- d-----w- c:\program files\Apple Software Update
2009-09-10 03:01 . 2009-09-10 03:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-01 23:29 . 2009-09-01 23:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-29 02:42 . 2009-09-12 23:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42 . 2009-09-12 23:49 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-10-15 43008]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2002-05-28 86016]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPwuSchd2.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DISCover"=c:\program files\DISC\DISCover.exe
"BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\NAVBrowser.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24645:TCP"= 24645:TCP:PORT_24645
"9504:TCP"= 9504:TCP:PORT_9504
"11817:TCP"= 11817:TCP:PORT_11817
"60601:TCP"= 60601:TCP:PORT_60601
"19598:TCP"= 19598:TCP:PORT_19598
"53945:TCP"= 53945:TCP:PORT_53945
"29500:TCP"= 29500:TCP:PORT_29500
"17697:TCP"= 17697:TCP:PORT_17697
"22468:TCP"= 22468:TCP:PORT_22468
"57805:TCP"= 57805:TCP:PORT_57805
"53398:TCP"= 53398:TCP:PORT_53398
"7332:TCP"= 7332:TCP:PORT_7332
"53575:TCP"= 53575:TCP:PORT_53575
"53629:TCP"= 53629:TCP:PORT_53629
"17436:TCP"= 17436:TCP:PORT_17436
"59661:TCP"= 59661:TCP:PORT_59661
"10575:TCP"= 10575:TCP:PORT_10575
"21717:TCP"= 21717:TCP:PORT_21717
"64028:TCP"= 64028:TCP:PORT_64028
"31935:TCP"= 31935:TCP:PORT_31935
"45044:TCP"= 45044:TCP:PORT_45044
"7941:TCP"= 7941:TCP:PORT_7941
"54445:TCP"= 54445:TCP:PORT_54445
"33528:TCP"= 33528:TCP:PORT_33528
"11137:TCP"= 11137:TCP:PORT_11137
"24557:TCP"= 24557:TCP:PORT_24557

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 3:42 PM 156968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [6/6/2009 12:47 PM 30560]
S4 Indsrter;Indsrter;c:\windows\system32\drivers\tcpip6.sys [8/10/2004 4:00 AM 223616]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-30 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-10-24 02:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\05fhhf94.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 09:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(320)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\A-SQUARED FREE\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\hp\KBD\KBD.EXE
.
**************************************************************************
.
Completion time: 2009-10-30 9:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 17:12

Pre-Run: 160,977,780,736 bytes free
Post-Run: 161,046,679,552 bytes free

- - End Of File - - 234B423504AEF744846BE49E02409ADD

[chemist]

Hello again, desertdrifter. Are you aware of all those open ports? Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
• Scroll down to where it says Java Runtime Environment (JRE) 6 Update 16 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
• Click the Download button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
• Click Continue The page will refresh.
• Click on the link to download Windows Offline Installation and Save the file to your Desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
• Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

• After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.
  • Delete jre-6u16-windows-i586-p.exe from your desktop.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here to run an online scannner from ESET and Save the file to your Desktop.

• If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
• Turn off the real-time scanner of any existing antivirus program while performing the online scan.
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the ActiveX control to install.
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Next to 'Current scan targets: Operating memory, Local drives, click the Change.. button.
• Tick all the boxes that correspond to your external/inserted drives.
• Click Scan
• Wait for the scan to finish.
• Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Copy/paste that log as a reply to this topic and also let me know how things are now.

------------------------------------------------------

If you have trouble with your computer blocking the ActiveX, go here and temporarily turn the feature off:

http://www.windowsreference.com/inte...the-publisher/

Remember to turn it back on after the scan!

------------------------------------------------------

Please post the following in your next reply:

ESET report
report on system behavior

[desertdrifter]

Hello chemist,
Sorry for the delay.

I became aware of Java being outdated but wasn't sure about upgrading with a virus. As to the open ports. I disconnected from the internet and decided to turn off windows firewall too while the scan ran. I turned it back on before I reconnected. Could that be why the ports showed open? I did some searches and had no issues with redirects with the short tryout I gave it. So I am happy for that to be done with.

Anyway I performed the next set of tasks you gave me and here is the result of the scan.

Thank you again for your time.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fa31b176b6c6c740914c191458d43a1d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-31 02:15:25
# local_time=2009-10-30 06:15:25 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 16957471 16957471 0 0
# compatibility_mode=1280 16777191 100 0 0 0 0 0
# compatibility_mode=5892 16776574 0 20 76145985 96768489 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=101056
# found=3
# cleaned=0
# scan_time=3982
C:\Qoobox\Quarantine\C\WINDOWS\system32\onnmp.bak1.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\onnmp.bak2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus 00000000000000000000000000000000 I

[chemist]

Hello again, desertdrifter. QooBox is ComboFix's quarantine folder. Those will get deleted when we uninstall ComboFix.

Those open ports aren't due to disabling Windows Firewall. Are you able to access Safe Mode now?

I see you already have MBAM on your machine.

• Launch Malwarebytes' Anti-Malware
• Under the Update tab, click Check for Updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy/Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

------------------------------------------------------

[desertdrifter]

Hello again chemist,

I am able to use "Safe Mode" now. I didn't catch the "quick scan" instruction so I did a full scan and did it in safe mode. I also downloaded "active ports" from CNET and have that log if you'd like to review it. I don't believe there is anything going on there, but that's kinda how I ended up here.

Here is the log from MBAM.

Malwarebytes' Anti-Malware 1.41
Database version: 3065
Windows 5.1.2600 Service Pack 2 (Safe Mode)

10/31/2009 6:46:32 AM
mbam-log-2009-10-31 (06-46-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 215893
Time elapsed: 1 hour(s), 54 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[chemist]

Yes, I would like to see that report, please.

[desertdrifter]

chemist,
Here is the log. It doesn't translate to txt well though, but it should give you an idea. I chose to attach it.

Thanks.

[chemist]

Hello again, desertdrifter. None of those ports in your log appear to be active. If you want to close them, let me know. Otherwise, your logs appear clean. Let me know, and I will give you some final instructions.

------------------------------------------------------

[desertdrifter]

Hello chemist,

Yeah, I guess I can close them. Ready for next instructions.

[chemist]

Hello again, desertdrifter.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"24645:TCP"=-
"9504:TCP"=-
"11817:TCP"=-
"60601:TCP"=-
"19598:TCP"=-
"53945:TCP"=-
"29500:TCP"=-
"17697:TCP"=-
"22468:TCP"=-
"57805:TCP"=-
"53398:TCP"=-
"7332:TCP"=-
"53575:TCP"=-
"53629:TCP"=-
"17436:TCP"=-
"59661:TCP"=-
"10575:TCP"=-
"21717:TCP"=-
"64028:TCP"=-
"31935:TCP"=-
"45044:TCP"=-
"7941:TCP"=-
"54445:TCP"=-
"33528:TCP"=-
"11137:TCP"=-
"24557:TCP"=-

Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Try using your usual programs. Any issues after having closed those ports?

------------------------------------------------------

[desertdrifter]

Hi chemist,
Completed that and all seems ok. Won't be able to put it through all it's paces until later in the week.

[chemist]

Hello again, desertdrifter. If you encounter any issues, give me a PM.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable Kaspersky before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

Please re-enable TeaTimer:

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident".
• Check the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.

------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

• How Did I Get Infected In The First Place? by TonyKlein
• How to Prevent Malware by miekiemoes

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
  WOT has an add-on available for both Firefox and IE.
  
• SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  
• MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Download Host.zip and Save it to your Desktop.
  • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
  • Follow the prompts and click 'Finish'.
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Once updated you should see another prompt that the task was completed.

Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.

[desertdrifter]

chemist,

Thank-you so much for your assistance. I will definitely heed your final advice. I hope that anyone that reads this and chooses to use your and this forums help will take the time to donate. Especially when donating starts at mere $3.99.

Sincerely,
desertdrifter

[chemist]

You're very welcome, desertdrifter! Glad to have helped.