1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Deadly 66.230.188.67 virus

Discussion in 'Windows - Virus and spyware problems' started by slub77, Sep 14, 2010.

  1. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    That got rid of the Rootkit and I see No Other Ghosts that might haunt you. :)

    You're Clean!

    Have a Happy!

    2oG
     
  2. funkk

    funkk Member

    Joined:
    Sep 22, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Thats great...Thank you very much...Now I can browse/use computer happily knowing there is no scare. Thanks again for all your time and help.
     
  3. sirk

    sirk Member

    Joined:
    Oct 18, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    Hi 2oldGeek,

    I have been having similar problem to funkk and slub77 and was hoping you could have a look at my scan logs.
    Sometimes I do get redirected to other sites and sometimes Ad-Aware live watch stops the IP66.230.188.67 to redirect me.
    I have tried to follow the instructions you have posted for funk but then when I scan with Superantispyware it keeps finding this one ad-ware which I regularly remove and that keeps reappearing.
    When click on links from google searches I get redirected about once every 3 times.
    Would you be so kind to help me ,if and when, you have a moment please?It's driving me insane.
    Please see below my scan logs for HiJackthis,Combofix (for some reason I am not able to see the scan log for SuperAntispyware but the item found was C:User\Kristiano\AppData\Roaming\Microsoft\Windows\Cookies\kristiano@atdmt[2].txt.
    Thank you in advance for your help and time.

    Regards

    This is the log before running Combofix

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:59:07, on 18/10/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Users\Kristiano\Things\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-GB;_rv:1.9.2.3)_Gecko/20100401_Firefox/3.6.3_(.NET_CLR_3.5.30729)" -"http://www.bbc.co.uk/gardening/htbg2/virtual_garden/shockwave/garden3.shtml"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-gb/wlscctrl2.cab
    O20 - AppInit_DLLs:
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8403 bytes

    ComboFix 10-10-17.03 - Kristiano 18/10/2010 11:35:45.1.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.1015.333 [GMT 1:00]
    Running from: c:\users\Kristiano\Desktop\combofix.exe
    Command switches used :: /killall
    FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}
    c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\chrome.manifest
    c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\chrome\content\_cfg.js
    c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\chrome\content\overlay.xul
    c:\users\Kristiano\AppData\Local\{8DF802E4-094B-4079-A1A5-676272485B8B}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
    .

    2010-10-18 10:44 . 2010-10-18 10:59 -------- d-----w- c:\users\Kristiano\AppData\Local\temp
    2010-10-18 10:44 . 2010-10-18 10:44 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-16 12:06 . 2010-10-16 12:06 -------- d-----w- c:\users\Kristiano\AppData\Roaming\SUPERAntiSpyware.com
    2010-10-16 12:06 . 2010-10-16 12:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-10-16 12:06 . 2010-10-16 12:06 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-10-15 06:00 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EC6BD40B-5D29-4A23-88C6-D998BA24C575}\mpengine.dll
    2010-10-14 11:21 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2010-10-14 11:21 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-10-14 11:20 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-10-14 11:19 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-10-14 11:19 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-10-14 11:19 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-10-14 11:19 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-10-14 11:19 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
    2010-10-14 11:17 . 2010-09-08 17:23 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-29 07:04 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-09-28 09:40 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-09-28 08:40 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-09-28 08:40 . 2010-09-28 08:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-28 08:33 . 2010-09-28 08:33 -------- d-----w- c:\users\Kristiano\AppData\Local\Sunbelt Software
    2010-09-28 08:32 . 2010-09-28 08:32 -------- dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-09-23 11:41 . 2010-09-23 11:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-09-22 17:10 . 2010-09-22 17:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-09-22 17:10 . 2010-09-22 17:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-24 39408]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-12 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-12 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-12 129560]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 159744]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-26 202256]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-08-12 15008]
    R3 pxldqpoc;pxldqpoc;c:\users\KRISTI~1\AppData\Local\Temp\pxldqpoc.sys [x]
    R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
    S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-26 390528]
    S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-06-07 59240]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-07 166632]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-10-06 1357464]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-18 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-02 18:47]

    2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 06:08]

    2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 06:08]

    2010-10-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2068407642-2866006614-1426285444-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\users\Kristiano\AppData\Roaming\Mozilla\Firefox\Profiles\ybjau5gz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\Kristiano\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    AddRemove-Lame MP3 Codec (for the ACM) - c:\windows\IFinst26.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\windows\system32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-18 12:07:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-18 11:07

    Pre-Run: 33,524,584,448 bytes free
    Post-Run: 34,412,359,680 bytes free

    - - End Of File - - 7641E9673405EDFBF02329A3EEE41AEC


    This is the one after Combofix scan

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:17:05, on 18/10/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\Explorer.exe
    C:\Users\Kristiano\Things\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-GB;_rv:1.9.2.3)_Gecko/20100401_Firefox/3.6.3_(.NET_CLR_3.5.30729)" -"http://www.bbc.co.uk/gardening/htbg2/virtual_garden/shockwave/garden3.shtml"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-gb/wlscctrl2.cab
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9139 bytes
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi sirk,

    Both of your HJT Logs are clean and I find nothing in the Combo Log to suggest what you are experiencing, no rootkits, etc.

    Let’s give this a whirl:

    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    • If an update is found, it will download and install the latest version.

    • Once the program has loaded, select Perform full scan, then click Scan.

    • When the scan is complete, click OK, then Show Results to view the results.

    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.

    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt


    • Please post the MBAM Log and a fresh HJT log in your next reply.


    2oG
     
  5. sirk

    sirk Member

    Joined:
    Oct 18, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    Hi 2oG,

    Thanks for your reply

    I have run scan with mbam and didnt find anything,
    my pc seems to be working ok at moment and not getting redirected to other sites,
    had a bit of problem uninstalling Combo,later found out that the command is Combofix /uninstall,however, I use to have ad-aware which stopped working so had to uninstall it but now cannot re-install it anymore (it installs fine but gets stuck when applying updated)was wondering if it might clash with Superantispyware(free)as is the only new software I have downloaded lately or if Combofix has deleted some file that was needed for that(not a clue) .
    Would you have any idea on regard of that?
    Apart form that,maybe I was a bit overzealous and your instructions on the thread were spot on thanks for posting.
    I will let you know if problem comes back.
    In the mean time cheers and thanks for you time.
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Avira AntiVir is the Best Free AV available.. Stay with it.
    Ad-aware is Old technology that has not kept up with the times.. Let it go.
    Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using SpywareBlaster can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

    Use CCleaner to clean up Temp and old files, use Malwarebytes’ Anti-malware and SUPERAntispyware to scan your computer and then Defrag on a regular basis….

    Other than that; Keep your nose clean and Happy Surfing :)

    2oG
     
  7. Jack87

    Jack87 Member

    Joined:
    Nov 17, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    Hello,
    I am having the same issue as slub77 and funkk. I keep getting redirected to various pages when ever i click links, checking what it normally redirects to me to: 66.230.188.67 : and then to a diffrent site. I ran a full Avast! scan, full MalwareBytes scan.But links still keeps getting redirected to various pages.

    Then I followed what you suggested to funkk and I ran Combofix as you specified.
    Here is the log file combofix.txt found in the computer. Please let me know if I still need to do anything else or combofix has rectified the problem. Thanks

    ----------------------------------------------------------------------------------------
    ComboFix 10-11-16.05 - owner 17/11/2010 22:42:55.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.502.238 [GMT 11:00]
    Running from: c:\documents and settings\owner\desktop\combofix.exe
    Command switches used :: /killall
    AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\system volume information\Microsoft . . . . Failed to delete
    c:\system volume information\Microsoft\services.exe . . . . Failed to delete
    c:\system volume information\Microsoft\smss.exe . . . . Failed to delete

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive2 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive3 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive4 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive2 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive3 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive4 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
    .

    2010-11-16 20:21 . 2010-11-16 20:21 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
    2010-11-16 20:21 . 2010-04-29 04:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-16 20:20 . 2010-11-16 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-16 20:20 . 2010-11-16 20:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-16 20:20 . 2010-04-29 04:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-15 21:50 . 2010-04-14 15:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-11-15 21:50 . 2010-04-14 15:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-11-15 21:50 . 2010-04-14 15:37 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2010-11-15 21:50 . 2010-04-14 15:37 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
    2010-11-15 21:50 . 2010-04-14 15:36 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
    2010-11-15 21:50 . 2010-04-14 15:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-11-15 21:50 . 2010-04-14 15:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-11-15 21:50 . 2010-04-14 15:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-11-15 21:50 . 2010-04-14 15:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-11-15 21:50 . 2010-04-14 15:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-11-15 21:49 . 2010-03-19 20:10 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
    2010-11-15 21:49 . 2010-04-14 15:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-11-15 21:49 . 2010-04-14 15:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-11-15 21:49 . 2010-11-15 21:49 -------- d-----w- c:\program files\Alwil Software
    2010-11-15 21:49 . 2010-11-15 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-11-15 19:07 . 2010-11-15 19:07 -------- d-----w- c:\program files\Safari
    2010-11-15 19:07 . 2010-11-15 19:07 -------- d-----w- c:\program files\Bonjour
    2010-11-09 14:07 . 2010-11-15 01:23 -------- d-----w- c:\windows\system32\Dexter Screen Saver dir
    2010-10-29 14:54 . 2010-10-29 14:54 657179 ----a-w- c:\windows\Condition Zero Uninstaller.exe
    2010-10-29 14:49 . 2010-10-29 14:49 -------- d-----w- C:\Valve

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-05 02:59 . 2010-06-27 10:56 16184 ----a-w- c:\windows\system32\ROBoot.exe
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe
    [7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\spoolsv.exe
    [7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
    @="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
    [HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
    2010-04-14 15:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-04 149280]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 06:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 01:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    2006-12-05 11:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 04:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2005-04-05 10:23 114688 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2006-11-23 04:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtector]
    2010-10-05 02:59 10000184 ----a-w- c:\program files\Advanced System Optimizer 3\systemprotector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Q3Ademo\\quake3.exe"=
    "c:\\Valve\\Condition Zero\\hl.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [16/11/2010 8:49 AM 12112]
    R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [16/11/2010 8:50 AM 196048]
    R0 hotcore;hotcore;c:\windows\system32\drivers\hotcore.sys [4/12/2009 12:06 PM 30820]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/06/2010 7:03 PM 691696]
    R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [16/11/2010 8:50 AM 102736]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [16/11/2010 8:50 AM 297552]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [16/11/2010 8:50 AM 162768]
    R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [8/03/2005 7:46 PM 61440]
    R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [27/06/2010 9:40 PM 239928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [16/11/2010 8:50 AM 19024]
    R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [16/11/2010 8:49 AM 119200]
    S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [27/06/2010 9:40 PM 6656]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-17 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]

    2010-11-17 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-05-25 12:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = hxxp://g.live.com/9uxp9en-us/hpg_lnk2
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\Start Menu\Programs\IMVU\Run IMVU.lnk
    TCP: {A75224EB-83FC-4A72-B393-E03B017EF1FE} = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\oidocpx1.default\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2010\bdagent.exe
    MSConfigStartUp-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2010\IEShow.exe
    MSConfigStartUp-Google Update - c:\documents and settings\owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
    MSConfigStartUp-{835FBE3E-57D2-BDB6-FE6A-58FBB8030F06} - c:\documents and settings\owner\Application Data\Qivuid\caawh.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-17 23:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600

    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D44446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82d4a504]; MOV EAX, [0x82d4a580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x82D35908]
    3 CLASSPNP[0xF857605B] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> [0x82C718D0]
    \Driver\atapi[0x82D285A0] -> IRP_MJ_CREATE -> 0x82D44446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; PUSH EAX; MOV EAX, 0x337; POP EAX; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x628; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x82D44292
    \Driver\atapi -> 0x82d861f8
    user != kernel MBR !!!
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3464)
    c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\system volume information\Microsoft\services.exe
    c:\system volume information\Microsoft\smss.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-17 23:08:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-17 12:08
    ComboFix2.txt 2010-07-04 06:40

    Pre-Run: 33,667,829,760 bytes free
    Post-Run: 33,662,070,784 bytes free

    Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - F766F5762499471F2B805E3DC5185E5E
     

Share This Page