Search Results Redirect Virus

[kobdog]

We have a virus that redirects you to a random website when you click one of the results returned from a Google search. It started with pop-ups stating that you have a virus, click here. Since we have AVG and Spybot S&D installed and running I was skeptical, didn’t click on them and immediately disconnected the machine from the Internet and began running scans with AVG, Malwarebytes and Spybot. After updating each with the latest updates and running them a couple of times they found and cleaned the viruses, or so I thought, only to find out that Google search results get redirected about every second or third time you click on a result. I have kept the machine off of the Internet except to update the scanning software and to test. I ran another scan today and Malwarebytes found and cleaned the TrojanDownloader virus, but Google results are still randomly redirected. Based on the information in “Before you Post” I have downloaded HJT and the log is included below.

Thanks in advance for your help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:07 AM, on 11/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {497B6553-405A-47A7-9E64-2695AFBF5A48} - C:\WINDOWS\system32\byXpmlki.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - C:\WINDOWS\system32\rqRJAqoN.dll (file missing)
O2 - BHO: (no name) - {95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E5D5BE53-CA78-4CEE-A405-456AE551483F} - C:\WINDOWS\system32\pmnkIYQJ.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [X10MediaRemote] C:\PROGRA~1\X10MUL~1mediaremote.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [] (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [X10MediaRemote] C:\PROGRA~1\X10MUL~1mediaremote.exe (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/...iaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-ca...erSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 8546 bytes

[ken545]

Hello kobdog

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Your Operating System and your IE browser are outdated , we can fix that when we're done. Having them updated adds another layer of security.



Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this Link for programs that need to be disabled and instruction on how to disable them.
• Remember to re-enable them when we're done.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

[kobdog]

ken545, thanks in advance for you help!! I followed your instructions below and the Combofix.txt and new hijackthis.log are below. I also did a quick test and I was able to go to 10 sites each from two seperate searches without being redirected.

Thanks again!!

Combofix.txt:

ComboFix 09-11-04.02 - pmaslos 11/04/2009 19:02.1.1 - NTFSx86
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\pmaslos\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\run.log
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\iklmpXyb.ini
c:\windows\wiaserviv.log

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-03 17:09 . 2009-11-03 17:09 -------- d-----w- c:\program files\Trend Micro
2009-11-03 17:06 . 2009-11-03 17:07 -------- d-----w- c:\program files\ERUNT
2009-10-28 01:48 . 2009-10-28 01:50 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-27 18:15 . 2009-11-04 06:35 -------- d-----w- C:\$AVG8.VAULT$
2009-10-27 15:06 . 2009-10-27 16:16 -------- d-----w- c:\program files\timuei
2009-10-25 23:26 . 2009-10-25 23:26 -------- d-----w- c:\documents and settings\dmasloski\Local Settings\Application Data\WinZip
2009-10-25 23:18 . 2009-10-25 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-21 13:13 . 2009-10-05 20:56 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-20 15:31 . 2009-10-20 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-20 15:31 . 2008-10-10 21:01 147456 ----a-r- c:\windows\system32\LgExport.dll
2009-10-20 15:31 . 2008-10-10 21:01 26624 ----a-r- c:\windows\system32\LGDispDrv.dll
2009-10-20 15:30 . 2009-10-20 15:30 -------- d-----w- c:\program files\LG Soft India
2009-10-17 14:37 . 2009-10-05 20:56 2023704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-07 14:28 . 2009-10-05 20:54 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 01:51 . 2005-01-21 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 01:50 . 2008-12-04 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 14:56 . 2004-04-01 02:07 33632 ----a-w- c:\documents and settings\pmaslos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 15:30 . 2004-03-25 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-20 14:20 . 2004-03-25 17:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 16:00 . 2009-09-25 16:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 15:59 . 2004-03-25 17:24 -------- d-----w- c:\program files\Java
2009-09-25 15:59 . 2009-09-25 15:59 152576 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:56 . 2004-02-06 23:05 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2005-04-02 22:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-04 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-04 12:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 20:50 . 2008-12-04 02:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 20:50 . 2008-12-04 02:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-02 20:50 . 2008-12-04 02:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\DLLCACHE\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2002-08-29 . BF3C8CF53C77B48206B39910B6D6CBCC . 49152 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 20:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 8:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 8:04 PM 297752]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 2:14 PM 7040]
S2 33385E2D40287F7D;33385E2D40287F7D;\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D --> c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D [?]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 9:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 9:30 AM 18432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 10:16 PM 27904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = localhost
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
BHO-{497B6553-405A-47A7-9E64-2695AFBF5A48} - c:\windows\system32\byXpmlki.dll
BHO-{95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - c:\windows\system32\rqRJAqoN.dll
BHO-{95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
BHO-{E5D5BE53-CA78-4CEE-A405-456AE551483F} - c:\windows\system32\pmnkIYQJ.dll
HKCU-Run-X10MediaRemote - c:\progra~1\X10MUL~1mediaremote.exe
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\33385E2D40287F7D]
"ImagePath"="\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-11-05 19:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 01:24

Pre-Run: 16,091,254,784 bytes free
Post-Run: 19,680,342,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:48 PM, on 11/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3273964339-1161688303-4009266488-1007\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/...iaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-ca...erSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7662 bytes

[ken545]

Hi,

Not out of the woods completely yet

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Rootkit::

Code:

Fcopy::
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




You have Malwarebytes installed, open it, check for updates and run the quick scan removing all it finds. Post the log please.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :file
  c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


I need to see the following please

1. New Combofix log
2. Malwarebytes log
3. SystemLook log
4. New HJT log

[kobdog]

Ran everything as requested. Just a couple of notes:

- When ComboFix ran after dragging the CFScript.txt file onto it, an error box popped up on the screen during Stage 1 or 2 with the following message, "PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience." It then went on to ask if I wanted to tell Microsoft about this problem. Not sure if this is related, but I notice your message referenced Rootkit:: and the code had Fcopy::??

- Not sure if it makes a difference, but I ran the Malwarebytes scan before running HijackThis. Missed it, so I doubled back and ran it before running SystemLook.

Thanks again!!!

Here is the info from the logs:

ComboFix.txt:

ComboFix 09-11-04.02 - pmaslos 11/04/2009 21:42.2.1 - NTFSx86
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pmaslos\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 03:42 . 2004-08-04 06:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-11-05 03:42 . 2004-08-04 06:56 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-03 17:09 . 2009-11-03 17:09 -------- d-----w- c:\program files\Trend Micro
2009-11-03 17:06 . 2009-11-03 17:07 -------- d-----w- c:\program files\ERUNT
2009-10-28 01:48 . 2009-10-28 01:50 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-27 18:15 . 2009-11-04 06:35 -------- d-----w- C:\$AVG8.VAULT$
2009-10-27 15:06 . 2009-10-27 16:16 -------- d-----w- c:\program files\timuei
2009-10-25 23:26 . 2009-10-25 23:26 -------- d-----w- c:\documents and settings\dmasloski\Local Settings\Application Data\WinZip
2009-10-25 23:18 . 2009-10-25 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-21 13:13 . 2009-10-05 20:56 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-20 15:31 . 2009-10-20 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-20 15:31 . 2008-10-10 21:01 147456 ----a-r- c:\windows\system32\LgExport.dll
2009-10-20 15:31 . 2008-10-10 21:01 26624 ----a-r- c:\windows\system32\LGDispDrv.dll
2009-10-20 15:30 . 2009-10-20 15:30 -------- d-----w- c:\program files\LG Soft India
2009-10-17 14:37 . 2009-10-05 20:56 2023704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-07 14:28 . 2009-10-05 20:54 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 01:51 . 2005-01-21 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 01:50 . 2008-12-04 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 14:56 . 2004-04-01 02:07 33632 ----a-w- c:\documents and settings\pmaslos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 15:30 . 2004-03-25 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-20 14:20 . 2004-03-25 17:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 16:00 . 2009-09-25 16:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 15:59 . 2004-03-25 17:24 -------- d-----w- c:\program files\Java
2009-09-25 15:59 . 2009-09-25 15:59 152576 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:56 . 2004-02-06 23:05 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2005-04-02 22:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2002-08-29 11:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-04 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-04 12:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2003-09-19 17:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 20:50 . 2008-12-04 02:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 20:50 . 2008-12-04 02:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-02 20:50 . 2008-12-04 02:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:16 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\SYSTEM32\DLLCACHE\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-05_01.16.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 03:51 . 2009-11-05 03:51 16384 c:\windows\temp\Perflib_Perfdata_698.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 20:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 8:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 8:04 PM 297752]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 2:14 PM 7040]
S2 33385E2D40287F7D;33385E2D40287F7D;\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D --> c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D [?]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 9:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 9:30 AM 18432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 10:16 PM 27904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = localhost
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 21:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\33385E2D40287F7D]
"ImagePath"="\??\c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-05 22:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 04:00
ComboFix2.txt 2009-11-05 01:26

Pre-Run: 19,690,999,808 bytes free
Post-Run: 19,658,665,984 bytes free

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

mbam-log-2009-11-04.txt

Malwarebytes' Anti-Malware 1.41
Database version: 3103
Windows 5.1.2600 Service Pack 2

11/4/2009 10:15:04 PM
mbam-log-2009-11-04 (22-15-04).txt

Scan type: Quick Scan
Objects scanned: 113734
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

SystemLook.txt

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:19 on 04/11/2009 by pmaslos (Administrator - Elevation successful)

========== file ==========

c:\documents and settings\pmaslos\33385E2D40287F7D\33385E2D40287F7D - Unable to find/read file.

-=End Of File=-

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:32 PM, on 11/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/...iaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-ca...erSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 7324 bytes

[ken545]

Good Morning,

Combofix removed all or part of a Rootkit, lets check to see if more of it is present.



Download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in your next reply.

[kobdog]

The results from runner gmer.exe are below.

Thanks again!

gmer.txt:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 10:08:02
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\pmaslos\LOCALS~1\Temp\pxtdypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom@ get_atlcom Class
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CLSID
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CLSID@ {E2883E8F-472F-4fb0-9522-AC9BF37916A7}
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CurVer
Reg HKLM\SOFTWARE\Classes\Atlcom.get_atlcom\CurVer@ Atlcom.get_atlcom

---- EOF - GMER 1.0.15 ----

[ken545]

Run SystemLook again with this command

:dir
c:\documents and settings\pmaslos\33385E2D40287F7D

[kobdog]

The results from SystemLook are below.

Thanks once again!!

SystemLook.txt:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:28 on 05/11/2009 by pmaslos (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\pmaslos\33385E2D40287F7D - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

-=End Of File=-

[ken545]

Sorry, I missed your email notice that you replied.

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Folder::

Code:

Folder::
c:\documents and settings\pmaslos\33385E2D40287F7D

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\33385E2D40287F7D]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.