PDA

View Full Version : Been overcome by malware. Help remove Win32.TDSS.rtk and more



Msuiter01
2009-05-05, 02:32
Well the other day i must have clicked a link by accident that gave me this lovely set of trojans and malware. a quick run of spybot returned this nice list. Win32.TDSS.rtk, FirewallBypass, Virtumonde, PWS.LDPinchIE, Smitfraud-C and Win32.Agent.

It also is making Firefox start in safe mode and made IE my default browser.

After some searching around i ran across some old posts with the same problems and i tried to follow in their footsteps but im still having problems and now Spybot S&D is still showing something bypassing microsofts security and the Win32.TDSS.rtk.

I did run malwarebytes and combofix which got rid of most. but now im stuck. please help


Logfile of HijackThis v1.99.1
Scan saved at 7:11:30 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Installation Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA7006] command /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC117] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5811] command /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5493] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2921] command /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4884] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3993] command /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5718] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Installation Files\aim\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

well aparently i have an old HJT program so here is the new HJT log from the newest HJT Sorry for the confusion

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:29 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Anti virus programs\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA7006] command /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC117] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5811] command /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5493] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2921] command /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4884] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3993] command /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5718] cmd /c del "C:\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll_old"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Installation Files\aim\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html

--
End of file - 6865 bytes

Shaba
2009-05-05, 16:49
Hi Msuiter01

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Msuiter01
2009-05-06, 06:10
thanks for the reply

here is the combofix log

ComboFix 09-05-05.03 - Mustang 05/05/2009 22:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.652 [GMT -4:00]
Running from: c:\documents and settings\Mustang\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthlyputmppfwlohhxgottetjydsmlkitda.sys
c:\windows\system32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll
c:\windows\system32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll
c:\windows\system32\ovfsthqilybpliuvqfrmfhsoqkrvnieblbekpv.dll
c:\windows\system32\ovfsthqnfeurvbtwficmdmxvsitarllmepbhhl.dat
c:\windows\system32\ovfsthwrdymoqqmletxaopxedqvxodavwrrtrv.dat
c:\windows\system32\zinakumu.exe
.
---- Previous Run -------
.
c:\documents and settings\Mustang\Application Data\Sskdmns.dll
c:\documents and settings\Mustang\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\download
c:\program files\Common Files\windows
c:\program files\outlook
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\wintit.exe
c:\windows\wnsxs~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-04 03:19 . 2009-05-04 03:12 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-04 03:12 . 2009-05-04 03:12 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-04 03:11 . 2009-05-04 03:11 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-04 03:11 . 2009-05-04 03:11 -------- d-----w c:\program files\Lavasoft
2009-05-04 03:11 . 2009-05-04 03:12 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-02 14:36 . 2009-05-02 14:36 -------- d-----w c:\documents and settings\Mustang\Application Data\Malwarebytes
2009-05-02 14:36 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 14:36 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 14:36 . 2009-05-02 14:36 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 14:36 . 2009-05-02 14:36 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 19:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 19:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 19:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:38 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 19:38 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:38 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:38 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:38 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:38 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:38 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 01:56 . 2004-02-22 02:31 -------- d-----w c:\program files\Java
2009-03-28 21:20 . 2006-02-23 17:10 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-11 01:17 . 2009-03-11 01:17 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-03-11 01:17 . 2009-03-11 01:17 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-03-11 01:17 . 2009-03-11 01:17 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-03-09 09:19 . 2009-03-22 21:15 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-07-16 20:41 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-24 00:32 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-15 04:59 . 2008-09-24 23:47 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-09 12:10 . 2003-07-16 20:32 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-12-18 06:54 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-07-16 20:39 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-07-16 20:23 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-07-16 20:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2003-07-16 20:44 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2003-07-16 20:39 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-07-16 20:43 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 01:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-11-03 20:06 . 2007-11-02 04:16 24 --sh--w c:\windows\S4AB064BB.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-07-21 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-2-25 113664]
HP Digital Imaging Monitor.lnk.disabled [2007-12-7 1814]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe"
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe"
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"DwlClient"=c:\program files\Common Files\Dell\EUSW\Support.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Infogrames\\Test Drive 6\\TD6.exe"=
"c:\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Codemasters\\1NSANE\\Game.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [5/3/2009 11:12 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\SYSTEM32\DRIVERS\SCFBPNT.SYS [3/11/2004 11:33 AM 16288]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [10/3/2008 7:46 AM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [10/3/2008 7:46 AM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [10/3/2008 7:46 AM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\SYSTEM32\DRIVERS\motport.sys [10/3/2008 7:46 AM 23680]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\SYSTEM32\DRIVERS\rt2500usb.sys [3/20/2005 1:16 AM 79616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{334962ef-b0a1-11dc-a49d-000cf1a594c3}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:12]

2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
FF - ProfilePath - c:\documents and settings\Mustang\Application Data\Mozilla\Firefox\Profiles\e1erws6b.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 22:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1829414210-54272180-3068420033-1007\Software\Zepter Software\RegLib*e8563ce5\AnyDVD/1]
"1"=dword:447bac21
"2"=dword:4498899f
.
Completion time: 2009-05-06 22:58
ComboFix-quarantined-files.txt 2009-05-06 02:57

Pre-Run: 54,321,471,488 bytes free
Post-Run: 54,312,083,456 bytes free

210 --- E O F --- 2009-04-19 15:45

Shaba
2009-05-06, 07:09
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Msuiter01
2009-05-07, 05:03
wow that scan took forever. sorry for the delay. here are the logs

KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 06, 2009 20:06:02
Records in database: 2138404
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 157056
Threat name: 4
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:27:40


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\drivers\ovfsthlyputmppfwlohhxgottetjydsmlkitda.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ovfsthdylhqjroexvjklrwsykvdpwqxxnoitfw.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ovfsthojkisjxbrpuoegmisnssioiwqhjknmjj.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ovfsthqilybpliuvqfrmfhsoqkrvnieblbekpv.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1064\A0127031.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1064\A0127032.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1064\A0127033.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1064\A0127034.dll Infected: Trojan.Win32.Tdss.aald 1

The selected area was scanned.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:56 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Mustang\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Installation Files\aim\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html

--
End of file - 6041 bytes

Shaba
2009-05-07, 07:17
Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

Close all windows including browser and press fix checked.

Reboot.

Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Post back a fresh HijackThis log and tell me if you have any issues left?

Msuiter01
2009-05-07, 13:33
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:00 AM, on 5/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mustang\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Installation Files\aim\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html

--
End of file - 6348 bytes

Shaba
2009-05-07, 17:22
That looks good :)

Still problems?

Msuiter01
2009-05-08, 00:25
none so far. i was getting a redirect when searching google but it seems to have stopped as far as i have seen so far. ill get back asap if anything comes up. thanks so much for your time.

Msuiter01
2009-05-08, 00:55
guess i spoke too soon. i searched for a few things from my google bar on my firefox browser and it was all fine and good for a couple searches then it started redirecting me when i clicked on the links. if i clicked the same link multiple times it would send me to a few different places before it went to the correct site. this is intermittant. I downloaded prevx 3.0 little while ago and it ran a scan and found Vfind.exe as malware. would this cause such issues? thanks

Shaba
2009-05-08, 07:00
Vfind is no malware, it is part of combofix.

Let's check then this:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Double-click GooredFix.exe to run it.
Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

Msuiter01
2009-05-08, 13:23
GooredFix v1.92 by jpshortstuff
Log created at 06:23 on 08/05/2009 running Option #1 (Mustang)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{58073317-F7F4-4F93-9286-C19235D08AFA}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

Shaba
2009-05-08, 14:35
Please double-click GooredFix.exe on your Desktop to run it.
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Msuiter01
2009-05-08, 15:04
GooredFix v1.92 by jpshortstuff
Log created at 08:03 on 08/05/2009 running Option #2 (Mustang)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{58073317-F7F4-4F93-9286-C19235D08AFA}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

Shaba
2009-05-08, 16:53
OK, goored is deleted.

Did help any?

Msuiter01
2009-05-08, 17:54
seems to be ok now. we'll see. thanks so much for your time and help!!:bigthumb:

Shaba
2009-05-08, 17:55
OK, test a bit and let me know :)

Shaba
2009-05-10, 11:54
Msuiter01?

Shaba
2009-05-12, 07:13
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.