View Full Version : All browsers hijacked - redirecting search links
j_global
2009-11-26, 05:41
Hi,
I have gone nearly 2 years without any significant infection because I am usually pretty careful. I know the exact moment when my PC became infected and admittedly it is because I was stupid.
I have a fair amount of up front info that may help narrow down the issue. I was opening a downloaded movie (yes, file sharing) and was prompted for a codec. I have had to get codecs before so I thought no big deal, it changed from 'codec needed' to 'licensing service' in the Windows Media status as the download/install started. I went to my task bar and tried to close the setup window but it wouldn't close until after several tries of stopping the setup.exe service.
I can usually sort out bad things in the HJT log, but I am not seeing anything. Malwarebytes and Spybot each found a couple trackers and something they thought were trojans but fixing them did nothing for the problem. I also did a system restore, which is usually the failsafe but it didn't help.
It appears to affect the 3 browsers I commonly use - IE8, Firefox, and Chrome. It mainly affects search engine result links. Even links to very well known sites like my personal home page get redirected to ad lists and other oddball searches. If I do a search and right click on the link and use open in new tab, I don't appear to get redirected in IE. It also doesn't do anything if the address is typed or pasted into the address bar.
Here are a couple of the sites it redirects to:
alibaba.com
reliableheat.com
I have read the "read this first" thread. I am running XP SP3. I use BitDefender 9 for Antivirus/Firewall (paid version). I have Spybot SD w/ TeaTimer but admittedly only picked it up after this problem occurred. I also have Kaspersky but only picked up the free virus scan to see if it would find something that bitdefender missed. I don't run them together.
Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:29:37 PM, on 11/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Software_Downloads\Antivirus\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: is-KKU82.lnk = Desktop\Virus Removal Tool\is-KKU82\startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147699052265
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe" /service (file missing)
Any help is greatly appreciated. I thought I was pretty good at this stuff until now.
Sorry, I just realized my HJT was out of date:
Here's a scan with the new version ...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:28 PM, on 11/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis2\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{442E26B2-0AE9-1033-0203-060506210001}] "C:\Program Files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe" te-110-12-0000213
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: is-KKU82.lnk = Desktop\Virus Removal Tool\is-KKU82\startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147699052265
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 10594 bytes
IndiGenus
2009-11-28, 02:15
Hi j_global and welcome to the forums here at Spybot S&D.
Based on what I see (or don't see) it's most likely a rootkit. Let's get a couple more scans.
Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
~~~~~~~~~~~~~~~~~~~~~~
Download This file (http://www.gmer.net/download.php). Note its name and save it to your root folder, such as C:\.
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "Yes" to begin the scan.
If not prompted, click the "Rootkit/Malware" tab.
On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
Select all drives that are connected to your system to be scanned.
Click the Scan button to begin. (Please be patient as it can take some time to complete)
When the scan is finished, click Save to save the scan results to your Desktop.
Save the file as Results.log and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.
j_global
2009-11-28, 16:08
Here's the DDS:
DDS (Ver_09-11-24.02) - NTFSx86
Run by Global at 9:02:03.13 on Sat 11/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.298 [GMT -5:00]
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Global\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.bing.com/
uSearch Bar =
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\global\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [CAMMON_JL2005A] c:\program files\jl2005a\cam_mon
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uExplorerRun: [{442E26B2-0AE9-1033-0203-060506210001}] "c:\program files\common files\{442e26b2-0ae9-1033-0203-060506210001}\Update.exe" te-110-12-0000213
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coolsavings.coupons.smartsource.com/download/cscmv5X.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147699052265
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\global\applic~1\mozilla\firefox\profiles\kdpyzawl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\global\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [2009-11-22 148496]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104456]
S2 Audiowerk;Emagic Audiowerk Kernel Mode Driver;c:\windows\system32\drivers\emagicaw.sys [2006-4-13 19816]
S2 FILESpy;FILESpy;\??\c:\program files\softwin\bitdefender9\filespy.sys --> c:\program files\softwin\bitdefender9\filespy.sys [?]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
============== File Associations ===============
regfile="regedit.exe" "%1"
=============== Created Last 30 ================
2009-11-26 03:50:50 0 d-----w- c:\program files\HijackThis2
2009-11-26 01:11:43 0 d-----w- c:\docume~1\global\applic~1\Malwarebytes
2009-11-26 01:11:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 01:11:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 01:11:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-26 01:11:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 18:45:07 0 dc-h--w- c:\windows\ie8
2009-11-22 16:03:47 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-22 16:03:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-22 14:48:26 44435488 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-22 14:48:26 397976 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-22 14:48:01 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
2009-11-18 04:49:01 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-09 13:05:39 15204352 ----a-w- c:\documents and settings\global\ntuser.bak
2009-11-06 05:50:30 0 d-----w- C:\avd
2009-11-06 05:04:13 38 ----a-w- c:\windows\AviSplitter.INI
==================== Find3M ====================
2009-11-25 08:22:58 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 04:44:07 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2008-09-05 04:25:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat
============= FINISH: 9:05:11.70 ===============
[B]Here's the attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-11-24.02)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/12/2006 9:46:04 PM
System Uptime: 11/25/2009 8:57:01 PM (61 hours ago)
Motherboard: Dell Inc. | | 0HJ054
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 70 GiB total, 1.633 GiB free.
D: is CDROM ()
F: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1221: 10/30/2009 10:05:54 AM - System Checkpoint
RP1222: 11/2/2009 1:07:15 AM - System Checkpoint
RP1223: 11/3/2009 1:55:34 AM - System Checkpoint
RP1224: 11/4/2009 2:10:17 AM - System Checkpoint
RP1225: 11/5/2009 12:44:31 AM - Software Distribution Service 3.0
RP1226: 11/6/2009 5:28:57 AM - System Checkpoint
RP1227: 11/7/2009 5:41:27 AM - System Checkpoint
RP1228: 11/8/2009 4:53:12 AM - System Checkpoint
RP1229: 11/8/2009 8:49:07 PM - Removed Sony Sound Forge 8.0b
RP1230: 11/8/2009 8:55:30 PM - Installed Sound Forge Pro 10.0
RP1231: 11/9/2009 8:05:52 AM - Software Distribution Service 3.0
RP1232: 11/10/2009 10:11:27 AM - System Checkpoint
RP1233: 11/11/2009 3:01:09 AM - Software Distribution Service 3.0
RP1234: 11/12/2009 4:52:43 AM - System Checkpoint
RP1235: 11/13/2009 6:11:33 AM - System Checkpoint
RP1236: 11/14/2009 7:23:32 AM - System Checkpoint
RP1237: 11/15/2009 7:47:35 AM - System Checkpoint
RP1238: 11/16/2009 8:17:14 AM - System Checkpoint
RP1239: 11/17/2009 8:52:51 AM - System Checkpoint
RP1240: 11/17/2009 11:45:09 PM - Restore Operation
RP1241: 11/18/2009 12:58:05 AM - Software Distribution Service 3.0
RP1242: 11/19/2009 1:35:18 AM - System Checkpoint
RP1243: 11/20/2009 4:35:26 AM - System Checkpoint
RP1244: 11/21/2009 4:47:51 AM - System Checkpoint
RP1245: 11/22/2009 6:59:04 AM - System Checkpoint
RP1246: 11/22/2009 12:59:31 PM - Installed Java(TM) 6 Update 17
RP1247: 11/22/2009 1:46:29 PM - Installed Windows Internet Explorer 8.
RP1248: 11/22/2009 1:48:29 PM - Software Distribution Service 3.0
RP1249: 11/22/2009 7:15:54 PM - Software Distribution Service 3.0
RP1250: 11/22/2009 8:40:36 PM - Software Distribution Service 3.0
RP1251: 11/23/2009 9:25:58 PM - System Checkpoint
RP1252: 11/24/2009 9:46:47 PM - System Checkpoint
RP1253: 11/25/2009 3:01:41 AM - Software Distribution Service 3.0
RP1254: 11/26/2009 4:40:53 AM - System Checkpoint
RP1255: 11/27/2009 5:20:46 AM - System Checkpoint
RP1256: 11/28/2009 5:55:54 AM - System Checkpoint
==== Installed Programs ======================
µTorrent
AAC Decoder
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.7 - CPSID_50029
Adobe Acrobat 8.1.7 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 3.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 7.0
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AiO_Scan_CDA
AiOSoftwareNPI
Amazon MP3 Downloader 1.0.3
Antares Auto-Tune v1.3 DX
Antares Autotune VST RTAS TDM v5.08
AOLIcon
Arturia Arp2600 V VSTi RTAS v1.6
Arturia CS-80V v1.5
Arturia Moog Modular V2 v1.0
ATI Control Panel
ATI Display Driver
AutoUpdate
BitDefender Internet Security 2009
Boardmaker version 5
BufferChm
C3100
c3100_Help
Camel Audio Cameleon 5000 v1.7 VSTi
CD - DVD Publishing Service
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
CrunchDude 0.1
db audioware mastering plugins 1.05c
Dell CinePlayer
Dell Driver Reset Tool
Dell System Restore
Destinations
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DocProc
DocProcQFolder
DSP/FX v6.2a
Edirol HQ Orchestral v1.01
ELIcon
ERUNT 1.1j
eSupportQFolder
Fax_CDA
FL Studio 6
GDR 1406 for SQL Server Analysis Services 2005 ENU (KB932557)
GDR 1406 for SQL Server Database Services 2005 ENU (KB932557)
GDR 1406 for SQL Server Integration Services 2005 ENU (KB932557)
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
Google Chrome
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0.A
HP Photosmart Essential
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
HPSSupply
InstantShareDevicesMFC
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Ipswitch WS_FTP Professional 2006
IsoBuster 1.8
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 17
LiquidInstrumentVst 1.1
Lounge Lizard 1.0
Mastering Edition 1.5
MCU
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ASP.NET 2.0 AJAX Extensions 1.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Analysis Services
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Integration Services
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Midisport 1x1 1.0.1.0
MKV Splitter
Mozilla Firefox (3.0.15)
MSDN Library for Visual Studio 2005
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MySQL Server 5.0
Native Instruments Absynth 3
Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS
Native Instruments Guitar Rig 3
Native Instruments Reaktor 5
Nero 6 Ultra Edition
Nero Digital
NewCopy_CDA
Novation V-Station for Cubase SX3 VSTi v1.41
OCR Software by I.R.I.S 7.0
PanoStandAlone
PDF Settings
PicoZip Recovery Tool 1.02
PowerISO
ProductContextNPI
Quicken 2007
QuickTime
Readme
ReFX Beast VSTi v1.0
Rob Papen Albino 3
Rob Papen BLUE Version 1.7.0
Rob Papen Predator V1.1.0
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shop for HP Supplies
SolutionCenter
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Sony ACID Pro 6.0
Sony Media Manager 2.1
Sony Media Manager 2.2
Sound Forge Pro 10.0
Space Synthesizer 1.2
Spybot - Search & Destroy
Status
T-RackS 3 Deluxe
Toolbox
TrayApp
Uninstall JL2005A Toy Camera
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
VC80CRTRedist - 8.0.50727.762
Vokko 1.67
Waldorf.PPG.Wave2.V-OxYGeN
Waves Diamond Bundle v5.2
Waves L3 Multimaximizer v1.0
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WinZip
XML Paper Specification Shared Components Pack 1.0
XP Codec Pack
Xvid 1.1.2 final uninstall
==== Event Viewer Messages From Past Week ========
11/25/2009 5:35:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the FLEXnet Licensing Service service to connect.
11/25/2009 5:35:47 PM, error: Service Control Manager [7000] - The FLEXnet Licensing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/25/2009 5:18:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
11/25/2009 5:18:31 PM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/25/2009 5:18:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
11/25/2009 5:17:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server Integration Services service to connect.
11/25/2009 5:17:16 PM, error: Service Control Manager [7000] - The SQL Server Integration Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/25/2009 3:03:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
11/25/2009 3:03:54 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/22/2009 9:37:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdpredir
11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The REGSpy service failed to start due to the following error: The system cannot find the path specified.
11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The FILESpy service failed to start due to the following error: The system cannot find the path specified.
11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The Emagic Audiowerk Kernel Mode Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/22/2009 9:37:30 AM, error: Service Control Manager [7000] - The BDRSDRV service failed to start due to the following error: The system cannot find the file specified.
11/22/2009 9:36:23 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/22/2009 9:36:23 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
==== End Of File ===========================
Thanks for the help. Running the other utility now ...
IndiGenus
2009-11-28, 18:08
Hi,
Per the instructions at the following post you must uninstall any and all P2P/BitTorrent/File Sharing Software prior to getting help here.
http://forums.spybot.info/showpost.php?p=218503&postcount=4
Please do so, then run DDS again and post the log.
j_global
2009-11-28, 22:35
Hi IndieGenus,
I had uTorrent installed but as per the instructions, uninstalled it prior to starting the thread here. Are you seeing some other software? Or is there a file left over from uTorrent that is causing problems? Let me know and I'll take care of it.
I have attached the results.log from the run of the other utility. I had to zip it up to meet the zise requirements.
Regards,
Jonathan
IndiGenus
2009-11-29, 16:06
Hi IndieGenus,
I had uTorrent installed but as per the instructions, uninstalled it prior to starting the thread here. Are you seeing some other software? Or is there a file left over from uTorrent that is causing problems? Let me know and I'll take care of it.
uTorrent still was showing in the list of programs from DDS, but if you uninstalled it then we can move on.
Please read through the instructions to familiarize yourself with what to expect when the tool runs.
It is vitally important that combofix is renamed before it is even started to download
Please download ComboFix from Here (http://www.forospyware.com/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
Double click on ComboFix.exe & follow the prompts.Close all other windows/browser first.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do Not run combofix more than once. If you have problems please post back for further instructions.
3.CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with the combofix log.
j_global
2009-11-30, 15:55
Hi IndieGenus,
Here's the log from Combo Fix:
ComboFix 09-11-29.06 - Global 11/30/2009 8:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.446 [GMT -5:00]
Running from: c:\documents and settings\Global\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\sstem~1
C:\Thumbs.db
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\kb913800.exe
c:\windows\stem~1
c:\windows\system32\Cache
c:\windows\system32\msvcsv60.dll
c:\windows\system32\pppatc~1
c:\windows\system32\twain_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.
2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\documents and settings\Global\Application Data\Malwarebytes
2009-11-26 01:11 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 01:11 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 01:11 . 2009-11-26 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 00:44 . 2009-11-26 00:44 -------- d-----w- C:\ERDNT
2009-11-26 00:43 . 2009-11-26 00:43 -------- d-----w- c:\program files\ERUNT
2009-11-22 18:45 . 2009-11-22 18:48 -------- dc-h--w- c:\windows\ie8
2009-11-22 17:54 . 2009-11-22 17:54 152576 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-22 16:03 . 2009-11-22 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-22 16:03 . 2009-11-22 16:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-22 14:48 . 2009-11-30 13:41 52269088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-22 14:48 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
2009-11-22 14:09 . 2009-11-22 14:09 79488 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-18 04:49 . 2009-11-18 04:49 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-10 14:26 . 2009-11-10 14:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-10 12:50 . 2009-11-10 12:50 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2009-11-09 02:25 . 2009-11-09 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Publish Providers
2009-11-09 02:24 . 2009-11-09 02:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-11-09 02:24 . 2009-11-09 02:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-11-09 02:20 . 2009-11-09 02:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sony
2009-11-09 02:20 . 2009-11-09 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony
2009-11-09 02:16 . 2009-11-09 02:16 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-09 02:14 . 2009-11-09 02:14 37688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 02:14 . 2009-11-09 02:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\HP
2009-11-09 02:13 . 2009-11-09 02:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-09 02:11 . 2009-11-09 02:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2009-11-09 02:10 . 2009-11-09 02:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-06 05:50 . 2009-11-06 05:50 -------- d-----w- C:\avd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 20:34 . 2009-11-28 20:34 23895 ----a-w- C:\Results.zip
2009-11-28 20:14 . 2009-11-22 14:48 528872 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-28 14:11 . 2009-11-28 14:11 292352 ----a-w- C:\b5cjwng8.exe
2009-11-26 03:55 . 2009-11-26 03:50 -------- d-----w- c:\program files\HijackThis2
2009-11-25 22:10 . 2007-01-03 22:31 -------- d-----w- c:\documents and settings\Global\Application Data\uTorrent
2009-11-25 08:22 . 2006-05-13 13:56 81984 ----a-w- c:\windows\system32\bdod.bin
2009-11-22 18:36 . 2006-04-08 21:00 -------- d-----w- c:\program files\Google
2009-11-22 18:00 . 2006-04-08 20:44 -------- d-----w- c:\program files\Java
2009-11-22 16:50 . 2009-03-24 03:25 -------- d-----w- c:\program files\WinMorse
2009-11-18 04:48 . 2008-01-20 00:49 -------- d-----w- c:\program files\Bonjour
2009-11-09 03:12 . 2006-04-13 19:47 -------- d-----w- c:\documents and settings\Global\Application Data\Sony
2009-11-09 03:10 . 2009-03-28 20:55 16 ----a-w- c:\windows\msocreg32.dat
2009-11-09 03:09 . 2006-04-13 19:47 -------- d-----w- c:\program files\VSTplugins
2009-11-09 01:56 . 2006-04-13 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-11-09 01:55 . 2006-04-13 19:46 -------- d-----w- c:\program files\Sony
2009-10-20 21:10 . 2006-04-26 03:19 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-16 07:17 . 2006-04-13 20:25 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-11 09:17 . 2009-02-14 17:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 12:36 . 2009-09-07 12:36 152576 ----a-w- c:\documents and settings\Global\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-04 21:03 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-11-13 04:58 . 2008-10-30 22:34 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-10 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAMMON_JL2005A"="c:\program files\JL2005A\cam_mon" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-11-13 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{442E26B2-0AE9-1033-0203-060506210001}"="c:\program files\Common Files\{442E26B2-0AE9-1033-0203-060506210001}\Update.exe te-110-12-0000213" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll
"midi2"=usbmn1x1.dll
"midi3"=usbmn1x1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [11/22/2009 9:48 AM 148496]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 5:16 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 11:09 AM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/17/2008 2:01 PM 104456]
S2 Audiowerk;Emagic Audiowerk Kernel Mode Driver;c:\windows\system32\drivers\emagicaw.sys [4/13/2006 2:41 PM 19816]
S2 FILESpy;FILESpy;\??\c:\program files\Softwin\BitDefender9\filespy.sys --> c:\program files\Softwin\BitDefender9\filespy.sys [?]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 10:12 PM 202096]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 12:06 PM 118784]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - 9DE23BFB
*Deregistered* - 9de23bfb
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4171330342-2219528107-224207411-1005Core.job
- c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 01:06]
2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4171330342-2219528107-224207411-1005UA.job
- c:\documents and settings\Global\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 01:06]
2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{CB68F05E-22E8-4B1A-88CA-B8953A2C5289}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Global\Application Data\Mozilla\Firefox\Profiles\kdpyzawl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\Global\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-BDSwitchAgent - c:\progra~1\softwin\BITDEF~1\bdswitch.exe
AddRemove-uTorrent - c:\program files\uTorrent\uninstall.exe
AddRemove-Waldorf.PPG.Wave2.V-OxYGeN - c:\progra~1\VSTPLU~1\Audio\Waldorf\UNWISE.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 08:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D53170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7696f28
\Driver\ACPI -> ACPI.sys @ 0xf7529cb8
\Driver\atapi -> atapi.sys @ 0xf74bb852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{66D2B6B0-0AC3-1D5E-AFE4FCFC2DBC1E0D}\{D0054572-6CDD-7E67-D144F5B82EF8A509}\{800AEEDD-FDE9-D9F6-54124DEBF6D799D2}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,91,ad,bb,
d7,ad,ff,70,94,f4,b8,0c,ad,cd,f1,37,33,3c,a1,99,f3,46,77,c4,71,c9,ca,45,f6,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,91,ad,bb,
d7,ad,ff,70,94,f4,b8,0c,ad,cd,f1,37,33,3c,a1,99,f3,46,77,c4,71,c9,ca,45,f6,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B2D6F484-260A-7B5D-9DECE03114A71318}\{16279713-416B-AABF-512733F99CDDA7F7}\{FB965560-4DCA-8EF0-2DC335C1EACB0D08}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-30 08:51
ComboFix-quarantined-files.txt 2009-11-30 13:51
Pre-Run: 1,590,513,664 bytes free
Post-Run: 4,611,928,064 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - 38D1130E9399786F1D0C47488FF02C9B
IndiGenus
2009-11-30, 18:22
Please go to http://www.virustotal.com/en/indexf.html
Click on Browse, and upload the following file for analysis:
c:\windows\system32\drivers\39940974.sys
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.
j_global
2009-12-01, 03:34
Hi Indegenus ... not sure how much of this you need:
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.30 -
AhnLab-V3 5.0.0.2 2009.11.30 -
AntiVir 7.9.1.88 2009.11.30 -
Antiy-AVL 2.0.3.7 2009.11.30 -
Authentium 5.2.0.5 2009.11.30 -
Avast 4.8.1351.0 2009.11.30 -
AVG 8.5.0.426 2009.12.01 -
BitDefender 7.2 2009.12.01 -
CAT-QuickHeal 10.00 2009.11.30 -
ClamAV 0.94.1 2009.11.30 -
Comodo 3095 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.01 -
eSafe 7.0.17.0 2009.11.30 -
eTrust-Vet 35.1.7149 2009.12.01 -
F-Prot 4.5.1.85 2009.11.30 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.11.30 -
GData 19 2009.12.01 -
Ikarus T3.1.1.74.0 2009.11.30 -
Jiangmin 11.0.800 2009.11.29 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.12.01 -
McAfee 5818 2009.11.30 -
McAfee+Artemis 5818 2009.11.30 -
McAfee-GW-Edition 6.8.5 2009.11.30 -
Microsoft 1.5302 2009.12.01 -
NOD32 4650 2009.11.30 -
Norman 6.03.02 2009.11.30 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.11.30 -
PCTools 7.0.3.5 2009.12.01 -
Prevx 3.0 2009.12.01 -
Rising 22.24.00.09 2009.11.30 -
Sophos 4.48.0 2009.12.01 -
Sunbelt 3.2.1858.2 2009.12.01 -
Symantec 1.4.4.12 2009.12.01 -
TheHacker 6.5.0.2.082 2009.11.30 -
TrendMicro 9.100.0.1001 2009.11.30 -
VBA32 3.12.12.0 2009.11.30 -
ViRobot 2009.11.30.2062 2009.11.30 -
VirusBuster 5.0.21.0 2009.11.30 -
Additional information
File size: 148496 bytes
MD5...: 0aa3ad071827118fcc8f37f7a6ab7aa1
SHA1..: 59784c49ffe530931010070c8843366f9d7fa6f0
SHA256: 3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa
ssdeep: 3072:xoZsjyhxlNCet3MATPO1jUFLVFnRkPjcow9gT7wNwSk7Fa/4NJ:xnjyhx8A
d6jcpgTsW/KqJ
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x23010
timedatestamp.....: 0x4873470a (Tue Jul 08 10:52:58 2008)
machinetype.......: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1a848 0x1aa00 6.38 ca8bbffb8c1aac75560de3ffede16f38
NONPAGED 0x1c000 0x25 0x200 0.30 76fbfaa1c4997eccce3ca016c3b1345b
.rdata 0x1d000 0x850 0xa00 4.25 6ffc26ac817e2ae1a1cf5ce42adc9f0b
.data 0x1e000 0x1b00 0x600 6.42 2680643c152bf562cae4ab5d1ed2070c
PAGE 0x20000 0x2cdc 0x2e00 6.28 7516763c152ec5b6c5df87c555fadbb5
INIT 0x23000 0x1b88 0x1c00 5.96 4459dca4b85a564cb98f26cfbff36fbe
.rsrc 0x25000 0x400 0x400 3.36 09f200edb8e02e6fa4ab2f6bc27ad921
.reloc 0x26000 0x1b6e 0x1c00 6.47 5d73a4e2a3be56c2448dbd9511deefa3
( 3 imports )
> ntoskrnl.exe: IoAllocateWorkItem, RtlDeleteElementGenericTableAvl, RtlGetElementGenericTableAvl, FsRtlIsNameInExpression, RtlInsertElementGenericTableAvl, InitSafeBootMode, InterlockedPopEntrySList, InterlockedPushEntrySList, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, SeTokenType, SeCreateClientSecurity, SeImpersonateClientEx, IoVerifyVolume, IoDeviceObjectType, IoBuildSynchronousFsdRequest, IoDeleteDevice, IoDeleteSymbolicLink, IoUnregisterShutdownNotification, MmIsAddressValid, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, IoRegisterShutdownNotification, IoCreateSymbolicLink, IoCreateDevice, RtlAppendUnicodeToString, KeDelayExecutionThread, KeQuerySystemTime, strncmp, IoGetCurrentProcess, ExGetPreviousMode, SeReleaseSubjectContext, IoQueueWorkItem, SeCaptureSubjectContext, PsDereferenceImpersonationToken, RtlCopySid, RtlLengthSid, SeQueryInformationToken, PsReferencePrimaryToken, PsReferenceImpersonationToken, PsIsThreadTerminating, IoThreadToProcess, RtlInitializeGenericTableAvl, READ_REGISTER_UCHAR, ProbeForRead, RtlLookupElementGenericTableAvl, ObQueryNameString, CmUnRegisterCallback, MmUserProbeAddress, CmRegisterCallback, ZwEnumerateValueKey, ZwDeleteValueKey, ZwQueryKey, wcsrchr, NtBuildNumber, KeClearEvent, ExInitializePagedLookasideList, ExDeletePagedLookasideList, PsLookupProcessByProcessId, RtlCopyUnicodeString, RtlNumberGenericTableElementsAvl, RtlEnumerateGenericTableAvl, PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsRemoveCreateThreadNotifyRoutine, PsRemoveLoadImageNotifyRoutine, IoFreeWorkItem, IofCompleteRequest, IoWMIRegistrationControl, MmGetSystemRoutineAddress, RtlCompareMemory, IoWMIWriteEvent, ZwQueryInformationProcess, KeStackAttachProcess, _wcsicmp, KeUnstackDetachProcess, ZwOpenKey, ZwEnumerateKey, RtlUnicodeStringToInteger, ZwQueryValueKey, ZwCreateKey, RtlIntegerToUnicodeString, ZwSetValueKey, RtlAppendUnicodeStringToString, ZwDeleteKey, DbgBreakPoint, ZwCreateFile, IoGetRelatedDeviceObject, _vsnwprintf, KeQueryInterruptTime, strncpy, RtlInitUnicodeString, RtlCompareUnicodeString, IoFileObjectType, ObReferenceObjectByPointer, _allmul, KeWaitForMultipleObjects, KeSetEvent, ExDeleteResourceLite, ExInitializeResourceLite, memcpy, _except_handler3, ZwOpenProcess, ZwTerminateProcess, PsCreateSystemThread, ObReferenceObjectByHandle, ZwClose, PsTerminateSystemThread, ObfDereferenceObject, KeGetCurrentThread, PsGetCurrentProcessId, PsGetCurrentThreadId, RtlUpcaseUnicodeChar, RtlUpperChar, memset, ExAllocatePoolWithTag, KeInitializeEvent, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, SeQueryAuthenticationIdToken, ExFreePoolWithTag
> HAL.dll: KfReleaseSpinLock, KeGetCurrentIrql, ExAcquireFastMutex, ExReleaseFastMutex, KfAcquireSpinLock
> FLTMGR.SYS: FltQueryInformationFile, FltGetRoutineAddress, FltIsDirectory, FltGetFileNameInformation, FltParseFileNameInformation, FltAllocateCallbackData, FltPerformSynchronousIo, FltFreeCallbackData, FltReferenceFileNameInformation, FltReleaseFileNameInformation, FltGetStreamHandleContext, FltGetStreamContext, FltEnumerateVolumeInformation, FltRegisterFilter, FltStartFiltering, FltSetCallbackDataDirty, FltGetDestinationFileNameInformation, FltSetStreamHandleContext, FltCancelFileOpen, FltSetStreamContext, FltReleaseContext, FltGetVolumeProperties, FltAllocateContext, FltQueryVolumeInformation, FltGetVolumeName, FltSetInstanceContext, FltSetVolumeContext, FltUnregisterFilter, FltFsControlFile, FltGetVolumeFromFileObject, FltGetVolumeContext, FltGetInstanceContext, FltCreateFile, FltClose, FltFlushBuffers, FltSetInformationFile, FltWriteFile, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltObjectReference, FltAllocatePoolAlignedWithTag, FltReadFile, FltFreePoolAlignedWithTag, FltObjectDereference, FltSendMessage, FltCloseClientPort, FltCloseCommunicationPort, FltReleaseResource, FltAcquireResourceShared, FltAcquireResourceExclusive, FltGetFileNameInformationUnsafe
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Kaspersky Lab
copyright....: Copyright (c) Kaspersky Lab 1996-2008.
product......: Kaspersky Anti-Virus
description..: Klif Mini-Filter
original name: KLIF.SYS
internal name: KLIF
file version.: 7.0.0.312
comments.....: n/a
signers......: Kaspersky Lab
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 11:54 AM 7/8/2008
verified.....: -
IndiGenus
2009-12-01, 18:32
Hi,
It looks like that file might be part of a removal tool from Kaspersky. Are you familiar with anything like that?
Use ATF Cleaner to remove temp files, cookies, cache, ect...
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
Please let me know how it's running also.
j_global
2009-12-02, 06:08
Yes, Kaspersky is a highly recommended antivirus tool I downloaded when I realized my PC was infected. I knew that bitdefender (the very highly rated AV I paid for) hadn't found anything so I wanted a second opinion.
I'll run through the other recomendations here in your last post but I am still having the issue and it feels like we're sort of giving up.
Did you see anything else that could be the root of the issue?
This is reall frustrating.
It isn't your fault though, it is mine. I appreciate that you gave it a shot.
-Jonathan
IndiGenus
2009-12-02, 08:32
I'll run through the other recomendations here in your last post but I am still having the issue and it feels like we're sort of giving up.
No, I'm no where near giving up. Please proceed with the instructions and we'll go from there.
Did you see anything else that could be the root of the issue?
Not yet, but we haven't come close to exhausting our resources. I thought maybe combofix took care of the issue. Is it any different after running it?
This is reall frustrating.
Understood. Just hang in there and we'll work through it.
j_global
2009-12-02, 15:43
Thanks for the encouragement and reassurance.
To answer your question regarding whether anything is different. If it is, I can't tell. The original issue that brought me here is still in place. I just did a search on Bing for 'finance' and clicked on one of the search results that was 'comcast/finance' which appeared to be an article on a finance blog but I was directed to a search site called 'thermocite' instead.
This was after the Malwarebytes scan and fix below.
Here's the log from the quick scan with Malwarebytes:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
12/2/2009 8:36:19 AM
mbam-log-2009-12-02 (08-36-19).txt
Scan type: Quick Scan
Objects scanned: 120662
Time elapsed: 14 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{442e26b2-0ae9-1033-0203-060506210001} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
IndiGenus
2009-12-02, 21:38
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition
files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.
Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
Kaspersky log
New HJT log taken after the above scan has run
Let me know how it's running too please.
j_global
2009-12-04, 14:38
Hi Indegenus,
Sorry it has taken a little longer to get back. I had a hectic couple days with work.
I ran this Kaspersky Online scan overnight last night and it ran for 8.2 hours. Thsi morning it showed no threats. I clicked on the report button and as the page was trying to load, I noticed that the scan had only run 88% instead of the expected 100%. By clicking the report link (the report was blank) and going back to the scan page, it started over with the ''accept' button.
I am running the scan again today while I am at work and will check it again when I get back.
Overall, the computer is running fine, so none of the scanning and fixing we've done has broken anything. However, the issue with the browser redirect remains.
Thanks again. You'll hear from me in about another 10 hours.
Regards,
Jonathan
IndiGenus
2009-12-06, 18:49
How are you making out here Jonathan?
j_global
2009-12-06, 18:56
Hi Indegenus,
This scan was interrupted again. The last one I ran was 9 hours, 80 something percent complete ... looking like it had stalled and I had no choice but to stop it so I could install a new development studio I need for work (the install requires 2 or 3 reboots).
It's just tough to do the really long scans on a PC that I use so often.
I am going to keep trying though. Don't give up on me yet.
-J
IndiGenus
2009-12-06, 18:58
We can try another scanner.
Eset Online Scanner (http://www.eset.com/onlinescan/)
Run with Internet Explorer
Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button, or click the notification bar at the top of the window and choose to install.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
IndiGenus
2009-12-07, 00:14
Just got a heads up from other experts on a new infection causing your issues.
A quick check....
Give me a list of your Firefox Add-ons:
In Firefox click Tools --> Add-ons
j_global
2009-12-07, 03:25
Hi Indigenus
When I go to my add-ons for Firefox, I just get a list to select and add, so I think it means I don't have any add-ons installed. I am attaching a small screen shot just so you know what I am looking at.
I also have pasted in the log.txt from the Eset scan. It did find a file - an old crack for WinRar, but I don't believe that file has anything to do with my issue. I will go ahead and delete it for good measure.
First, the log.txt:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cbd34a521afd4744b2d42bb46a242bac
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-06 07:22:19
# local_time=2009-12-06 02:22:19 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=2053 16776869 100 100 0 141858025 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=250753
# found=1
# cleaned=0
# scan_time=5973
C:\Program Files\WinRAR\WRARcrk.exe probably a variant of Win32/Bifrose trojan 00000000000000000000000000000000 I
______
The screenshot of my tools / add-ons for FF is attached ato this message as a file.
IndiGenus
2009-12-07, 04:49
On the picture you attached....what shows if you click on the extensions tab (looks like puzzle piece)?
j_global
2009-12-10, 14:36
Bitdefender Anti-phishing Toolbar 2.0 (Bitdefender is my chosen Antivirus)
Java Quick Starter 1.0
Microsoft .NET Framework Assistant 1.1
j_global
2009-12-10, 14:41
Just in case you wanted to know, I am attaching a screen shot of the plug-ins tab as well.
IndiGenus
2009-12-10, 18:13
Okay that doesn't appear to be it. It has been some time in between posts here so I would like to get an update on how things look. Please run DDS again and post the logs. Also let me know how it's running.
j_global
2009-12-11, 15:04
Here's the DDS:
DDS (Ver_09-11-24.02) - NTFSx86
Run by Global at 7:59:59.74 on Fri 12/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.298 [GMT -5:00]
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Global\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\global\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CAMMON_JL2005A] c:\program files\jl2005a\cam_mon
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147699052265
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\global\applic~1\mozilla\firefox\profiles\kdpyzawl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\global\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 is-KKU82drv;is-KKU82drv;c:\windows\system32\drivers\39940974.sys [2009-11-22 148496]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104456]
S2 Audiowerk;Emagic Audiowerk Kernel Mode Driver;c:\windows\system32\drivers\emagicaw.sys [2006-4-13 19816]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\microsoft.net\framework\v4.0.21006\mscorsvw.exe [2009-10-7 129856]
S2 FILESpy;FILESpy;\??\c:\program files\softwin\bitdefender9\filespy.sys --> c:\program files\softwin\bitdefender9\filespy.sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
S3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys --> c:\windows\system32\drivers\usbmm1x1.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [2009-10-7 752984]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
=============== Created Last 30 ================
2009-12-05 17:56:23 0 d-----w- C:\669074bf335f3f983877cf19bb24f4
2009-12-05 17:44:30 165 ----a-w- c:\windows\system32\spupdsvc.inf
2009-12-05 17:33:14 0 d-----w- c:\program files\IIS
2009-12-05 17:26:48 0 d-----w- c:\program files\Microsoft Visual Studio 10.0
2009-12-05 16:34:30 0 d-----w- c:\program files\Microsoft
2009-11-30 13:01:13 0 d-sha-r- C:\cmdcons
2009-11-30 12:57:59 98816 ----a-w- c:\windows\sed.exe
2009-11-30 12:57:59 77312 ----a-w- c:\windows\MBR.exe
2009-11-30 12:57:59 260608 ----a-w- c:\windows\PEV.exe
2009-11-30 12:57:59 161792 ----a-w- c:\windows\SWREG.exe
2009-11-28 20:34:18 23895 ----a-w- C:\Results.zip
2009-11-28 14:11:12 292352 ----a-w- C:\b5cjwng8.exe
2009-11-26 03:50:50 0 d-----w- c:\program files\HijackThis2
2009-11-26 01:11:43 0 d-----w- c:\docume~1\global\applic~1\Malwarebytes
2009-11-26 01:11:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 01:11:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 01:11:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-26 01:11:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 18:45:07 0 dc-h--w- c:\windows\ie8
2009-11-22 16:03:47 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-22 16:03:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-22 14:48:26 1502120 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-22 14:48:26 134658080 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-22 14:48:01 148496 ----a-w- c:\windows\system32\drivers\39940974.sys
2009-11-18 04:49:01 0 d-----w- c:\windows\system32\wbem\Repository
==================== Find3M ====================
2009-11-25 08:22:58 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 10:31:18 17744 ----a-w- c:\windows\system32\aspnet_counters.dll
2009-10-07 07:44:58 767312 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2009-10-07 07:44:58 70456 ----a-w- c:\windows\system32\dxva2.dll
2009-10-07 07:44:58 486200 ----a-w- c:\windows\system32\evr.dll
2009-10-07 07:17:56 99160 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-10-07 07:17:56 48960 ----a-w- c:\windows\system32\netfxperf.dll
2009-10-07 07:17:56 297792 ----a-w- c:\windows\system32\mscoree.dll
2009-10-07 07:17:56 295248 ----a-w- c:\windows\system32\PresentationHost.exe
2009-10-07 07:17:56 158032 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-07 07:17:56 1130816 ----a-w- c:\windows\system32\dfshim.dll
2009-10-02 04:44:07 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-16 02:35:20 156488 ----a-w- c:\windows\system32\mscorier.dll
============= FINISH: 8:03:20.27 ===============
j_global
2009-12-11, 15:07
Attach.zip is attached.
j_global
2009-12-11, 15:15
IndiGenus,
The problem with the browser still exists but the computer is running fine otherwise.
Just a heads up, I leave for a 2 week vacation cruise on Saturday. My computer will be off the whole time I am gone and I would like to resume the work on this problem upon my return.
Are you OK with that? I don't necessarily want to have to start from scratch if I can help it.
Again, I really appreciate your help so far.
IndiGenus
2009-12-11, 18:39
Just a heads up, I leave for a 2 week vacation cruise on Saturday.
IndiGenus is very jealous!
We'll keep the thread open. Not seeing anything there in DDS. We'll start back up when you get back. Enjoy your vacation.
j_global
2009-12-12, 04:33
I really appreciate it. You'll hear from me around the 27th. -J
j_global, still with us? :)
This thread has been closed due to inactivity.
If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.
Applies only to the original poster, anyone else with similar problems please start your own topic.