virtumonde.prx and "google.com/webph"



tinsong
2010-07-08, 20:06
Hi,

Thanks for your help in advance.

I ran Spybot S&D 1.6.2.46 and Virtumonde.prx popped up.

Symptoms: A new tab opens with "google.com/webph", and when I click links (in a normal Google search, not the /webph site) it redirects me to various pages and does not allow me to go on these forums. I'm using Firefox 3.5.10.

I've backed up my registry and here is the DDS report.

####################################################

DDS (Ver_10-03-17.01) - NTFSx86
Run by Christina at 10:50:22.51 on Thu 07/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1860 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Christina\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\java\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [TomTomHOME.exe] "i:\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Qrojutegefixi] rundll32.exe "c:\windows\wsizhc.dll",Startup
mRun: [NVRTCLK] c:\windows\system32\nvrtclk\NVRTClk.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Prolific_OneButton] c:\program files\usbfast\OneBtn.exe
mRun: [Sburiqemejizuqu] rundll32.exe "c:\windows\umabidovugiyar.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\er48jyq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\christina\application data\mozilla\firefox\profiles\er48jyq2.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: g:\java\bin\new_plugin\npdeploytk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {809D8F5A-070D-4A44-8FE1-AEACA1356576} - c:\documents and settings\christina\local settings\application data\{809d8f5a-070d-4a44-8fe1-aeaca1356576}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2010-3-10 16384]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2010-3-10 16640]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2003-10-10 198144]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-07-08 14:05:47 91 ----a-w- c:\windows\wininit.ini
2010-07-08 08:12:52 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-08 08:12:52 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-08 08:12:52 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-08 08:12:52 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-08 08:12:52 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-08 08:12:52 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-08 08:12:52 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-08 08:12:52 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-08 08:12:46 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-08 08:12:46 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-08 08:12:42 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-08 08:12:42 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-05 17:51:57 120 ----a-w- c:\windows\Spodozanijuduli.dat
2010-07-05 17:51:57 0 ----a-w- c:\windows\Ocaqi.bin
2010-06-15 06:02:14 3471 ----a-w- c:\documents and settings\christina\.recently-used.xbel

==================== Find3M ====================

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-11 22:18:44 49422754 ----a-w- c:\program files\netbeans-6.8-ml-javase-windows.exe
2010-04-10 04:38:05 80394008 ----a-w- c:\program files\jdk-6u19-windows-i586.exe

============= FINISH: 10:51:59.79 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/5/2003 4:35:02 PM
System Uptime: 7/8/2010 9:43:45 AM (1 hours ago)

Motherboard: Shuttle Inc | | AN35
Processor: AMD Athlon(tm) | Socket A | 1094/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 19 GiB total, 5.307 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_05311297&REV_A2\3&13C0B0C5&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_05311297&REV_A2\3&13C0B0C5&0&09
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Compact Wireless-G USB Network Adapter with SpeedBooster ver.2
Device ID: USB\VID_1737&PID_0075\00
Manufacturer: Linksys, A Division of Cisco
Name: Compact Wireless-G USB Network Adapter with SpeedBooster ver.2
PNP Device ID: USB\VID_1737&PID_0075\00
Service: WUSB54GSCV2

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&20
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&20
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_10DE&DEV_006A&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&30
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_10DE&DEV_006A&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&30
Service:

==== System Restore Points ===================

RP284: 6/20/2010 9:42:36 AM - System Checkpoint
RP285: 6/21/2010 9:51:25 AM - System Checkpoint
RP286: 6/22/2010 10:10:50 AM - System Checkpoint
RP287: 6/23/2010 10:27:53 AM - System Checkpoint
RP288: 6/24/2010 3:00:18 AM - Software Distribution Service 3.0
RP289: 6/25/2010 3:18:35 AM - System Checkpoint
RP290: 6/26/2010 4:13:51 AM - System Checkpoint
RP291: 6/27/2010 5:09:23 AM - System Checkpoint
RP292: 6/28/2010 6:04:44 AM - System Checkpoint
RP293: 6/29/2010 7:00:01 AM - System Checkpoint
RP294: 6/30/2010 9:04:21 AM - System Checkpoint
RP295: 7/1/2010 9:13:13 AM - System Checkpoint
RP296: 7/2/2010 9:22:18 AM - System Checkpoint
RP297: 7/3/2010 10:31:55 AM - System Checkpoint
RP298: 7/4/2010 11:34:45 AM - System Checkpoint
RP299: 7/5/2010 11:40:26 AM - System Checkpoint
RP300: 7/6/2010 11:14:10 PM - System Checkpoint
RP301: 7/8/2010 12:05:03 AM - System Checkpoint
RP302: 7/8/2010 10:21:28 AM - Removed Quake Live Mozilla Plugin

==== Installed Programs ======================


Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AIM 7
Akamai NetSession Interface
ArcGIS Desktop Evaluation Edition
Canon MP Navigator EX 1.0
Canon MP210 series
Compact Wireless-G USB Network Adapter with SpeedBooster
Connect
Download Updater (AOL LLC)
EA Download Manager
ERUNT 1.1j
Getting to Know ArcGIS Desktop - Exercise Data
GIMP 2.6.7
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IL Download Manager
iSEEK AnswerWorks English Runtime
Java Auto Updater
Java DB 10.5.3.0
Java(TM) 6 Update 16
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Java(TM) SE Development Kit 6 Update 19
JCreator LE 4.50
kuler
LightScribe System Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.5.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
NetBeans IDE 6.8
NVIDIA Drivers
PDF Settings CS4
Photoshop Camera Raw
Python 2.5 numpy-1.0.3
Python 2.5.1
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
Skype™ 4.1
Spybot - Search & Destroy
Suite Shared Configuration CS4
The Sims™ 3
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
USBFast
Visual Basic for Applications (R) Core
Visual Basic for Applications (R) Core - English
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/5/2010 8:28:29 PM, error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 8:28:24 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 8:28:04 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 11:56:29 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/5/2010 11:56:29 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the winmgmt service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2010 7:41:40 AM, error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2010 7:41:40 AM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2010 7:41:40 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified.
7/3/2010 7:41:40 AM, error: Service Control Manager [7000] - The Computer Browser service failed to start due to the following error: All pipe instances are busy.
7/2/2010 1:45:39 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer IRVTIN-50FA64 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6319945F-F9C8-. The master browser is stopping or an election is being forced.

==== End Of File ===========================

Fresh DDS report with TeaTimer OFF. Sorry about that. P.S. I'm currently transferring these logs via USB because I've turned off the connection on the infected computer. Is this a safe way?



DDS (Ver_10-03-17.01) - NTFSx86
Run by Christina at 11:14:21.60 on Thu 07/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2166 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Christina\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\java\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [TomTomHOME.exe] "i:\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Qrojutegefixi] rundll32.exe "c:\windows\wsizhc.dll",Startup
mRun: [NVRTCLK] c:\windows\system32\nvrtclk\NVRTClk.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Prolific_OneButton] c:\program files\usbfast\OneBtn.exe
mRun: [Sburiqemejizuqu] rundll32.exe "c:\windows\umabidovugiyar.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\er48jyq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\christina\application data\mozilla\firefox\profiles\er48jyq2.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: g:\java\bin\new_plugin\npdeploytk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {809D8F5A-070D-4A44-8FE1-AEACA1356576} - c:\documents and settings\christina\local settings\application data\{809D8F5A-070D-4A44-8FE1-AEACA1356576}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gscv2\WLService.exe [2003-10-10 65596]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2010-3-10 16384]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2010-3-10 16640]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2003-10-10 198144]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-07-08 14:05:47 91 ----a-w- c:\windows\wininit.ini
2010-07-08 08:12:52 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-08 08:12:52 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-08 08:12:52 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-08 08:12:52 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-08 08:12:52 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-08 08:12:52 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-08 08:12:52 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-08 08:12:52 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-08 08:12:46 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-08 08:12:46 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-08 08:12:42 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-08 08:12:42 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-05 17:51:57 120 ----a-w- c:\windows\Spodozanijuduli.dat
2010-07-05 17:51:57 0 ----a-w- c:\windows\Ocaqi.bin
2010-06-15 06:02:14 3471 ----a-w- c:\documents and settings\christina\.recently-used.xbel

==================== Find3M ====================

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-11 22:18:44 49422754 ----a-w- c:\program files\netbeans-6.8-ml-javase-windows.exe
2010-04-10 04:38:05 80394008 ----a-w- c:\program files\jdk-6u19-windows-i586.exe

============= FINISH: 11:15:43.25 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/5/2003 4:35:02 PM
System Uptime: 7/8/2010 11:12:10 AM (0 hours ago)

Motherboard: Shuttle Inc | | AN35
Processor: AMD Athlon(tm) XP | Socket A | 1094/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 19 GiB total, 5.344 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_05311297&REV_A2\3&13C0B0C5&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_05311297&REV_A2\3&13C0B0C5&0&09
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Compact Wireless-G USB Network Adapter with SpeedBooster ver.2
Device ID: USB\VID_1737&PID_0075\00
Manufacturer: Linksys, A Division of Cisco
Name: Compact Wireless-G USB Network Adapter with SpeedBooster ver.2
PNP Device ID: USB\VID_1737&PID_0075\00
Service: WUSB54GSCV2

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&20
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&20
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_10DE&DEV_006A&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&30
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_10DE&DEV_006A&SUBSYS_05311297&REV_A1\3&13C0B0C5&0&30
Service:

==== System Restore Points ===================

RP284: 6/20/2010 9:42:36 AM - System Checkpoint
RP285: 6/21/2010 9:51:25 AM - System Checkpoint
RP286: 6/22/2010 10:10:50 AM - System Checkpoint
RP287: 6/23/2010 10:27:53 AM - System Checkpoint
RP288: 6/24/2010 3:00:18 AM - Software Distribution Service 3.0
RP289: 6/25/2010 3:18:35 AM - System Checkpoint
RP290: 6/26/2010 4:13:51 AM - System Checkpoint
RP291: 6/27/2010 5:09:23 AM - System Checkpoint
RP292: 6/28/2010 6:04:44 AM - System Checkpoint
RP293: 6/29/2010 7:00:01 AM - System Checkpoint
RP294: 6/30/2010 9:04:21 AM - System Checkpoint
RP295: 7/1/2010 9:13:13 AM - System Checkpoint
RP296: 7/2/2010 9:22:18 AM - System Checkpoint
RP297: 7/3/2010 10:31:55 AM - System Checkpoint
RP298: 7/4/2010 11:34:45 AM - System Checkpoint
RP299: 7/5/2010 11:40:26 AM - System Checkpoint
RP300: 7/6/2010 11:14:10 PM - System Checkpoint
RP301: 7/8/2010 12:05:03 AM - System Checkpoint
RP302: 7/8/2010 10:21:28 AM - Removed Quake Live Mozilla Plugin

==== Installed Programs ======================


Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AIM 7
Akamai NetSession Interface
ArcGIS Desktop Evaluation Edition
Canon MP Navigator EX 1.0
Canon MP210 series
Compact Wireless-G USB Network Adapter with SpeedBooster
Connect
Download Updater (AOL LLC)
EA Download Manager
ERUNT 1.1j
Getting to Know ArcGIS Desktop - Exercise Data
GIMP 2.6.7
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IL Download Manager
iSEEK AnswerWorks English Runtime
Java Auto Updater
Java DB 10.5.3.0
Java(TM) 6 Update 16
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Java(TM) SE Development Kit 6 Update 19
JCreator LE 4.50
kuler
LightScribe System Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.5.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
NetBeans IDE 6.8
NVIDIA Drivers
PDF Settings CS4
Photoshop Camera Raw
Python 2.5 numpy-1.0.3
Python 2.5.1
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
Skype™ 4.1
Spybot - Search & Destroy
Suite Shared Configuration CS4
The Sims™ 3
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
USBFast
Visual Basic for Applications (R) Core
Visual Basic for Applications (R) Core - English
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/5/2010 8:28:29 PM, error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 8:28:24 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 8:28:04 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
7/5/2010 11:56:29 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/5/2010 11:56:29 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the winmgmt service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
7/3/2010 7:41:40 AM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2010 7:41:40 AM, error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2010 7:41:40 AM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2010 7:41:40 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified.
7/3/2010 7:41:40 AM, error: Service Control Manager [7000] - The Computer Browser service failed to start due to the following error: All pipe instances are busy.
7/2/2010 1:45:39 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer IRVTIN-50FA64 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6319945F-F9C8-. The master browser is stopping or an election is being forced.

==== End Of File ===========================

update on the situation:

I ran Malwarebytes Anti-Malware and it came up with 5 infections including Trojan.Hiloti, Rogue.Installer (and forgive me, I forgot the rest). Here is the MBAM report.

Database version: 4293

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/8/2010 1:48:51 PM
mbam-log-2010-07-08 (13-48-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 204911
Time elapsed: 34 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\wsizhc.dll (Trojan.Hiloti) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrojutegefixi (Trojan.Hiloti) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wsizhc.dll (Trojan.Hiloti) -> No action taken.
C:\System Volume Information\_restore{B4852261-8A13-4800-8585-D334761D62BC}\RP302\A0021060.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> No action taken.
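As an added example (not part of tinsong's post or of Malwarebytes itself), here is a small Python parser for the MBAM 1.x log format above. It pulls each flagged item out of the per-section lists and separates what was actually removed from what was left in place, which is the thing to check before concluding that a scan "came up clean". The embedded log is a constructed sample modelled on the one above, not the original.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and flag detections that
were left in place ("No action taken").

Added example; the sample log at the bottom is constructed, not the real one.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "section item threat action")

# A section header is a line such as "Files Infected:" with nothing after the
# colon. The summary block uses the same names followed by a count, which this
# pattern deliberately does not match.
_SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")

# One detection per line, e.g.
#   C:\WINDOWS\wsizhc.dll (Trojan.Hiloti) -> No action taken.
_ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?\s*$"
)


def parse_mbam_log(text):
    """Return a Detection tuple for every flagged item in the log."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip everything before the first section, blank lines and the
        # "(No malicious items detected)" placeholder.
        if section is None or not line or line.startswith("("):
            continue
        item = _ITEM_RE.match(line)
        if item:
            detections.append(Detection(section, item.group("item"),
                                        item.group("threat"), item.group("action")))
    return detections


def unresolved(detections):
    """Detections MBAM reported but did not remove ('No action taken')."""
    return [d for d in detections if d.action.lower().startswith("no action taken")]


def threat_counts(detections):
    """Number of flagged items per threat family, e.g. {'Trojan.Hiloti': 3}."""
    return dict(Counter(d.threat for d in detections))


# Constructed sample modelled on the log posted above (not the actual log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4293

Scan type: Full scan (C:\|)
Memory Modules Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\wsizhc.dll (Trojan.Hiloti) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrojutegefixi (Trojan.Hiloti) -> No action taken.

Files Infected:
C:\WINDOWS\wsizhc.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> No action taken.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("detections:", len(found), "by family:", threat_counts(found))
    for d in unresolved(found):
        print("STILL PRESENT [%s] %s (%s)" % (d.section, d.item, d.threat))
```

Running it against a real log is just `parse_mbam_log(open(path).read())`; anything returned by `unresolved()` is still on the machine regardless of what the scan summary says, and a Run-key entry pointing at a DLL under C:\WINDOWS (as with qrojutegefixi and wsizhc.dll above) is exactly the pair that re-establishes the infection at next logon.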

ken545
2010-07-13, 02:06


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Please rerun Malwarebytes and this time fix whatever it finds; having it set to take no action didn't accomplish much. Then post the new log.



Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

tinsong
2010-07-13, 05:38
Hi,

Thanks for your help!

I have been running both Spybot and MBAM numerous times and they are currently coming up "clean". But the symptoms are still present: redirects when clicking links on Google for McAfee and Spybot. As I was reading the BleepingComputer article, two new tabs opened up with a URL something like... 123.231.13 / ph

I ran combofix and mid scan the computer restarted.

ken545
2010-07-13, 10:21
Let's try running ComboFix in Safemode.

First drag CF to the trash and grab a fresh copy.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop





To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

tinsong
2010-07-13, 21:53
MBAM log (before ComboFix) and ComboFix log. In safe mode ComboFix said it had rootkit activity, then restarted and resumed the scan.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4301

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/12/2010 11:06:28 PM
mbam-log-2010-07-12 (23-06-28).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 201024
Time elapsed: 1 hour(s), 0 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

################Start of combofix log###############


ComboFix 10-07-12.06 - Christina 07/13/2010 12:28:52.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2283 [GMT -7:00]
Running from: c:\documents and settings\Christina\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Christina\Local Settings\Application Data\{809D8F5A-070D-4A44-8FE1-AEACA1356576}
c:\documents and settings\Christina\Local Settings\Application Data\{809D8F5A-070D-4A44-8FE1-AEACA1356576}\chrome.manifest
c:\documents and settings\Christina\Local Settings\Application Data\{809D8F5A-070D-4A44-8FE1-AEACA1356576}\chrome\content\_cfg.js
c:\documents and settings\Christina\Local Settings\Application Data\{809D8F5A-070D-4A44-8FE1-AEACA1356576}\chrome\content\overlay.xul
c:\documents and settings\Christina\Local Settings\Application Data\{809D8F5A-070D-4A44-8FE1-AEACA1356576}\install.rdf
c:\windows\ONSPCLCK.exe

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.

2010-07-13 19:13 . 2010-07-13 19:13 -------- d-----w- c:\program files\ERUNT
2010-07-13 05:04 . 2010-07-05 21:30 3687344 ----a-w- c:\documents and settings\Christina\Application Data\Simply Super Software\Trojan Remover\yrn16.exe
2010-07-13 00:45 . 2010-07-13 05:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-13 00:42 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-13 00:42 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-13 00:42 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-13 00:42 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-13 00:42 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-13 00:42 . 2010-07-13 00:42 -------- d-----w- c:\program files\Trojan Remover
2010-07-13 00:42 . 2010-07-13 00:42 -------- d-----w- c:\documents and settings\Christina\Application Data\Simply Super Software
2010-07-13 00:42 . 2010-07-13 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-07-11 04:52 . 2010-02-17 23:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-11 04:52 . 2010-02-17 23:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-07-11 04:52 . 2010-02-17 23:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-11 04:51 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-11 04:50 . 2010-07-11 04:52 -------- d-----w- c:\program files\Common Files\McAfee
2010-07-11 04:50 . 2010-07-11 04:50 -------- d-----w- c:\program files\McAfee.com
2010-07-11 04:50 . 2010-07-11 23:51 -------- d-----w- c:\program files\McAfee
2010-07-11 04:48 . 2010-02-17 23:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-07-11 04:47 . 2010-07-12 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-08 19:47 . 2010-07-08 19:47 -------- d-----w- c:\documents and settings\Christina\Application Data\Malwarebytes
2010-07-08 19:47 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-08 19:47 . 2010-07-08 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-08 19:46 . 2010-07-10 02:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-08 19:46 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-08 09:08 . 2010-07-08 09:08 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-07-08 08:12 . 2001-08-18 05:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-08 08:12 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-08 08:12 . 2001-08-18 05:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-08 08:12 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-08 08:12 . 2001-08-17 21:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-08 08:12 . 2001-08-17 21:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-08 08:12 . 2008-04-14 12:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-08 08:12 . 2008-04-14 12:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-05 17:51 . 2010-07-08 16:47 120 ----a-w- c:\windows\Spodozanijuduli.dat
2010-07-05 17:51 . 2010-07-08 16:47 0 ----a-w- c:\windows\Ocaqi.bin
2010-06-24 10:19 . 2010-06-24 10:19 149376 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 19:11 . 2010-01-14 22:14 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-11 21:09 . 2003-10-12 16:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 07:35 . 2003-10-12 07:53 -------- d-----w- c:\program files\Java
2010-07-08 19:21 . 2003-10-20 01:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-30 18:40 . 2009-11-06 18:35 -------- d-----w- c:\documents and settings\Christina\Application Data\Skype
2010-06-30 15:18 . 2009-11-06 18:40 -------- d-----w- c:\documents and settings\Christina\Application Data\skypePM
2010-06-15 06:02 . 2009-12-15 18:46 -------- d-----w- c:\documents and settings\Christina\Application Data\gtk-2.0
2010-06-09 18:19 . 2010-01-04 19:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-11 22:18 . 2010-04-11 22:17 49422754 ----a-w- c:\program files\netbeans-6.8-ml-javase-windows.exe
2010-04-10 04:38 . 2010-04-10 04:37 80394008 ----a-w- c:\program files\jdk-6u19-windows-i586.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-02-25 2387968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\Christina\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TomTomHOME.exe"="i:\tomtom home 2\TomTomHOMERunner.exe"
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TrojanScanner"=c:\program files\Trojan Remover\Trjscan.exe /boot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 5:00 AM 14336]
S2 WUSB54GSC;WUSB54GSC;c:\program files\Linksys\WUSB54GSCv2\WLService.exe [10/10/2003 8:24 PM 65596]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [3/10/2010 10:46 AM 16384]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [3/10/2010 10:46 AM 16640]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [10/10/2003 8:24 PM 198144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-02-25 19:12 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-11 19:22]

2010-07-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-11 19:22]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Christina\Application Data\Mozilla\Firefox\Profiles\er48jyq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com
FF - plugin: c:\documents and settings\Christina\Application Data\Mozilla\Firefox\Profiles\er48jyq2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-Prolific_OneButton - c:\program files\USBFast\OneBtn.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-13 12:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(196)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-07-13 12:42:51
ComboFix-quarantined-files.txt 2010-07-13 19:42

Pre-Run: 5,807,570,944 bytes free
Post-Run: 5,823,344,640 bytes free

- - End Of File - - 4C4C4675572D4D1216779AC017ABB21C

ken545
2010-07-14, 00:09
Hi,

I tell ya, these dirtbags that write this garbage are infecting anything they can; in your case they infected pciide.sys, which is the Generic PCI IDE Bus Driver.

Combofix should run fine in normal Windows now.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above the URL.




http://forums.spybot.info/showthread.php?t=58435

Collect::
c:\windows\Spodozanijuduli.dat
c:\windows\Ocaqi.bin


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tinsong
2010-07-14, 17:33
ComboFix 10-07-12.06 - Christina 07/14/2010 8:20.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1890 [GMT -7:00]
Running from: c:\documents and settings\Christina\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Christina\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\Ocaqi.bin
file zipped: c:\windows\Spodozanijuduli.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ocaqi.bin
c:\windows\Spodozanijuduli.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))
.

2010-07-14 06:10 . 2010-07-05 21:30 3687344 ----a-w- c:\documents and settings\Christina\Application Data\Simply Super Software\Trojan Remover\jsl1A.exe
2010-07-13 19:13 . 2010-07-13 19:13 -------- d-----w- c:\program files\ERUNT
2010-07-13 00:45 . 2010-07-14 06:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-13 00:42 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-13 00:42 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-13 00:42 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-13 00:42 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-13 00:42 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-13 00:42 . 2010-07-13 00:42 -------- d-----w- c:\program files\Trojan Remover
2010-07-13 00:42 . 2010-07-13 00:42 -------- d-----w- c:\documents and settings\Christina\Application Data\Simply Super Software
2010-07-13 00:42 . 2010-07-13 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-07-11 04:52 . 2010-02-17 23:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-11 04:52 . 2010-02-17 23:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-07-11 04:52 . 2010-02-17 23:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-11 04:51 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-11 04:50 . 2010-07-11 04:52 -------- d-----w- c:\program files\Common Files\McAfee
2010-07-11 04:50 . 2010-07-11 04:50 -------- d-----w- c:\program files\McAfee.com
2010-07-11 04:50 . 2010-07-11 23:51 -------- d-----w- c:\program files\McAfee
2010-07-11 04:48 . 2010-02-17 23:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-07-11 04:47 . 2010-07-12 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-08 19:47 . 2010-07-08 19:47 -------- d-----w- c:\documents and settings\Christina\Application Data\Malwarebytes
2010-07-08 19:47 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-08 19:47 . 2010-07-08 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-08 19:46 . 2010-07-10 02:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-08 19:46 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-08 09:08 . 2010-07-08 09:08 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-07-08 08:12 . 2001-08-18 05:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-08 08:12 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-08 08:12 . 2001-08-18 05:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-08 08:12 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-08 08:12 . 2001-08-17 21:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-08 08:12 . 2001-08-17 21:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-08 08:12 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-08 08:12 . 2008-04-14 12:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-08 08:12 . 2008-04-14 12:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-06-24 10:19 . 2010-06-24 10:19 149376 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 15:16 . 2010-01-14 22:14 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-11 21:09 . 2003-10-12 16:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 07:35 . 2003-10-12 07:53 -------- d-----w- c:\program files\Java
2010-07-08 19:21 . 2003-10-20 01:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-30 18:40 . 2009-11-06 18:35 -------- d-----w- c:\documents and settings\Christina\Application Data\Skype
2010-06-30 15:18 . 2009-11-06 18:40 -------- d-----w- c:\documents and settings\Christina\Application Data\skypePM
2010-06-15 06:02 . 2009-12-15 18:46 -------- d-----w- c:\documents and settings\Christina\Application Data\gtk-2.0
2010-06-09 18:19 . 2010-01-04 19:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-11 22:18 . 2010-04-11 22:17 49422754 ----a-w- c:\program files\netbeans-6.8-ml-javase-windows.exe
2010-04-10 04:38 . 2010-04-10 04:37 80394008 ----a-w- c:\program files\jdk-6u19-windows-i586.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-07-13_19.38.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-14 02:51 . 2010-07-14 02:51 16384 c:\windows\Temp\Perflib_Perfdata_4f8.dat
+ 2003-10-05 23:36 . 2010-07-14 15:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-10-05 23:36 . 2010-07-13 19:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-10-05 23:36 . 2010-07-14 15:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-10-05 23:36 . 2010-07-13 19:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-14 15:16 . 2010-07-14 15:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-13 19:46 . 2010-07-13 19:46 196608 c:\windows\ERDNT\AutoBackup\7-13-2010\Users\00000002\UsrClass.dat
+ 2010-07-13 19:46 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\7-13-2010\ERDNT.EXE
+ 2010-07-13 19:46 . 2010-07-13 19:46 8409088 c:\windows\ERDNT\AutoBackup\7-13-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-02-25 2387968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\Christina\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TomTomHOME.exe"="i:\tomtom home 2\TomTomHOMERunner.exe"
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TrojanScanner"=c:\program files\Trojan Remover\Trjscan.exe /boot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 5:00 AM 14336]
R2 WUSB54GSC;WUSB54GSC;c:\program files\Linksys\WUSB54GSCv2\WLService.exe [10/10/2003 8:24 PM 65596]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [3/10/2010 10:46 AM 16384]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [3/10/2010 10:46 AM 16640]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [10/10/2003 8:24 PM 198144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-02-25 19:12 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-11 19:22]

2010-07-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-11 19:22]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Christina\Application Data\Mozilla\Firefox\Profiles\er48jyq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.yahoo.com
FF - plugin: c:\documents and settings\Christina\Application Data\Mozilla\Firefox\Profiles\er48jyq2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 08:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-07-14 08:30:31
ComboFix-quarantined-files.txt 2010-07-14 15:30
ComboFix2.txt 2010-07-13 19:42

Pre-Run: 5,886,607,360 bytes free
Post-Run: 5,879,787,520 bytes free

- - End Of File - - E7E574EADE18C52E9051023606DF673E

ken545
2010-07-14, 18:43
Looking good, let's sweep for anything the scans may have missed.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

tinsong
2010-07-14, 18:54
After installing ActiveX it's asking if I want to install "OnlineScanner.cab", publisher: ESET,spol.s.r.o.

Do I install?

ken545
2010-07-14, 19:09
Yes, it's safe to install.

tinsong
2010-07-14, 19:46
Everything seems to be working OK. No redirects or random new tabs when I go to help sites. My dad downloaded Trojan Remover; is this a legit program? And what programs can I remove now?

Thanks for your help!


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=529e544f5372c64dbf1bffd1c81422f1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-14 05:43:05
# local_time=2010-07-14 10:43:05 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776869 100 96 0 31960130 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=68013
# found=0
# cleaned=0
# scan_time=2383

ken545
2010-07-14, 19:55
Hi,

Glad things are better for you. Trojan Remover is legit and OK. You have Malwarebytes installed and it's the free version; this is a great program and yours to keep.


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK.
Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.




How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind, if you install some of these programs, only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

tinsong
2010-07-15, 07:48
So far everything looks good! I have just a couple of questions. What does the pciide.sys, Generic PCI IDE BUS driver, affect? The USB ports? I used a USB thumb drive when the computer was infected; should I be concerned?

Thank you so much again!

ken545
2010-07-15, 10:21
That driver runs your hard drive, but these infections can infect a USB drive as well.

To be on the safe side, run this program.

Please download Flash_Disinfector.exe (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop:


Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.

tinsong
2010-07-17, 05:19
Hi

Nothing showed up during the scan. I really appreciate your help. Thanks again!

ken545
2010-07-17, 11:39
You're very welcome :)

Take care,
Ken