*HELP PLEASE* Live messenger closing on sign in, Chrome not opening, Redirect issues



Hastify
2011-03-28, 19:47
Hi,

I am having several problems. Firstly, it started off with the common redirect issue. I type something into Google and I am redirected to "fastsearch". More recently, when I click the Google Chrome icon it does not launch, and when I enter ANY password (correct/incorrect) and sign in to Windows Live Messenger, the program immediately closes.

I have since reinstalled Google Chrome and the problem still persists. I uninstalled Windows Live Messenger but now I cannot reinstall it; for some reason, halfway through the setup, the setup box disappears.

I'm assuming this could be because Windows Live is a Microsoft product, and microsoft.com is a website which I CANNOT access.

Could someone help me with this? I will follow each step as you suggest. Thanks a lot.

shelf life
2011-03-29, 23:36
Hi,

I am going to 'guess' on this. We will get two downloads for you to use; the first hopefully will take care of the redirection, the second will just show some information:

1) Please download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop.

Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."
"A reboot might be required after disinfection."
A report will be found in your root drive, Local Disk (C:), as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt).
Please post the log report.

2) Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Please Copy/paste both logs in your reply.

Hastify
2011-03-31, 23:55
Thanks for the quick reply.

It seems as if the malware has blocked both of those links. I get this message in IE when clicking them:

Internet Explorer cannot display the webpage

What you can try:
Diagnose Connection Problems

More information

Any suggestions? Thanks again.

shelf life
2011-04-01, 03:07
"It seems as if the malware has blocked both of those links."
So you can get to other sites ok? Like here?
Could you download TDSSkiller on another computer like on a usb flash drive and transfer the file that way?

I am assuming you have a certain type of malware that this (TDSSKiller) would take care of, but it's possible you don't have it and may just have a modified hosts file.

You can also try these two links to get the other downloads and run them:

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.


This one requires you read a guide first. Read through the guide then apply the directions on your own machine. Post the combofix log.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
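The modified hosts file mentioned above is a quick thing to rule in or out: on Windows it lives at %SystemRoot%\System32\drivers\etc\hosts, and a tampered one typically maps vendor and update sites to the loopback address (so they become unreachable) or a search engine to an outside address (a redirect). The following Python audit is an added example, not part of the thread or of any tool named in it; SAMPLE_HOSTS is constructed to mirror the reported symptom and is not the poster's real file, and WATCHED_SUFFIXES is this example's own short list.

```python
"""Audit a Windows hosts file for sinkholed security sites and redirects.

Added example, not part of the original thread or any tool named in it.
SAMPLE_HOSTS is constructed to mirror the reported symptom.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample. The first two lines are what a clean Windows XP hosts
# file contains; the rest imitate the tampering pattern discussed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# injected: security and update sites pointed at the loopback address
127.0.0.1       www.microsoft.com
127.0.0.1       microsoft.com
127.0.0.1       support.kaspersky.com
127.0.0.1       download.bleepingcomputer.com
# injected: search engine pointed at an external host (redirect)
203.0.113.10    www.google.com
"""

# Domains the thread needed to reach (example's own list; extend as needed).
WATCHED_SUFFIXES = ("microsoft.com", "kaspersky.com", "bleepingcomputer.com",
                    "malwarebytes.org", "google.com")

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_address("::1")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every name on every entry
    line, dropping blank lines, comment lines and trailing '# ...' comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        address, names = fields[0], fields[1:]
        entries.extend((line_no, address, n.lower()) for n in names)
    return entries


def is_watched(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_sinkhole(ip) -> bool:
    # Cross-version comparisons in ipaddress simply return False, so this is
    # safe for both IPv4 and IPv6 addresses.
    return ip == UNSPECIFIED or ip == LOOPBACK_V6 or ip in LOOPBACK_V4


def audit_hosts(text: str) -> List[Finding]:
    """One Finding per suspicious entry.

    A watched domain mapped to loopback/0.0.0.0 is a sinkhole (the user cannot
    reach the vendor). Any other name mapped to loopback is ignored, since
    ad-blocking hosts lists do exactly that. Any name mapped to a non-loopback
    address is a redirect and is reported for review."""
    findings = []
    for line_no, address, hostname in parse_hosts(text):
        if hostname in ("localhost", "localhost.localdomain", "broadcasthost"):
            continue
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(Finding(line_no, address, hostname, "unparseable address"))
            continue
        if is_sinkhole(ip):
            if is_watched(hostname):
                findings.append(Finding(line_no, address, hostname,
                                        "security/update site sinkholed"))
        else:
            findings.append(Finding(line_no, address, hostname,
                                    "name redirected to external address"))
    return findings


def sinkholed_sites(text: str) -> List[str]:
    """Just the watched hostnames that are blocked, sorted for reporting."""
    return sorted(f.hostname for f in audit_hosts(text)
                  if f.reason == "security/update site sinkholed")


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address:<15} {f.hostname:<32} {f.reason}")
```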

Hastify
2011-04-05, 21:08
I downloaded all the programs as you said.

TDSSkiller found nothing.

---------------------

MalwareBytes log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6259

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/04/2011 19:59:56
mbam-log-2011-04-06 (19-59-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 320304
Time elapsed: 2 hour(s), 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 33
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 9
Files Infected: 47

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\nmklo.dll (Worm.Mariofev) -> No action taken.
c:\documents and settings\all users\application data\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.
c:\WINDOWS\system32\gvqrn4.dll (Password.Stealer) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (Trojan.Proxy) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3C4FFAAE-04BA-494A-9099-D1C744272AAD} (Password.Stealer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3C4FFAAE-04BA-494A-9099-D1C744272AAD} (Password.Stealer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{C55CA95C-324B-451C-B2D2-6E895AA75FEC} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info.1 (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info (Adware.ClickPotato) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{419EDA30-6DFF-432C-B534-E15D899ABEE4} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClickPotatoLiteSA (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> No action taken.
HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (Trojan.Proxy) -> Value: {96AFBE69-C3B0-4B00-8578-D933D2896EE2} -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4b00-8578-D933D2896EE2} -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\SPIGOT\WTXPCOM\COMPONENTS\WIDGITOOLBARFF.DLL (Adware.WidgiToolbar) -> Value: WIDGITOOLBARFF.DLL -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Value: netsvc -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
c:\documents and settings\all users\application data\clickpotatolitesa (Adware.ClickPotato) -> No action taken.
c:\documents and settings\User\application data\clickpotatolite (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0 (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\start menu\Programs\clickpotato (Adware.ClickPotato) -> No action taken.

Files Infected:
c:\WINDOWS\system32\nmklo.dll (Worm.Mariofev) -> No action taken.
c:\documents and settings\all users\application data\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.
c:\WINDOWS\system32\gvqrn4.dll (Password.Stealer) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesaax.dll (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesabho.dll (Adware.ClickPotato) -> No action taken.
c:\documents and settings\KK\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> No action taken.
c:\documents and settings\User\local settings\Temp\miu187.tmp.exe (Backdoor.Bot) -> No action taken.
c:\documents and settings\User\local settings\Temp\miu1b5.tmp.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\User\my documents\downloads\xvidsetup (1).exe (Adware.Hotbar) -> No action taken.
c:\documents and settings\User\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> No action taken.
c:\program files\adobephotoshopcs3\adobe_photoshop_cs3\Msvcrt.dll (Malware.Packer.Gen) -> No action taken.
c:\program files\adobephotoshopcs3\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesa.exe (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesahook.dll (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatoliteuninstaller.exe (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins\npclntax_clickpotatolitesa.dll (Adware.ClickPotato) -> No action taken.
c:\program files\common files\Spigot\wtxpcom\components\widgitoolbarff.dll (Adware.WidgiToolbar) -> No action taken.
c:\program files\mozilla firefox\plugins\npclntax_clickpotatolitesa.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203659.exe (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203660.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203661.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203662.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203663.exe (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203664.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0204446.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207358.exe (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207359.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207360.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207361.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207362.exe (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207363.dll (Adware.ClickPotato) -> No action taken.
c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0208147.dll (Adware.ClickPotato) -> No action taken.
c:\WINDOWS\system32\cooper.mine (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\h7t.wt (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\hgtd.ruy (Malware.Trace) -> No action taken.
c:\documents and settings\User\local settings\Temp\utt218.tmp.exe (Trojan.Pakes) -> No action taken.
c:\WINDOWS\system32\bilmux2.dll (Password.Stealer) -> No action taken.
c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaabout.mht (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaau.dat (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaeula.mht (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa_hpk.dat (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa_kyf_update.dat (Adware.ClickPotato) -> No action taken.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\start menu\Programs\clickpotato\About Us.lnk (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\start menu\Programs\clickpotato\clickpotato customer support.lnk (Adware.ClickPotato) -> No action taken.
c:\documents and settings\all users\start menu\Programs\clickpotato\clickpotato uninstall instructions.lnk (Adware.ClickPotato) -> No action taken.

DDS:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 17:41:51.17 on 06/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.459 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NCH Software\BroadCam\broadcam.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\User\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\yoeecjes\huvqmjng.exe
BHO: Internet Explorer Plugin: {0cb59d0c-4a96-4fc5-b8bd-29af4a0ee3e2} - gvqrn4.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.3\youtubedownloaderToolbarIE.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.3\youtubedownloaderToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\user\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\clickpotatolite\bin\10.0.630.0\ClickPotatoLiteSABHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {3C4FFAAE-04BA-494A-9099-D1C744272AAD} - rundll32 gvqrn4.dll,laspi
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ywwca10i.default\
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: ClickPotatoLite Component: ClickPotatoLite@ClickPotatoLite.com - c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.
============= SERVICES / DRIVERS ===============
.
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-28 33824]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-1-28 387072]
R2 BroadCamService;BroadCam Video Streaming Server;c:\program files\nch software\broadcam\broadcam.exe [2011-1-26 1175556]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-4-7 20968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-10 14336]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2010-2-26 808448]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-26 135664]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2010-2-26 32384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-14 34448]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
2011-04-04 21:08:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 21:08:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-01 17:42:58 16856 ------w- c:\program files\mozilla firefox\plugin-container.exe
2011-04-01 17:42:53 719832 ------w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-29 17:25:16 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Deployment
.
==================== Find3M ====================
.
2011-02-18 15:35:11 38400 ----a-w- c:\windows\system32\bilmux2.dll
2011-02-05 19:12:00 38400 ----a-w- c:\windows\system32\gvqrn4.dll
2011-02-04 17:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 17:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-06-02 04:22:02 89944 ----a-w- c:\program files\DSETUP.dll
2010-06-02 04:22:02 537432 ----a-w- c:\program files\DXSETUP.exe
2010-06-02 04:22:02 1801048 ----a-w- c:\program files\dsetup32.dll
.
============= FINISH: 17:43:00.84 ===============

Thanks again.
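
The DDS report above shows several classic Windows XP persistence spots in one place: an extra Userinit entry (c:\program files\yoeecjes\huvqmjng.exe) that runs at every logon, a BHO and an Active Setup entry both pointing at gvqrn4.dll, a service (SPService) hosted in an svchost group named netsvc rather than the standard netsvcs, and the changed regfile association that Malwarebytes also reported. The following Python triage pass is an added example, not part of the thread and not DDS's own logic; SAMPLE_DDS is excerpted from the posted log, and the "expected" baselines (EXPECTED_USERINIT, STANDARD_SVCHOST_GROUPS, EXPECTED_REGFILE) are this example's own assumptions about a stock XP machine.

```python
"""Triage DDS 'Pseudo HJT Report' and service lines for common persistence.

Added example, not part of the original thread and not DDS's own code.
SAMPLE_DDS is excerpted from the log posted in the thread; the baselines
below are this example's assumptions about a stock Windows XP install.
"""
import re
from typing import List, NamedTuple

SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\yoeecjes\huvqmjng.exe
BHO: Internet Explorer Plugin: {0cb59d0c-4a96-4fc5-b8bd-29af4a0ee3e2} - gvqrn4.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mASetup: {3C4FFAAE-04BA-494A-9099-D1C744272AAD} - rundll32 gvqrn4.dll,laspi
============= SERVICES / DRIVERS ===============
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-10 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-26 135664]
=============== File Associations ===============
regfile="regedit.exe" "%1"
"""

# Baselines (assumptions for this example): what a stock XP box should show.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe",
                     r"%systemroot%\system32\userinit.exe"}
STANDARD_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                           "localservice", "imgsvc", "httpfilter", "termsvcs"}
EXPECTED_REGFILE = 'regedit.exe "%1"'

SERVICE_LINE = re.compile(r"^[RS]\d\s")                       # R2 name;desc;path
SVCHOST_GROUP = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.IGNORECASE)


class Finding(NamedTuple):
    section: str
    line: str
    reason: str


def triage_dds(text: str) -> List[Finding]:
    """Return one Finding per line that deviates from the baselines above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue  # blank or section banner
        lower = line.lower()

        if lower.startswith("mwinlogon: userinit="):
            # Userinit is a comma-separated list; every entry runs at logon.
            value = line.split("=", 1)[1]
            for entry in (e.strip().lower() for e in value.split(",")):
                if entry and entry not in EXPECTED_USERINIT:
                    findings.append(Finding("Winlogon", line,
                                    f"extra Userinit entry {entry!r} runs at every logon"))

        elif line.startswith("BHO:"):
            # DDS prints 'BHO: name: {clsid} - path'; a bare filename means the
            # DLL is found via the loader search path, not an installed location.
            target = line.rsplit(" - ", 1)[-1].strip()
            if "\\" not in target:
                findings.append(Finding("BHO", line,
                                f"BHO loaded by bare filename {target!r}"))

        elif lower.startswith("masetup:"):
            command = line.rsplit(" - ", 1)[-1].lower()
            if "rundll32" in command:
                findings.append(Finding("ActiveSetup", line,
                                "Active Setup entry executes a DLL via rundll32 at logon"))

        elif SERVICE_LINE.match(line):
            m = SVCHOST_GROUP.search(line)
            if m and m.group(1).lower() not in STANDARD_SVCHOST_GROUPS:
                findings.append(Finding("Service", line,
                                f"svchost group {m.group(1)!r} is not a standard XP group; "
                                "verify the hosting service"))

        elif lower.startswith("regfile="):
            value = line.split("=", 1)[1]
            if value.lower() != EXPECTED_REGFILE:
                findings.append(Finding("FileAssoc", line,
                                f"regfile open command {value!r} differs from {EXPECTED_REGFILE!r}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The Akamai group is reported too: the check flags anything outside the baseline for a human to verify, which is the right bias for a box with no resident AV.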

shelf life
2011-04-06, 02:59
After you ran Malwarebytes did you reboot your computer?

"When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*"

I don't see a resident antivirus. Do you have an updated AV installed on your machine?

Hastify
2011-04-06, 17:30
That's right. I do not have any AV.

I removed the selected and restarted my computer. As of yet, nothing seems to have changed. Is this expected?

Thanks.

shelf life
2011-04-06, 23:07
You need to get an AV app installed. These below are free or have free versions. Download, install, update and do a full scan with one of them:
How long have you been without AV? It's probably a good idea to use this computer as little as possible until we are sure it's clean.

Avast (http://www.avast.com/free-antivirus-download)
MS security essentials (http://www.microsoft.com/en-us/security_essentials/default.aspx)
Avira (http://www.avira.com/en/for-home)


"I removed the selected and restarted my computer. As of yet, nothing seems to have changed. Is this expected?"
Are you still getting re-directed?
If the malware was successfully removed by Malwarebytes the first time and you reran Malwarebytes, the same items shouldn't show up again after the scan is done. Re-run Malwarebytes after you check for updates, then do a full scan again. The results should be different or empty.

We will also get another download to use. There is a guide to read first, read through the guide then apply the directions on your own machine. Post the combofix log.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

So:
Install and scan with AV
Re-run Malwarebytes and check the results
Read the ComboFix guide, then download and run ComboFix

Hastify
2011-04-09, 00:04
I have been without AV for about a month.

I am still getting redirected, yes. It seems Malwarebytes hasn't changed much, and I have also tried Hitman Pro, but that has the same results, it seems.

Here is the ComboFix log you requested:

ComboFix 11-04-08.01 - User 09/04/2011 22:39:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.552 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Cfix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Local Settings\Temporary Internet Files\bmp2CE.tmp
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Internet Explorer\IEXPLOREmgr.exe
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\klgd.bmp
c:\windows\system32\lpe.txt
c:\windows\system32\qks.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
.
.
2011-04-09 21:20 . 2011-04-09 21:20 -------- d-----w- c:\program files\yoeecjes
2011-04-09 20:56 . 2011-04-09 21:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-09 20:56 . 2011-04-09 20:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-09 20:56 . 2011-04-09 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-04 21:08 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 21:08 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-01 17:42 . 2011-04-01 19:41 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-01 17:42 . 2011-04-01 19:41 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-03-29 17:25 . 2011-03-29 17:25 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Deployment
2011-03-27 01:08 . 2011-03-27 01:08 -------- d-sh--w- c:\documents and settings\KK\IECompatCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 17:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 17:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2010-02-26 11:58 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-02-26 11:58 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2010-06-02 04:22 . 2010-06-02 04:22 89944 ----a-w- c:\program files\DSETUP.dll
2010-06-02 04:22 . 2010-06-02 04:22 537432 ----a-w- c:\program files\DXSETUP.exe
2010-06-02 04:22 . 2010-06-02 04:22 1801048 ----a-w- c:\program files\dsetup32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-26 39408]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-26 135664]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-03-05 323392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-27 7561216]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58859:TCP"= 58859:TCP:Pando Media Booster
"58859:UDP"= 58859:UDP:Pando Media Booster
"5999:TCP"= 5999:TCP:spport
"8562:TCP"= 8562:TCP:spport
"12819:TCP"= 12819:TCP:spport
"25417:TCP"= 25417:TCP:spport
"21058:TCP"= 21058:TCP:spport
"27995:TCP"= 27995:TCP:spport
"5195:TCP"= 5195:TCP:spport
"29997:TCP"= 29997:TCP:spport
"28562:TCP"= 28562:TCP:spport
"13059:TCP"= 13059:TCP:spport
"13507:TCP"= 13507:TCP:spport
"10563:TCP"= 10563:TCP:spport
"25441:TCP"= 25441:TCP:spport
"17679:TCP"= 17679:TCP:spport
"29155:TCP"= 29155:TCP:spport
"20909:TCP"= 20909:TCP:spport
"13433:TCP"= 13433:TCP:spport
"20846:TCP"= 20846:TCP:spport
"9239:TCP"= 9239:TCP:spport
"11116:TCP"= 11116:TCP:spport
"22694:TCP"= 22694:TCP:spport
"20990:TCP"= 20990:TCP:spport
"5869:TCP"= 5869:TCP:spport
"24683:TCP"= 24683:TCP:spport
"8216:TCP"= 8216:TCP:spport
"5194:TCP"= 5194:TCP:spport
"8704:TCP"= 8704:TCP:spport
"5035:TCP"= 5035:TCP:spport
"22346:TCP"= 22346:TCP:spport
"16172:TCP"= 16172:TCP:spport
"15574:TCP"= 15574:TCP:spport
"18529:TCP"= 18529:TCP:spport
"27291:TCP"= 27291:TCP:spport
"21618:TCP"= 21618:TCP:spport
"29012:TCP"= 29012:TCP:spport
"26198:TCP"= 26198:TCP:spport
"7229:TCP"= 7229:TCP:spport
"11424:TCP"= 11424:TCP:spport
"27445:TCP"= 27445:TCP:spport
"13134:TCP"= 13134:TCP:spport
"6308:TCP"= 6308:TCP:spport
"18882:TCP"= 18882:TCP:spport
"12432:TCP"= 12432:TCP:spport
"12680:TCP"= 12680:TCP:spport
"8616:TCP"= 8616:TCP:spport
"7871:TCP"= 7871:TCP:spport
"29709:TCP"= 29709:TCP:spport
"7674:TCP"= 7674:TCP:spport
"6436:TCP"= 6436:TCP:spport
"27284:TCP"= 27284:TCP:spport
"23024:TCP"= 23024:TCP:spport
"10484:TCP"= 10484:TCP:spport
"17685:TCP"= 17685:TCP:spport
"13607:TCP"= 13607:TCP:spport
"7536:TCP"= 7536:TCP:spport
"19491:TCP"= 19491:TCP:spport
"27989:TCP"= 27989:TCP:spport
"28319:TCP"= 28319:TCP:spport
"6263:TCP"= 6263:TCP:spport
"14710:TCP"= 14710:TCP:spport
"12462:TCP"= 12462:TCP:spport
"12969:TCP"= 12969:TCP:spport
"27448:TCP"= 27448:TCP:spport
"8235:TCP"= 8235:TCP:spport
"7797:TCP"= 7797:TCP:spport
"11819:TCP"= 11819:TCP:spport
"7133:TCP"= 7133:TCP:spport
"25617:TCP"= 25617:TCP:spport
"26215:TCP"= 26215:TCP:spport
"18553:TCP"= 18553:TCP:spport
"6163:TCP"= 6163:TCP:spport
"27647:TCP"= 27647:TCP:spport
"11022:TCP"= 11022:TCP:spport
"23908:TCP"= 23908:TCP:spport
"29434:TCP"= 29434:TCP:spport
"17794:TCP"= 17794:TCP:spport
"26381:TCP"= 26381:TCP:spport
"26511:TCP"= 26511:TCP:spport
"26494:TCP"= 26494:TCP:spport
"22845:TCP"= 22845:TCP:spport
"16513:TCP"= 16513:TCP:spport
"6877:TCP"= 6877:TCP:spport
"19389:TCP"= 19389:TCP:spport
"27675:TCP"= 27675:TCP:spport
"18773:TCP"= 18773:TCP:spport
"23791:TCP"= 23791:TCP:spport
"8144:TCP"= 8144:TCP:spport
"12068:TCP"= 12068:TCP:spport
"16651:TCP"= 16651:TCP:spport
"12666:TCP"= 12666:TCP:spport
"29930:TCP"= 29930:TCP:spport
"22213:TCP"= 22213:TCP:spport
"5493:TCP"= 5493:TCP:spport
"5713:TCP"= 5713:TCP:spport
"20743:TCP"= 20743:TCP:spport
"27340:TCP"= 27340:TCP:spport
"21621:TCP"= 21621:TCP:spport
"20314:TCP"= 20314:TCP:spport
"10790:TCP"= 10790:TCP:spport
"13497:TCP"= 13497:TCP:spport
"23469:TCP"= 23469:TCP:spport
"22537:TCP"= 22537:TCP:spport
"10894:TCP"= 10894:TCP:spport
"29977:TCP"= 29977:TCP:spport
"21930:TCP"= 21930:TCP:spport
"29051:TCP"= 29051:TCP:spport
"23231:TCP"= 23231:TCP:spport
"17186:TCP"= 17186:TCP:spport
"28014:TCP"= 28014:TCP:spport
"25535:TCP"= 25535:TCP:spport
"12833:TCP"= 12833:TCP:spport
"16301:TCP"= 16301:TCP:spport
"8843:TCP"= 8843:TCP:spport
"6989:TCP"= 6989:TCP:spport
"14627:TCP"= 14627:TCP:spport
"19375:TCP"= 19375:TCP:spport
"5347:TCP"= 5347:TCP:spport
"9168:TCP"= 9168:TCP:spport
"21469:TCP"= 21469:TCP:spport
"16190:TCP"= 16190:TCP:spport
"27366:TCP"= 27366:TCP:spport
"25189:TCP"= 25189:TCP:spport
"13418:TCP"= 13418:TCP:spport
"24509:TCP"= 24509:TCP:spport
"8211:TCP"= 8211:TCP:spport
"6444:TCP"= 6444:TCP:spport
"28903:TCP"= 28903:TCP:spport
"23250:TCP"= 23250:TCP:spport
"7086:TCP"= 7086:TCP:spport
"8561:TCP"= 8561:TCP:spport
"16612:TCP"= 16612:TCP:spport
"25271:TCP"= 25271:TCP:spport
"24603:TCP"= 24603:TCP:spport
"20077:TCP"= 20077:TCP:spport
"24969:TCP"= 24969:TCP:spport
"7204:TCP"= 7204:TCP:spport
"23382:TCP"= 23382:TCP:spport
"25385:TCP"= 25385:TCP:spport
"20451:TCP"= 20451:TCP:spport
"18734:TCP"= 18734:TCP:spport
"10941:TCP"= 10941:TCP:spport
"25504:TCP"= 25504:TCP:spport
"29292:TCP"= 29292:TCP:spport
"15855:TCP"= 15855:TCP:spport
"26189:TCP"= 26189:TCP:spport
"26775:TCP"= 26775:TCP:spport
"15154:TCP"= 15154:TCP:spport
"10486:TCP"= 10486:TCP:spport
"27146:TCP"= 27146:TCP:spport
"27384:TCP"= 27384:TCP:spport
"9551:TCP"= 9551:TCP:spport
"28516:TCP"= 28516:TCP:spport
"9241:TCP"= 9241:TCP:spport
"24107:TCP"= 24107:TCP:spport
"7783:TCP"= 7783:TCP:spport
"26653:TCP"= 26653:TCP:spport
"26010:TCP"= 26010:TCP:spport
"10129:TCP"= 10129:TCP:spport
"12619:TCP"= 12619:TCP:spport
"11960:TCP"= 11960:TCP:spport
"10458:TCP"= 10458:TCP:spport
"28462:TCP"= 28462:TCP:spport
"27884:TCP"= 27884:TCP:spport
"22776:TCP"= 22776:TCP:spport
"17559:TCP"= 17559:TCP:spport
"7848:TCP"= 7848:TCP:spport
"25230:TCP"= 25230:TCP:spport
"27033:TCP"= 27033:TCP:spport
"21615:TCP"= 21615:TCP:spport
"24579:TCP"= 24579:TCP:spport
"6548:TCP"= 6548:TCP:spport
"13666:TCP"= 13666:TCP:spport
"29128:TCP"= 29128:TCP:spport
"29225:TCP"= 29225:TCP:spport
"10449:TCP"= 10449:TCP:spport
"9622:TCP"= 9622:TCP:spport
"16202:TCP"= 16202:TCP:spport
"29486:TCP"= 29486:TCP:spport
"13348:TCP"= 13348:TCP:spport
"10803:TCP"= 10803:TCP:spport
"11881:TCP"= 11881:TCP:spport
"17663:TCP"= 17663:TCP:spport
"13534:TCP"= 13534:TCP:spport
"16691:TCP"= 16691:TCP:spport
"17112:TCP"= 17112:TCP:spport
"25967:TCP"= 25967:TCP:spport
"28881:TCP"= 28881:TCP:spport
"18578:TCP"= 18578:TCP:spport
"19506:TCP"= 19506:TCP:spport
"12842:TCP"= 12842:TCP:spport
"13761:TCP"= 13761:TCP:spport
"15477:TCP"= 15477:TCP:spport
"8948:TCP"= 8948:TCP:spport
"19301:TCP"= 19301:TCP:spport
"21929:TCP"= 21929:TCP:spport
"29098:TCP"= 29098:TCP:spport
"16121:TCP"= 16121:TCP:spport
"27532:TCP"= 27532:TCP:spport
"7594:TCP"= 7594:TCP:spport
"15809:TCP"= 15809:TCP:spport
"11724:TCP"= 11724:TCP:spport
"28589:TCP"= 28589:TCP:spport
"26463:TCP"= 26463:TCP:spport
"9516:TCP"= 9516:TCP:spport
"7259:TCP"= 7259:TCP:spport
"6773:TCP"= 6773:TCP:spport
"22330:TCP"= 22330:TCP:spport
"6454:TCP"= 6454:TCP:spport
"20214:TCP"= 20214:TCP:spport
"11018:TCP"= 11018:TCP:spport
"25427:TCP"= 25427:TCP:spport
"8904:TCP"= 8904:TCP:spport
"8347:TCP"= 8347:TCP:spport
"13192:TCP"= 13192:TCP:spport
"19974:TCP"= 19974:TCP:spport
"27344:TCP"= 27344:TCP:spport
"18525:TCP"= 18525:TCP:spport
"13088:TCP"= 13088:TCP:spport
"21475:TCP"= 21475:TCP:spport
"25835:TCP"= 25835:TCP:spport
"12725:TCP"= 12725:TCP:spport
"27904:TCP"= 27904:TCP:spport
"6767:TCP"= 6767:TCP:spport
"14717:TCP"= 14717:TCP:spport
"6387:TCP"= 6387:TCP:spport
"28106:TCP"= 28106:TCP:spport
"22645:TCP"= 22645:TCP:spport
"15306:TCP"= 15306:TCP:spport
"18013:TCP"= 18013:TCP:spport
"19363:TCP"= 19363:TCP:spport
"8872:TCP"= 8872:TCP:spport
"18837:TCP"= 18837:TCP:spport
"29687:TCP"= 29687:TCP:spport
"29920:TCP"= 29920:TCP:spport
"20354:TCP"= 20354:TCP:spport
"28158:TCP"= 28158:TCP:spport
"27805:TCP"= 27805:TCP:spport
"18615:TCP"= 18615:TCP:spport
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"11457:TCP"= 11457:TCP:spport
"27047:TCP"= 27047:TCP:spport
"15468:TCP"= 15468:TCP:spport
"24178:TCP"= 24178:TCP:spport
"23769:TCP"= 23769:TCP:spport
"28085:TCP"= 28085:TCP:spport
"22729:TCP"= 22729:TCP:spport
"8263:TCP"= 8263:TCP:spport
"18334:TCP"= 18334:TCP:spport
"14499:TCP"= 14499:TCP:spport
"15181:TCP"= 15181:TCP:spport
"15918:TCP"= 15918:TCP:spport
"9975:TCP"= 9975:TCP:spport
"8537:TCP"= 8537:TCP:spport
"10962:TCP"= 10962:TCP:spport
"15357:TCP"= 15357:TCP:spport
"5972:TCP"= 5972:TCP:spport
"21380:TCP"= 21380:TCP:spport
"18136:TCP"= 18136:TCP:spport
"12792:TCP"= 12792:TCP:spport
"19789:TCP"= 19789:TCP:spport
"16958:TCP"= 16958:TCP:spport
"7798:TCP"= 7798:TCP:spport
"21918:TCP"= 21918:TCP:spport
"9768:TCP"= 9768:TCP:spport
"12557:TCP"= 12557:TCP:spport
"12780:TCP"= 12780:TCP:spport
"11090:TCP"= 11090:TCP:spport
"9546:TCP"= 9546:TCP:spport
"17289:TCP"= 17289:TCP:spport
"10958:TCP"= 10958:TCP:spport
"12776:TCP"= 12776:TCP:spport
"19900:TCP"= 19900:TCP:spport
"21490:TCP"= 21490:TCP:spport
"20459:TCP"= 20459:TCP:spport
"7109:TCP"= 7109:TCP:spport
"26962:TCP"= 26962:TCP:spport
"25636:TCP"= 25636:TCP:spport
"17902:TCP"= 17902:TCP:spport
"20853:TCP"= 20853:TCP:spport
"8500:TCP"= 8500:TCP:spport
"7150:TCP"= 7150:TCP:spport
"17498:TCP"= 17498:TCP:spport
"6287:TCP"= 6287:TCP:spport
"6078:TCP"= 6078:TCP:spport
"15719:TCP"= 15719:TCP:spport
"20286:TCP"= 20286:TCP:spport
"9441:TCP"= 9441:TCP:spport
"23985:TCP"= 23985:TCP:spport
"16741:TCP"= 16741:TCP:spport
"21097:TCP"= 21097:TCP:spport
"24297:TCP"= 24297:TCP:spport
"26331:TCP"= 26331:TCP:spport
"22803:TCP"= 22803:TCP:spport
"10550:TCP"= 10550:TCP:spport
"18757:TCP"= 18757:TCP:spport
"25030:TCP"= 25030:TCP:spport
"17817:TCP"= 17817:TCP:spport
"7699:TCP"= 7699:TCP:spport
"29746:TCP"= 29746:TCP:spport
"7656:TCP"= 7656:TCP:spport
"6664:TCP"= 6664:TCP:spport
"29061:TCP"= 29061:TCP:spport
"7988:TCP"= 7988:TCP:spport
"8955:TCP"= 8955:TCP:spport
"26578:TCP"= 26578:TCP:spport
"5164:TCP"= 5164:TCP:spport
"26228:TCP"= 26228:TCP:spport
"27680:TCP"= 27680:TCP:spport
"28963:TCP"= 28963:TCP:spport
"8604:TCP"= 8604:TCP:spport
"20881:TCP"= 20881:TCP:spport
"12369:TCP"= 12369:TCP:spport
"7123:TCP"= 7123:TCP:spport
"22671:TCP"= 22671:TCP:spport
"28325:TCP"= 28325:TCP:spport
"8679:TCP"= 8679:TCP:spport
"11131:TCP"= 11131:TCP:spport
"28952:TCP"= 28952:TCP:spport
"10712:TCP"= 10712:TCP:spport
"12927:TCP"= 12927:TCP:spport
"5356:TCP"= 5356:TCP:spport
"5608:TCP"= 5608:TCP:spport
"9802:TCP"= 9802:TCP:spport
"26270:TCP"= 26270:TCP:spport
"20754:TCP"= 20754:TCP:spport
"19331:TCP"= 19331:TCP:spport
"20763:TCP"= 20763:TCP:spport
"27248:TCP"= 27248:TCP:spport
"26180:TCP"= 26180:TCP:spport
"27084:TCP"= 27084:TCP:spport
"15790:TCP"= 15790:TCP:spport
"16145:TCP"= 16145:TCP:spport
"21310:TCP"= 21310:TCP:spport
"6597:TCP"= 6597:TCP:spport
"20032:TCP"= 20032:TCP:spport
"22009:TCP"= 22009:TCP:spport
"20566:TCP"= 20566:TCP:spport
"13222:TCP"= 13222:TCP:spport
"17203:TCP"= 17203:TCP:spport
"16024:TCP"= 16024:TCP:spport
"17352:TCP"= 17352:TCP:spport
"10974:TCP"= 10974:TCP:spport
"17411:TCP"= 17411:TCP:spport
"10112:TCP"= 10112:TCP:spport
"5241:TCP"= 5241:TCP:spport
"26776:TCP"= 26776:TCP:spport
"19095:TCP"= 19095:TCP:spport
"6685:TCP"= 6685:TCP:spport
"8825:TCP"= 8825:TCP:spport
"18064:TCP"= 18064:TCP:spport
"26518:TCP"= 26518:TCP:spport
"12155:TCP"= 12155:TCP:spport
"29663:TCP"= 29663:TCP:spport
"12837:TCP"= 12837:TCP:spport
"1730:TCP"= 1730:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [28/04/2010 19:01 33824]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 13:00 14336]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [28/01/2011 18:10 387072]
R2 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [26/01/2011 17:29 1175556]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [07/04/2010 01:56 20968]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [09/04/2011 21:56 16968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [26/02/2010 13:45 808448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/02/2010 18:41 135664]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [26/02/2010 13:35 32384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [14/11/2007 20:40 34448]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 14:37 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO35
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-02-28 c:\windows\Tasks\broadcamShakeIcon.job
- c:\program files\NCH Software\BroadCam\broadcam.exe [2011-01-26 16:29]
.
2011-04-09 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-01-26 16:27]
.
2011-04-01 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-29 19:14]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006Core.job
- c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006UA.job
- c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
.
2011-04-09 c:\windows\Tasks\Norton Security Scan for KK.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-11 10:06]
.
2011-04-09 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 22:44]
.
2010-12-21 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
.
2010-12-21 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
.
2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{D56C9F74-29EA-4B9F-9DBE-3F18F45461D5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
2011-02-26 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
.
2011-03-22 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ywwca10i.default\
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE
SafeBoot-klmdb.sys
AddRemove-MSN Sniffer 2 - c:\progra~1\MSNSNI~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-09 22:47
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\User\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-09 22:49:34
ComboFix-quarantined-files.txt 2011-04-09 21:49
.
Pre-Run: 26,036,400,128 bytes free
Post-Run: 29,989,081,088 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8BD7B3F57C74069D2291187E040FBF68

Thanks a lot.

shelf life
2011-04-09, 00:41
Until it's clean you should use this computer as little as possible, and when not in use it should have no connectivity. If you're not sure how to stop the connectivity then I would power it off.


Pretty sure you have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.

The best source for information on how to do this would be the computer manufacturers website.

To clean up the machine with current utilities proceed as follows:
-------------------------------
I know you ran tdsskiller once, delete that icon and get a new copy. Post the log even if it finds nothing:

1) Please download TDSS Killer.exe and save it to your desktop

TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)

Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."
"A reboot might be required after disinfection."
A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)
Please post the log report

2) Please download aswMBR to your desktop.

http://public.avast.com/~gmerek/aswMBR.exe

* Double click the aswMBR icon to run it. A window will open
* Click the SCAN button to start the scan. When it's done it will say: "scan finished successfully"
* Next press the SAVE LOG button, save the logfile to your desktop and post its contents in your next reply. Click the EXIT button to close.

Did you get Antivirus yet?

After you run the two utilities above you can use combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



File::
c:\documents and settings\User\Start Menu\Programs\Startup\huvqmjng.exe


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log as well as the two logs from above.
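A defender-side triage helper for the ComboFix log format seen in this thread, added here as an example; it is not part of the thread, of ComboFix or of catchme. It parses a constructed excerpt modelled on the posted log and pulls out the three things a helper looks for by hand: bulk firewall GloballyOpenPorts exceptions sharing one label, executables catchme reports as hidden (and whether any sit in a Startup folder), and the NTDLL functions catchme found modified. The section names and line layouts are taken from the log above; the threshold for "bulk" is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the ComboFix log posted in this thread
# (section headers and line formats copied from it, entries trimmed).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5999:TCP"= 5999:TCP:spport
"8562:TCP"= 8562:TCP:spport
"12819:TCP"= 12819:TCP:spport
"25417:TCP"= 25417:TCP:spport
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"1730:TCP"= 1730:TCP:Akamai NetSession Interface
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-09 22:47
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden files ...
.
c:\documents and settings\User\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
.
scan completed successfully
hidden files: 1
"""

# One firewall exception line:  "5999:TCP"= 5999:TCP:spport
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# One catchme hidden-file line:  <path> <size> bytes executable
HIDDEN_RE = re.compile(r'^([A-Za-z]:\\.*?) (\d+) bytes executable$')
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def parse_open_ports(text):
    """Return (port, proto, label) for every GloballyOpenPorts entry in the log."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def bulk_port_labels(entries, threshold=3):
    """Labels that own at least `threshold` exceptions (threshold is an assumption).

    A legitimate installer opens one or a few ports under a readable name;
    hundreds of high ports under a single meaningless label, as in the posted
    log, is something to ask the user about.
    """
    counts = Counter(label for _, _, label in entries)
    return {label: n for label, n in counts.items() if n >= threshold}


def parse_ntdll_modifications(text):
    """Function names catchme listed under 'detected NTDLL code modification:'.

    ZwQueryDirectoryFile is the directory-listing call; patching it is the
    classic way a rootkit keeps a file out of Explorer and scanner results,
    which is why catchme reports it next to the hidden-file count.
    """
    mods, collecting = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("detected NTDLL code modification"):
            collecting = True
            continue
        if collecting:
            if line in ("", "."):
                break
            mods.append(line)
    return mods


def parse_hidden_files(text):
    """(path, size) for each file catchme reported as hidden."""
    found = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def in_startup_folder(path):
    """True when the path lives in a per-user or All Users Startup folder."""
    return STARTUP_MARKER in path.lower()


def triage(text):
    """Summarise the indicators a helper would act on from one ComboFix log."""
    ports = parse_open_ports(text)
    hidden = parse_hidden_files(text)
    return {
        "open_port_entries": len(ports),
        "bulk_port_labels": bulk_port_labels(ports),
        "ntdll_hooks": parse_ntdll_modifications(text),
        "hidden_files": hidden,
        "hidden_autostart": [p for p, _ in hidden if in_startup_folder(p)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full saved ComboFix log by reading the file into `triage()`; the hidden-autostart path it returns is the same one shelf life put under `File::` in the CFScript above.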

Hastify
2011-04-09, 20:26
TDSSKiller found nothing.

Here is the ComboFix / CFScript log:

ComboFix 11-04-08.03 - KK 10/04/2011 18:14:25.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.565 [GMT 1:00]
Running from: c:\documents and settings\KK\Desktop\ComboFixx.exe
Command switches used :: c:\documents and settings\KK\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\IEXPLOREmgr.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
.
.
2011-04-10 14:45 . 2011-04-10 14:45 -------- d-----w- c:\program files\Microsoft
2011-04-09 21:20 . 2011-04-10 16:53 -------- d-----w- c:\program files\yoeecjes
2011-04-09 20:56 . 2011-04-09 21:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-09 20:56 . 2011-04-09 20:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-09 20:56 . 2011-04-09 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-04 21:08 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 21:08 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-01 17:42 . 2011-04-01 19:41 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-01 17:42 . 2011-04-01 19:41 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-03-27 01:08 . 2011-03-27 01:08 -------- d-sh--w- c:\documents and settings\KK\IECompatCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 17:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 17:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2010-02-26 11:58 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-02-26 11:58 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2010-06-02 04:22 . 2010-06-02 04:22 89944 ----a-w- c:\program files\DSETUP.dll
2010-06-02 04:22 . 2010-06-02 04:22 537432 ----a-w- c:\program files\DXSETUP.exe
2010-06-02 04:22 . 2010-06-02 04:22 1801048 ----a-w- c:\program files\dsetup32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-09_21.47.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-10 16:55 . 2011-04-10 16:55 16384 c:\windows\Temp\Perflib_Perfdata_7f8.dat
+ 2011-04-10 16:55 . 2011-04-10 16:55 16384 c:\windows\Temp\Perflib_Perfdata_224.dat
+ 2010-04-16 21:12 . 2010-04-16 21:12 48464 c:\windows\system32\sirenacm.dll
+ 2011-04-10 14:44 . 2011-04-10 14:44 27136 c:\windows\Installer\6f373.msi
+ 2011-04-10 14:44 . 2011-04-10 14:44 83456 c:\windows\Installer\6f369.msi
+ 2011-04-10 14:44 . 2011-04-10 14:44 58880 c:\windows\Installer\6f364.msi
+ 2011-04-10 14:44 . 2011-04-10 14:44 61272 c:\windows\Installer\{E6158D07-2637-4ECF-B576-37C489669174}\IconWlc.exe
+ 2011-04-10 14:45 . 2011-04-10 14:45 80395 c:\windows\Installer\{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}\MsblIco.Exe
+ 2011-04-10 14:45 . 2011-04-10 14:45 429056 c:\windows\Installer\6f37e.msi
+ 2011-04-10 14:45 . 2011-04-10 14:45 155648 c:\windows\Installer\6f378.msi
+ 2011-04-10 14:44 . 2011-04-10 14:44 149504 c:\windows\Installer\6f36e.msi
+ 2011-04-10 14:44 . 2011-04-10 14:44 107008 c:\windows\Installer\6f35f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-26 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Google Update"="c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-19 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-27 7561216]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58859:TCP"= 58859:TCP:Pando Media Booster
"58859:UDP"= 58859:UDP:Pando Media Booster
"5999:TCP"= 5999:TCP:spport
"8562:TCP"= 8562:TCP:spport
"12819:TCP"= 12819:TCP:spport
"25417:TCP"= 25417:TCP:spport
"21058:TCP"= 21058:TCP:spport
"27995:TCP"= 27995:TCP:spport
"5195:TCP"= 5195:TCP:spport
"29997:TCP"= 29997:TCP:spport
"28562:TCP"= 28562:TCP:spport
"13059:TCP"= 13059:TCP:spport
"13507:TCP"= 13507:TCP:spport
"10563:TCP"= 10563:TCP:spport
"25441:TCP"= 25441:TCP:spport
"17679:TCP"= 17679:TCP:spport
"29155:TCP"= 29155:TCP:spport
"20909:TCP"= 20909:TCP:spport
"13433:TCP"= 13433:TCP:spport
"20846:TCP"= 20846:TCP:spport
"9239:TCP"= 9239:TCP:spport
"11116:TCP"= 11116:TCP:spport
"22694:TCP"= 22694:TCP:spport
"20990:TCP"= 20990:TCP:spport
"5869:TCP"= 5869:TCP:spport
"24683:TCP"= 24683:TCP:spport
"8216:TCP"= 8216:TCP:spport
"5194:TCP"= 5194:TCP:spport
"8704:TCP"= 8704:TCP:spport
"5035:TCP"= 5035:TCP:spport
"22346:TCP"= 22346:TCP:spport
"16172:TCP"= 16172:TCP:spport
"15574:TCP"= 15574:TCP:spport
"18529:TCP"= 18529:TCP:spport
"27291:TCP"= 27291:TCP:spport
"21618:TCP"= 21618:TCP:spport
"29012:TCP"= 29012:TCP:spport
"26198:TCP"= 26198:TCP:spport
"7229:TCP"= 7229:TCP:spport
"11424:TCP"= 11424:TCP:spport
"27445:TCP"= 27445:TCP:spport
"13134:TCP"= 13134:TCP:spport
"6308:TCP"= 6308:TCP:spport
"18882:TCP"= 18882:TCP:spport
"12432:TCP"= 12432:TCP:spport
"12680:TCP"= 12680:TCP:spport
"8616:TCP"= 8616:TCP:spport
"7871:TCP"= 7871:TCP:spport
"29709:TCP"= 29709:TCP:spport
"7674:TCP"= 7674:TCP:spport
"6436:TCP"= 6436:TCP:spport
"27284:TCP"= 27284:TCP:spport
"23024:TCP"= 23024:TCP:spport
"10484:TCP"= 10484:TCP:spport
"17685:TCP"= 17685:TCP:spport
"13607:TCP"= 13607:TCP:spport
"7536:TCP"= 7536:TCP:spport
"19491:TCP"= 19491:TCP:spport
"27989:TCP"= 27989:TCP:spport
"28319:TCP"= 28319:TCP:spport
"6263:TCP"= 6263:TCP:spport
"14710:TCP"= 14710:TCP:spport
"12462:TCP"= 12462:TCP:spport
"12969:TCP"= 12969:TCP:spport
"27448:TCP"= 27448:TCP:spport
"8235:TCP"= 8235:TCP:spport
"7797:TCP"= 7797:TCP:spport
"11819:TCP"= 11819:TCP:spport
"7133:TCP"= 7133:TCP:spport
"25617:TCP"= 25617:TCP:spport
"26215:TCP"= 26215:TCP:spport
"18553:TCP"= 18553:TCP:spport
"6163:TCP"= 6163:TCP:spport
"27647:TCP"= 27647:TCP:spport
"11022:TCP"= 11022:TCP:spport
"23908:TCP"= 23908:TCP:spport
"29434:TCP"= 29434:TCP:spport
"17794:TCP"= 17794:TCP:spport
"26381:TCP"= 26381:TCP:spport
"26511:TCP"= 26511:TCP:spport
"26494:TCP"= 26494:TCP:spport
"22845:TCP"= 22845:TCP:spport
"16513:TCP"= 16513:TCP:spport
"6877:TCP"= 6877:TCP:spport
"19389:TCP"= 19389:TCP:spport
"27675:TCP"= 27675:TCP:spport
"18773:TCP"= 18773:TCP:spport
"23791:TCP"= 23791:TCP:spport
"8144:TCP"= 8144:TCP:spport
"12068:TCP"= 12068:TCP:spport
"16651:TCP"= 16651:TCP:spport
"12666:TCP"= 12666:TCP:spport
"29930:TCP"= 29930:TCP:spport
"22213:TCP"= 22213:TCP:spport
"5493:TCP"= 5493:TCP:spport
"5713:TCP"= 5713:TCP:spport
"20743:TCP"= 20743:TCP:spport
"27340:TCP"= 27340:TCP:spport
"21621:TCP"= 21621:TCP:spport
"20314:TCP"= 20314:TCP:spport
"10790:TCP"= 10790:TCP:spport
"13497:TCP"= 13497:TCP:spport
"23469:TCP"= 23469:TCP:spport
"22537:TCP"= 22537:TCP:spport
"10894:TCP"= 10894:TCP:spport
"29977:TCP"= 29977:TCP:spport
"21930:TCP"= 21930:TCP:spport
"29051:TCP"= 29051:TCP:spport
"23231:TCP"= 23231:TCP:spport
"17186:TCP"= 17186:TCP:spport
"28014:TCP"= 28014:TCP:spport
"25535:TCP"= 25535:TCP:spport
"12833:TCP"= 12833:TCP:spport
"16301:TCP"= 16301:TCP:spport
"8843:TCP"= 8843:TCP:spport
"6989:TCP"= 6989:TCP:spport
"14627:TCP"= 14627:TCP:spport
"19375:TCP"= 19375:TCP:spport
"5347:TCP"= 5347:TCP:spport
"9168:TCP"= 9168:TCP:spport
"21469:TCP"= 21469:TCP:spport
"16190:TCP"= 16190:TCP:spport
"27366:TCP"= 27366:TCP:spport
"25189:TCP"= 25189:TCP:spport
"13418:TCP"= 13418:TCP:spport
"24509:TCP"= 24509:TCP:spport
"8211:TCP"= 8211:TCP:spport
"6444:TCP"= 6444:TCP:spport
"28903:TCP"= 28903:TCP:spport
"23250:TCP"= 23250:TCP:spport
"7086:TCP"= 7086:TCP:spport
"8561:TCP"= 8561:TCP:spport
"16612:TCP"= 16612:TCP:spport
"25271:TCP"= 25271:TCP:spport
"24603:TCP"= 24603:TCP:spport
"20077:TCP"= 20077:TCP:spport
"24969:TCP"= 24969:TCP:spport
"7204:TCP"= 7204:TCP:spport
"23382:TCP"= 23382:TCP:spport
"25385:TCP"= 25385:TCP:spport
"20451:TCP"= 20451:TCP:spport
"18734:TCP"= 18734:TCP:spport
"10941:TCP"= 10941:TCP:spport
"25504:TCP"= 25504:TCP:spport
"29292:TCP"= 29292:TCP:spport
"15855:TCP"= 15855:TCP:spport
"26189:TCP"= 26189:TCP:spport
"26775:TCP"= 26775:TCP:spport
"15154:TCP"= 15154:TCP:spport
"10486:TCP"= 10486:TCP:spport
"27146:TCP"= 27146:TCP:spport
"27384:TCP"= 27384:TCP:spport
"9551:TCP"= 9551:TCP:spport
"28516:TCP"= 28516:TCP:spport
"9241:TCP"= 9241:TCP:spport
"24107:TCP"= 24107:TCP:spport
"7783:TCP"= 7783:TCP:spport
"26653:TCP"= 26653:TCP:spport
"26010:TCP"= 26010:TCP:spport
"10129:TCP"= 10129:TCP:spport
"12619:TCP"= 12619:TCP:spport
"11960:TCP"= 11960:TCP:spport
"10458:TCP"= 10458:TCP:spport
"28462:TCP"= 28462:TCP:spport
"27884:TCP"= 27884:TCP:spport
"22776:TCP"= 22776:TCP:spport
"17559:TCP"= 17559:TCP:spport
"7848:TCP"= 7848:TCP:spport
"25230:TCP"= 25230:TCP:spport
"27033:TCP"= 27033:TCP:spport
"21615:TCP"= 21615:TCP:spport
"24579:TCP"= 24579:TCP:spport
"6548:TCP"= 6548:TCP:spport
"13666:TCP"= 13666:TCP:spport
"29128:TCP"= 29128:TCP:spport
"29225:TCP"= 29225:TCP:spport
"10449:TCP"= 10449:TCP:spport
"9622:TCP"= 9622:TCP:spport
"16202:TCP"= 16202:TCP:spport
"29486:TCP"= 29486:TCP:spport
"13348:TCP"= 13348:TCP:spport
"10803:TCP"= 10803:TCP:spport
"11881:TCP"= 11881:TCP:spport
"17663:TCP"= 17663:TCP:spport
"13534:TCP"= 13534:TCP:spport
"16691:TCP"= 16691:TCP:spport
"17112:TCP"= 17112:TCP:spport
"25967:TCP"= 25967:TCP:spport
"28881:TCP"= 28881:TCP:spport
"18578:TCP"= 18578:TCP:spport
"19506:TCP"= 19506:TCP:spport
"12842:TCP"= 12842:TCP:spport
"13761:TCP"= 13761:TCP:spport
"15477:TCP"= 15477:TCP:spport
"8948:TCP"= 8948:TCP:spport
"19301:TCP"= 19301:TCP:spport
"21929:TCP"= 21929:TCP:spport
"29098:TCP"= 29098:TCP:spport
"16121:TCP"= 16121:TCP:spport
"27532:TCP"= 27532:TCP:spport
"7594:TCP"= 7594:TCP:spport
"15809:TCP"= 15809:TCP:spport
"11724:TCP"= 11724:TCP:spport
"28589:TCP"= 28589:TCP:spport
"26463:TCP"= 26463:TCP:spport
"9516:TCP"= 9516:TCP:spport
"7259:TCP"= 7259:TCP:spport
"6773:TCP"= 6773:TCP:spport
"22330:TCP"= 22330:TCP:spport
"6454:TCP"= 6454:TCP:spport
"20214:TCP"= 20214:TCP:spport
"11018:TCP"= 11018:TCP:spport
"25427:TCP"= 25427:TCP:spport
"8904:TCP"= 8904:TCP:spport
"8347:TCP"= 8347:TCP:spport
"13192:TCP"= 13192:TCP:spport
"19974:TCP"= 19974:TCP:spport
"27344:TCP"= 27344:TCP:spport
"18525:TCP"= 18525:TCP:spport
"13088:TCP"= 13088:TCP:spport
"21475:TCP"= 21475:TCP:spport
"25835:TCP"= 25835:TCP:spport
"12725:TCP"= 12725:TCP:spport
"27904:TCP"= 27904:TCP:spport
"6767:TCP"= 6767:TCP:spport
"14717:TCP"= 14717:TCP:spport
"6387:TCP"= 6387:TCP:spport
"28106:TCP"= 28106:TCP:spport
"22645:TCP"= 22645:TCP:spport
"15306:TCP"= 15306:TCP:spport
"18013:TCP"= 18013:TCP:spport
"19363:TCP"= 19363:TCP:spport
"8872:TCP"= 8872:TCP:spport
"18837:TCP"= 18837:TCP:spport
"29687:TCP"= 29687:TCP:spport
"29920:TCP"= 29920:TCP:spport
"20354:TCP"= 20354:TCP:spport
"28158:TCP"= 28158:TCP:spport
"27805:TCP"= 27805:TCP:spport
"18615:TCP"= 18615:TCP:spport
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"11457:TCP"= 11457:TCP:spport
"27047:TCP"= 27047:TCP:spport
"15468:TCP"= 15468:TCP:spport
"24178:TCP"= 24178:TCP:spport
"23769:TCP"= 23769:TCP:spport
"28085:TCP"= 28085:TCP:spport
"22729:TCP"= 22729:TCP:spport
"8263:TCP"= 8263:TCP:spport
"18334:TCP"= 18334:TCP:spport
"14499:TCP"= 14499:TCP:spport
"15181:TCP"= 15181:TCP:spport
"15918:TCP"= 15918:TCP:spport
"9975:TCP"= 9975:TCP:spport
"8537:TCP"= 8537:TCP:spport
"10962:TCP"= 10962:TCP:spport
"15357:TCP"= 15357:TCP:spport
"5972:TCP"= 5972:TCP:spport
"21380:TCP"= 21380:TCP:spport
"18136:TCP"= 18136:TCP:spport
"12792:TCP"= 12792:TCP:spport
"19789:TCP"= 19789:TCP:spport
"16958:TCP"= 16958:TCP:spport
"7798:TCP"= 7798:TCP:spport
"21918:TCP"= 21918:TCP:spport
"9768:TCP"= 9768:TCP:spport
"12557:TCP"= 12557:TCP:spport
"12780:TCP"= 12780:TCP:spport
"11090:TCP"= 11090:TCP:spport
"9546:TCP"= 9546:TCP:spport
"17289:TCP"= 17289:TCP:spport
"10958:TCP"= 10958:TCP:spport
"12776:TCP"= 12776:TCP:spport
"19900:TCP"= 19900:TCP:spport
"21490:TCP"= 21490:TCP:spport
"20459:TCP"= 20459:TCP:spport
"7109:TCP"= 7109:TCP:spport
"26962:TCP"= 26962:TCP:spport
"25636:TCP"= 25636:TCP:spport
"17902:TCP"= 17902:TCP:spport
"20853:TCP"= 20853:TCP:spport
"8500:TCP"= 8500:TCP:spport
"7150:TCP"= 7150:TCP:spport
"17498:TCP"= 17498:TCP:spport
"6287:TCP"= 6287:TCP:spport
"6078:TCP"= 6078:TCP:spport
"15719:TCP"= 15719:TCP:spport
"20286:TCP"= 20286:TCP:spport
"9441:TCP"= 9441:TCP:spport
"23985:TCP"= 23985:TCP:spport
"16741:TCP"= 16741:TCP:spport
"21097:TCP"= 21097:TCP:spport
"24297:TCP"= 24297:TCP:spport
"26331:TCP"= 26331:TCP:spport
"22803:TCP"= 22803:TCP:spport
"10550:TCP"= 10550:TCP:spport
"18757:TCP"= 18757:TCP:spport
"25030:TCP"= 25030:TCP:spport
"17817:TCP"= 17817:TCP:spport
"7699:TCP"= 7699:TCP:spport
"29746:TCP"= 29746:TCP:spport
"7656:TCP"= 7656:TCP:spport
"6664:TCP"= 6664:TCP:spport
"29061:TCP"= 29061:TCP:spport
"7988:TCP"= 7988:TCP:spport
"8955:TCP"= 8955:TCP:spport
"26578:TCP"= 26578:TCP:spport
"5164:TCP"= 5164:TCP:spport
"26228:TCP"= 26228:TCP:spport
"27680:TCP"= 27680:TCP:spport
"28963:TCP"= 28963:TCP:spport
"8604:TCP"= 8604:TCP:spport
"20881:TCP"= 20881:TCP:spport
"12369:TCP"= 12369:TCP:spport
"7123:TCP"= 7123:TCP:spport
"22671:TCP"= 22671:TCP:spport
"28325:TCP"= 28325:TCP:spport
"8679:TCP"= 8679:TCP:spport
"11131:TCP"= 11131:TCP:spport
"28952:TCP"= 28952:TCP:spport
"10712:TCP"= 10712:TCP:spport
"12927:TCP"= 12927:TCP:spport
"5356:TCP"= 5356:TCP:spport
"5608:TCP"= 5608:TCP:spport
"9802:TCP"= 9802:TCP:spport
"26270:TCP"= 26270:TCP:spport
"20754:TCP"= 20754:TCP:spport
"19331:TCP"= 19331:TCP:spport
"20763:TCP"= 20763:TCP:spport
"27248:TCP"= 27248:TCP:spport
"26180:TCP"= 26180:TCP:spport
"27084:TCP"= 27084:TCP:spport
"15790:TCP"= 15790:TCP:spport
"16145:TCP"= 16145:TCP:spport
"21310:TCP"= 21310:TCP:spport
"6597:TCP"= 6597:TCP:spport
"20032:TCP"= 20032:TCP:spport
"22009:TCP"= 22009:TCP:spport
"20566:TCP"= 20566:TCP:spport
"13222:TCP"= 13222:TCP:spport
"17203:TCP"= 17203:TCP:spport
"16024:TCP"= 16024:TCP:spport
"17352:TCP"= 17352:TCP:spport
"10974:TCP"= 10974:TCP:spport
"17411:TCP"= 17411:TCP:spport
"10112:TCP"= 10112:TCP:spport
"5241:TCP"= 5241:TCP:spport
"26776:TCP"= 26776:TCP:spport
"19095:TCP"= 19095:TCP:spport
"6685:TCP"= 6685:TCP:spport
"8825:TCP"= 8825:TCP:spport
"18064:TCP"= 18064:TCP:spport
"26518:TCP"= 26518:TCP:spport
"12155:TCP"= 12155:TCP:spport
"29663:TCP"= 29663:TCP:spport
"12837:TCP"= 12837:TCP:spport
"1371:TCP"= 1371:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [28/04/2010 19:01 33824]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 13:00 14336]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [28/01/2011 18:10 387072]
R2 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [26/01/2011 17:29 1175556]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [07/04/2010 01:56 20968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [26/02/2010 13:45 808448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/02/2010 18:41 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [09/04/2011 21:56 16968]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [26/02/2010 13:35 32384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [14/11/2007 20:40 34448]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 14:37 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-02-28 c:\windows\Tasks\broadcamShakeIcon.job
- c:\program files\NCH Software\BroadCam\broadcam.exe [2011-01-26 16:29]
.
2011-04-10 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-01-26 16:27]
.
2011-04-01 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-29 19:14]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006Core.job
- c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006UA.job
- c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
.
2011-04-09 c:\windows\Tasks\Norton Security Scan for KK.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-11 10:06]
.
2011-04-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 22:44]
.
2010-12-21 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
.
2010-12-21 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
.
2011-04-10 c:\windows\Tasks\User_Feed_Synchronization-{D56C9F74-29EA-4B9F-9DBE-3F18F45461D5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
2011-02-26 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
.
2011-03-22 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\KK\Application Data\Mozilla\Firefox\Profiles\ncyirpo3.default\
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-10 18:19
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\KK\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-10 18:21:06
ComboFix-quarantined-files.txt 2011-04-10 17:21
ComboFix2.txt 2011-04-10 16:51
ComboFix3.txt 2011-04-09 21:49
.
Pre-Run: 29,752,225,792 bytes free
Post-Run: 29,752,573,952 bytes free
.
- - End Of File - - C4BF9A8A62270144E74F0026FBDC8C71

Thanks.
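
Reading a log like the one above by hand is slow; the GloballyOpenPorts section alone runs to several hundred lines. As an added example that is not part of this thread and not ComboFix's or catchme's own code, here is a small Python triage script run over a few lines copied from the posted log: it groups firewall exceptions by the display name that registered them and lists any name holding more than a threshold of ports (a heuristic for review, not a verdict), lists Run-key autostarts whose bracketed stamp carries no date and size, and pulls out catchme hidden-file lines, marking those that sit under a Startup folder. The threshold of 10 and the treatment of a missing date/size stamp as "unverified" are assumptions of this example, not ComboFix conventions.

```python
"""Triage helper for ComboFix/catchme style logs (added example, not from the thread).

Pulls out three things a helper usually checks first and flags what looks unusual:
firewall GloballyOpenPorts grouped by registering name, Run-key autostarts without a
date/size stamp, and hidden files reported by catchme (noting Startup-folder ones).
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [BU]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58859:TCP"= 58859:TCP:Pando Media Booster
"58859:UDP"= 58859:UDP:Pando Media Booster
"5999:TCP"= 5999:TCP:spport
"8562:TCP"= 8562:TCP:spport
"12819:TCP"= 12819:TCP:spport
"25417:TCP"= 25417:TCP:spport
"21058:TCP"= 21058:TCP:spport
"27995:TCP"= 27995:TCP:spport
"5195:TCP"= 5195:TCP:spport
"29997:TCP"= 29997:TCP:spport
"28562:TCP"= 28562:TCP:spport
"13059:TCP"= 13059:TCP:spport
"13507:TCP"= 13507:TCP:spport
"10563:TCP"= 10563:TCP:spport
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1371:TCP"= 1371:TCP:Akamai NetSession Interface
.
scanning hidden files ...
.
c:\documents and settings\KK\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
.
scan completed successfully
hidden files: 1
"""

PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')
RUN_LINE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")          # "YYYY-MM-DD size"
HIDDEN_LINE = re.compile(r"^([A-Za-z]:\\.+?)\s+(\d+) bytes executable$")
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def _sections(text):
    """Yield (current registry header, non-empty line) pairs; '.' filler lines are dropped."""
    header = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            header = line
            continue
        if line and line != ".":
            yield header, line


def parse_open_ports(text):
    """Group firewall exceptions by display name -> sorted list of 'port/proto'."""
    groups = defaultdict(list)
    for header, line in _sections(text):
        if "globallyopenports" not in header.lower():
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, name = m.groups()
            groups[name.strip()].append(f"{port}/{proto}")
    return {name: sorted(ports) for name, ports in groups.items()}


def flag_port_groups(groups, threshold=10):
    """Heuristic (assumed here): a name owning more than `threshold` ports is listed for review."""
    return sorted(name for name, ports in groups.items() if len(ports) > threshold)


def parse_run_entries(text):
    """Return (name, path, stamp, has_date_size) for each Run-key autostart value."""
    out = []
    for header, line in _sections(text):
        if not header.lower().endswith("\\run]"):
            continue
        m = RUN_LINE.match(line)
        if m:
            name, path, stamp = m.groups()
            out.append((name, path, stamp, bool(STAMP.match(stamp))))
    return out


def parse_hidden_files(text):
    """Return (path, size, in_startup_folder) for each catchme hidden-file line."""
    out = []
    for _, line in _sections(text):
        m = HIDDEN_LINE.match(line)
        if m:
            path, size = m.groups()
            out.append((path, int(size), bool(STARTUP_DIR.search(path))))
    return out


def triage(text, threshold=10):
    """Summarise the points worth a second look; the caller still decides what they mean."""
    ports = parse_open_ports(text)
    return {
        "ports_per_name": {name: len(p) for name, p in ports.items()},
        "port_names_to_review": flag_port_groups(ports, threshold),
        "unverified_autostarts": [n for n, _, _, ok in parse_run_entries(text) if not ok],
        "hidden_in_startup": [p for p, _, in_startup in parse_hidden_files(text) if in_startup],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a full pasted log (`triage(open("ComboFix.txt").read())`) and the port-name summary collapses the long firewall section to one count per application, which is what a helper actually wants to see; anything the heuristics list still needs to be checked against what the machine's owner knowingly installed.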

shelf life
2011-04-10, 00:39
Did you run aswMBR? Please post the TDSSKiller log even if it didn't find anything. Why are you renaming ComboFix? Did you get an AV installed?

download catchme (http://www2.gmer.net/catchme.htm) to your desktop.

Double click the catchme.exe to run it
Click the "Scan" button to start scan.
It will generate a catchme log on your desktop.
Copy/paste the contents of the log in your reply

Hastify
2011-04-10, 18:48
I renamed combofix to combofixx because it said to rename it. I think I downloaded it before but forgot I had it. Sorry, I did; here is the aswMBR log:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-10 17:26:43
-----------------------------
17:26:43.453 OS Version: Windows 5.1.2600 Service Pack 3
17:26:43.453 Number of processors: 2 586 0xF06
17:26:43.453 ComputerName: TODD-416FE847D9 UserName: User
17:26:45.546 Initialize success
17:26:55.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
17:26:55.296 Disk 0 Vendor: ST9120817AS 3.AAA Size: 114473MB BusType: 3
17:26:55.296 Disk 1 \Device\Harddisk1\DR2 -> \Device\0000008d
17:26:55.296 Disk 1 Vendor: ( Size: 114473MB BusType: 0
17:26:57.343 Disk 0 MBR read successfully
17:26:57.343 Disk 0 MBR scan
17:26:59.343 Disk 0 scanning sectors +234436545
17:26:59.406 Disk 0 scanning C:\WINDOWS\system32\drivers
17:27:07.578 Service scanning
17:27:08.937 Disk 0 trace - called modules:
17:27:08.937
17:27:08.937 Scan finished successfully


TDSSKiller doesn't give me a log? Here is a screenshot of what I get:

http://i52.tinypic.com/swtj6a.jpg

Catchme log:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 17:32:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\KK\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
C:\Documents and Settings\User\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
C:\Program Files\yoeecjes\huvqmjng.exe 153019 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3

Thanks.

shelf life
2011-04-10, 19:28
OK, thanks for the info. Doesn't look like a rootkit anymore. One more download to get.
download ZBot (http://downloads.novirusthanks.org/files/portables/zbot_remover.zip)
It's a zip file; there are two versions in the file. Extract ZbotV3 to your desktop. Double click the ZbotV3Remover.exe icon to start, then click the scan button.

Hopefully you will see these listed as suspicious files:

C:\Documents and Settings\KK\Start Menu\Programs\Startup\huvqmjng.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\huvqmjng.exe
C:\Program Files\yoeecjes\huvqmjng.exe

If so select each one by checking the box. Then click delete and reboot at the prompt.
Should get a confirmation at start up if anything was removed.

Hastify
2011-04-10, 21:35
This is what I get when I run ZbotV3Remover.exe:

http://i55.tinypic.com/2lxh7vn.png

The scan took about 1 second to complete.

shelf life
2011-04-10, 21:51
OK, thanks. To help show all files, do this:

For XP: on the desktop double click My Computer; at the top click Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, then Apply, then OK.

Next boot your computer into safe mode. To reach safe mode you would tap the F8 key during a computer restart, then choose the first option from the list: Safe Mode. Log into your usual account; once at the safe mode desktop, look for and manually delete these .exes if found. You might want to copy/paste what's below into Notepad and save it so you can find it in safe mode:

C:\Documents and Settings\KK\Start Menu\Programs\Startup\huvqmjng.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\huvqmjng.exe
C:\Program Files\yoeecjes\huvqmjng.exe

May as well get these also while in safe mode. Delete what you can out of each folder (Edit > Select All, File > Delete):

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Click Start > Run, then type %temp%
Hit OK. Delete all the files you can.

Click Start > Run, then type %windir%\temp
Hit OK. Delete all the files you can.

Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press OK to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Hastify
2011-04-10, 23:52
I cleared all the temp files successfully. However, even with the hidden folders enabled and hide extensions unchecked, I still can't locate or see huvqmjng.exe - even in safe mode.

I can locate the program file yoeecjes but when I open it - there is nothing there.

Thanks.

shelf life
2011-04-11, 00:05
OK. Check Malwarebytes for updates first, then boot back into safe mode and run Malwarebytes and then ComboFix again, both in safe mode.

Hastify
2011-04-12, 22:43
Ok, I'll do it ASAP.