Click.giftLoad



jason2
2011-05-05, 18:55
Good morning :)

Having a lot of difficulty with this malware. Am unable to submit to this forum from infected computer. Spybot reported fixed, but in fact did not.

DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 9:43:23.60 on Thu 05/05/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.274 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
c:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
C:\Documents and Settings\Owner.ME-SMA9H3N14HJC\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: VMN Toolbar: {a057a204-bacc-4d26-8287-79a187e26987} - c:\progra~1\vmntoo~1\VMNTOO~1.DLL
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: VMN Toolbar: {a057a204-bacc-4d26-8287-79a187e26987} - c:\progra~1\vmntoo~1\VMNTOO~1.DLL
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [DeltTray] DeltTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
StartupFolder: c:\documents and settings\owner.me-sma9h3n14hjc\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206291371551
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {2F462187-79D7-45F8-9F6F-EDC99AB31842} = 64.136.173.5 64.136.164.77
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner~1.me-\applic~1\mozilla\firefox\profiles\wle6gb8o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6E040L0 rev.NAR61590 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82F20730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f26a10]; MOV EAX, [0x82f26a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82FD0AB8]
3 CLASSPNP[0xF8778FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x82FA7170]
\Driver\atapi[0x82FD1030] -> IRP_MJ_CREATE -> 0x82F20730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F2057B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:45:20.54 ===============


Thanks in advance for any help you may give.
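
Added example, not part of this thread and not code from GMER, DDS or any other tool named above: a small Python parser for a raw 512-byte MBR. The ROOTKIT section of the DDS log is the interesting part of the post: the disk trace stops at an UNKNOWN module hooked into \Driver\atapi, yet the MBR that GMER reads back disassembles to the standard Windows XP bootstrap (XOR AX,AX; MOV SS,AX; MOV SP,0x7c00; ...). The code below assembles that prefix from the listed instructions, checks a sector against it, and decodes the partition table and boot signature. The XP_MBR_PREFIX bytes are my own assembly of the disassembly shown, the sample sectors are constructed, and the "tampered" one is plain filler, not rootkit code.

```python
import struct

# First 0x27 bytes of the standard Windows XP MBR bootstrap, assembled by hand
# from the disassembly GMER printed above (XOR AX,AX; MOV SS,AX; MOV SP,0x7C00;
# STI; PUSH AX; POP ES; PUSH AX; POP DS; CLD; MOV SI,0x7C1B; MOV DI,0x61B;
# PUSH AX; PUSH DI; MOV CX,0x1E5; REP MOVSB; RETF; MOV BP,0x7BE; MOV CL,4;
# CMP [BP+0],CH; JL +9; JNZ +0x13).
XP_MBR_PREFIX = bytes.fromhex(
    "33c0" "8ed0" "bc007c" "fb" "50" "07" "50" "1f" "fc"
    "be1b7c" "bf1b06" "50" "57" "b9e501" "f3a4" "cb"
    "bdbe07" "b104" "386e00" "7c09" "7513"
)

PARTITION_TABLE_OFFSET = 446   # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Decode a raw MBR: XP-bootstrap check, partition table, boot signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes, got %d" % len(sector))
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sector_count,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "xp_bootstrap": sector.startswith(XP_MBR_PREFIX),
        "partitions": partitions,
    }


def assess(sector: bytes) -> str:
    """One-line verdict, modelled on aswMBR's 'Windows XP default MBR code' line."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if info["xp_bootstrap"]:
        return "Windows XP default MBR code"
    return "non-default MBR code: compare with a copy read outside the running OS"


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed test sector: given bootstrap, one active NTFS partition, valid signature."""
    if len(bootstrap) > PARTITION_TABLE_OFFSET:
        raise ValueError("bootstrap code does not fit before the partition table")
    code = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    # status 0x80 (active), CHS start 0/1/1, type 0x07 (NTFS), CHS end 0xFE/0xFF/0xFF,
    # LBA start 63, size 80,000,000 sectors (arbitrary constructed values)
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 80_000_000)
    table = entry + b"\x00" * 48   # three empty slots
    return code + table + BOOT_SIGNATURE


# Constructed samples: a default XP sector, and one whose bootstrap has been
# replaced by filler bytes (not real rootkit code, merely "not the XP bytes").
CLEAN_MBR = build_sample_mbr(XP_MBR_PREFIX + b"\x90" * 16)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 40)


def read_physical_drive_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 through the OS (administrator rights on Windows; /dev/sda on Linux).
    A kernel hook in the disk stack can filter this read, so a 'clean' result obtained
    from inside the suspect system is weaker evidence than an offline read."""
    with open(device, "rb") as disk:
        return disk.read(512)


if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, "->", assess(mbr), parse_mbr(mbr)["partitions"])
```

A hooked atapi DriverStartIo, which is what GMER reports here, sits below the file system and can rewrite what a sector read through the running OS returns; that is why GMER can print "user & kernel MBR OK" and still warn about a rootkit. Treat a sector that checks out from inside Windows as weaker evidence than one read with the disk attached to a known-clean system or from boot media.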

redcar92
2011-05-06, 03:23
Hello jason2 and welcome.
I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
Read the entire procedure. It is important to perform ALL actions in sequence.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it.
Remember, absence of symptoms does not mean the infection is all gone.
Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right click, choose "Run as Administrator").
Stay with this topic until I give you the all clean post.

redcar92
2011-05-06, 04:26
Hello jason2
Please do the following:

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

jason2
2011-05-07, 04:54
Thanks for your help Bill.


aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-06 21:47:16
-----------------------------
21:47:16.140 OS Version: Windows 5.1.2600 Service Pack 3
21:47:16.140 Number of processors: 1 586 0x209
21:47:16.140 ComputerName: ME-SMA9H3N14HJC UserName: Owner
21:47:16.500 Initialize success
21:47:19.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:47:19.500 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 39205MB BusType: 3
21:47:19.500 Device \Driver\atapi -> DriverStartIo 82f2057b
21:47:21.500 Disk 0 MBR read successfully
21:47:21.500 Disk 0 MBR scan
21:47:21.500 Disk 0 TDL4@MBR code has been found
21:47:21.500 Disk 0 Windows XP default MBR code found via API
21:47:21.500 Disk 0 MBR hidden
21:47:21.500 Disk 0 MBR [TDL4] **ROOTKIT**
21:47:21.500 Disk 0 trace - called modules:
21:47:21.500 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82f20730]<<
21:47:21.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fd0ab8]
21:47:21.500 3 CLASSPNP.SYS[f8778fd7] -> nt!IofCallDriver -> [0x82fadb80]
21:47:21.500 \Driver\atapi[0x82fd1030] -> IRP_MJ_CREATE -> 0x82f20730
21:47:22.000 Scan finished successfully
21:48:19.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner.ME-SMA9H3N14HJC\Desktop\MBR.dat"
21:48:19.890 The log file has been saved successfully to "C:\Documents and Settings\Owner.ME-SMA9H3N14HJC\Desktop\aswMBR.txt"

redcar92
2011-05-07, 19:35
Hello jason2
Please do the following:

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the Fix button.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

jason2
2011-05-08, 03:57
I scanned again and the report was identical to the previous.
I clicked fix and it reported a successful fix of MBR, but the computer crashed while it was verifying the fix.

The following log is the result of the scan after restarting the computer:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-07 20:38:13
-----------------------------
20:38:13.468 OS Version: Windows 5.1.2600 Service Pack 3
20:38:13.468 Number of processors: 1 586 0x209
20:38:13.468 ComputerName: ME-SMA9H3N14HJC UserName: Owner
20:38:13.859 Initialize success
20:38:22.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:38:22.734 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 39205MB BusType: 3
20:38:24.750 Disk 0 MBR read successfully
20:38:24.750 Disk 0 MBR scan
20:38:24.750 Disk 0 Windows XP default MBR code
20:38:26.781 Disk 0 scanning sectors +80276805
20:38:26.906 Disk 0 scanning C:\WINDOWS\system32\drivers
20:38:39.859 Service scanning
20:38:41.218 Disk 0 trace - called modules:
20:38:41.234 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
20:38:41.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f90ab8]
20:38:41.234 3 CLASSPNP.SYS[f8778fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fadd98]
20:38:41.234 Scan finished successfully
20:39:13.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner.ME-SMA9H3N14HJC\Desktop\MBR.dat"
20:39:13.093 The log file has been saved successfully to "C:\Documents and Settings\Owner.ME-SMA9H3N14HJC\Desktop\aswMBR2.txt"
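
Added example, not part of the thread and not aswMBR's own code: the two aswMBR logs above differ in only a handful of lines, and those lines are the indicators worth automating when triaging many such logs. The script below feeds both logs (copied from the posts above, timestamps included) through a few regular expressions: an UNKNOWN module in the disk-stack trace, a DriverStartIo hook on \Driver\atapi, an IRP dispatch entry redirected to a raw address, the TDL4@MBR and MBR hidden lines, and whether the called-modules chain ends in real drivers the way the post-Fix log does (... atapi.sys hal.dll pciide.sys PCIIDEX.SYS). It also cross-checks that the dispatch target equals the UNKNOWN address, which ties the hook to the hidden module. The indicator names and the verdict rule are mine, not aswMBR's.

```python
import re

# Lines copied from the two aswMBR logs posted above: first the infected run,
# then the run after Fix. Raw strings keep the backslashes literal.
INFECTED_LOG = r"""
21:47:19.500 Device \Driver\atapi -> DriverStartIo 82f2057b
21:47:21.500 Disk 0 MBR read successfully
21:47:21.500 Disk 0 TDL4@MBR code has been found
21:47:21.500 Disk 0 Windows XP default MBR code found via API
21:47:21.500 Disk 0 MBR hidden
21:47:21.500 Disk 0 MBR [TDL4] **ROOTKIT**
21:47:21.500 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82f20730]<<
21:47:21.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fd0ab8]
21:47:21.500 \Driver\atapi[0x82fd1030] -> IRP_MJ_CREATE -> 0x82f20730
"""

CLEAN_LOG = r"""
20:38:24.750 Disk 0 MBR read successfully
20:38:24.750 Disk 0 Windows XP default MBR code
20:38:41.234 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
20:38:41.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f90ab8]
20:38:41.234 3 CLASSPNP.SYS[f8778fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fadd98]
"""

# (indicator name, pattern); group 1, where present, is the value worth recording.
RULES = [
    ("unknown module in disk stack",   re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")),
    ("DriverStartIo hook",             re.compile(r"DriverStartIo\s+(?:0x)?([0-9a-f]+)")),
    ("dispatch redirected",            re.compile(r"IRP_MJ_\w+ -> (0x[0-9a-f]+)$")),
    ("MBR code identified as rootkit", re.compile(r"(\S+)@MBR code has been found")),
    ("MBR hidden from API reads",      re.compile(r"\bMBR hidden\b")),
    ("tool verdict",                   re.compile(r"\*\*ROOTKIT\*\*")),
]
DRIVER_EXT = (".sys", ".dll", ".exe")


def analyze(log_text: str) -> dict:
    """Extract rootkit indicators from aswMBR-style log text."""
    indicators, stack = [], None
    for line in log_text.strip().splitlines():
        body = line.split(" ", 1)[1] if " " in line else line   # drop the timestamp
        for name, rx in RULES:
            m = rx.search(body)
            if m:
                indicators.append((name, m.group(1) if m.groups() else None))
        if body.startswith("ntoskrnl.exe"):   # the "called modules" chain
            stack = body.split()
    unknown = {v for k, v in indicators if k == "unknown module in disk stack"}
    targets = {v for k, v in indicators if k == "dispatch redirected"}
    return {
        "indicators": indicators,
        "stack": stack,
        # an intact chain names real drivers all the way down to the IDE layer
        "stack_intact": stack is not None and all(t.lower().endswith(DRIVER_EXT) for t in stack),
        # a dispatch entry pointing at the UNKNOWN address ties the hook to the hidden module
        "hook_points_into_unknown": bool(unknown & targets),
        "verdict": "infected" if indicators else "clean",
    }


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_LOG), ("after Fix", CLEAN_LOG)):
        r = analyze(text)
        print(label, r["verdict"], "hook->unknown:", r["hook_points_into_unknown"], r["indicators"])
```

The same rules apply to the GMER ROOTKIT section of a DDS log, since aswMBR and GMER print the disk trace in the same shape; the one difference worth noting is that GMER may report "user & kernel MBR OK" while still listing the hook, so the verdict should rest on the hook and the UNKNOWN module, not on the MBR line alone.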

redcar92
2011-05-08, 20:26
Hello jason2
Good news, aswMBR removed a rootkit, and no MBR infection was found.

Next
***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFRCNeeded.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CF2.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

jason2
2011-05-09, 04:59
Downloaded and ran Combofix.

Log attached.

Thanks,

Jason

redcar92
2011-05-09, 17:31
Hello jason2

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:




KillAll::

RenV::
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\Java\jre1.6.0_03\bin\jusched .exe
c:\windows\system32\DeltTray .exe


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFscript.png

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. If possible, please copy/paste the contents of the file into your post, it makes analysis much easier.

jason2
2011-05-11, 21:18
Sorry for the delay...have been sick.


ComboFix 11-05-08.02 - Owner 05/11/2011 13:51:58.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.236 [GMT -4:00]
Running from: c:\documents and settings\Owner.ME-SMA9H3N14HJC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.ME-SMA9H3N14HJC\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-05 13:42 . 2011-05-05 13:42 -------- d-----w- c:\program files\ERUNT
2011-05-03 17:28 . 2011-05-03 17:28 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-10-06 05:21 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-07-16 20:49 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2008-12-30 00:42 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2003-07-16 20:51 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2003-07-16 20:47 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2003-07-16 20:34 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-07-16 20:46 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2008-12-30 00:42 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-16 23:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2003-07-16 20:24 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8287-79A187E26987}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"DeltTray"="DeltTray.exe" [2002-12-06 56320]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
.
c:\documents and settings\Owner.ME-SMA9H3N14HJC\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-1-17 256000]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-10-16 82026]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-6 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Owner.ME-SMA9H3N14HJC\Application Data\Mozilla\Firefox\Profiles\wle6gb8o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 13:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\DeltTray.exe
c:\windows\BCMSMMSG.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-05-11 14:05:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 18:05
ComboFix2.txt 2011-05-09 01:44
.
Pre-Run: 8,228,020,224 bytes free
Post-Run: 8,221,425,664 bytes free
.
- - End Of File - - C8AD324806B57F3741D640ED9EC4FA0B


Hope you have a good day,

Jason

redcar92
2011-05-12, 03:03
Hello Jason
Great day here, hope yours is getting better.

Please do the following:
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please

Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click on List of found threats.
Click Export to text file
Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
Logs to post:

mbam.txt
Eset report
Please let me know how your PC is behaving now.

jason2
2011-05-13, 19:20
Hello :)

Below is the Malwarebytes' log. Is a HJT log created by HijackThis? You haven't instructed me to download or run this... or do you mean a DDS log?

Thanks,

Jason


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6568

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/13/2011 11:56:08 AM
mbam-log-2011-05-13 (11-56-08).txt

Scan type: Quick scan
Objects scanned: 192633
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

redcar92
2011-05-13, 19:50
My mistake, don't worry about the HJT log; that should not be there.
Apologies,
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

jason2
2011-05-15, 01:50
Ok, that's fine. Here's the Eset log:

C:\Qoobox\Quarantine\C\Documents and Settings\Owner.ME-SMA9H3N14HJC\Application Data\Adobe\plugs\KB935913343.exe.vir Win32/TrojanDownloader.Agent.QBO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner.ME-SMA9H3N14HJC\Application Data\Adobe\plugs\KB935913625.exe.vir Win32/TrojanDropper.Agent.PEY trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner.ME-SMA9H3N14HJC\Application Data\Adobe\plugs\KB935913640.exe.vir Win32/TrojanDownloader.Agent.QBO trojan
C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update\HPWuSchd2.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Java\jre1.6.0_03\bin\jusched.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\hGTkQBi4.com.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\System Volume Information\_restore{1BE98D19-641F-4F03-A88C-F5C63C5AC0FA}\RP1935\A0155894.exe Win32/TrojanDownloader.Agent.QBO trojan
C:\System Volume Information\_restore{1BE98D19-641F-4F03-A88C-F5C63C5AC0FA}\RP1935\A0155895.exe Win32/TrojanDropper.Agent.PEY trojan
C:\System Volume Information\_restore{1BE98D19-641F-4F03-A88C-F5C63C5AC0FA}\RP1935\A0155896.exe Win32/TrojanDownloader.Agent.QBO trojan
C:\System Volume Information\_restore{1BE98D19-641F-4F03-A88C-F5C63C5AC0FA}\RP1935\A0155898.exe Win32/TrojanDownloader.Unruy.BN trojan
C:\System Volume Information\_restore{1BE98D19-641F-4F03-A88C-F5C63C5AC0FA}\RP1935\A0155899.exe Win32/TrojanDownloader.Unruy.BN trojan
C:\System Volume Information\_restore{1BE98D19-641F-4F03-A88C-F5C63C5AC0FA}\RP1935\A0155900.com Win32/TrojanDownloader.Unruy.BN trojan
C:\System Volume Information\_restore{1BE98D19-641F-4F03-A88C-F5C63C5AC0FA}\RP1938\A0155996.exe Win32/TrojanDownloader.Unruy.BN trojan


The computer is running much better. Back up to speed when online and I no longer get redirects. I am also able to visit anti-virus/malware sites.

Thanks for your continued help :)

Jason
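
Added example, not from the thread and not ComboFix's code: the RenV:: lines in the CFScript posted earlier and the ESET results above belong together. Each RenV:: path has a space before ".exe" (HPWuSchd2 .exe, jusched .exe, DeltTray .exe), and ESET then flagged the quarantined HPWuSchd2.exe and jusched.exe as Win32/TrojanDownloader.Unruy.BN. My reading, which the thread itself does not spell out: the trojan moved each legitimate autorun executable aside under a name with a space before the extension and put its own copy under the original name, and RenV:: renames the originals back. The Python below looks for that pair pattern in a directory listing. The sample listing is constructed (the extra names are decoys that must not be flagged) and is written to a temporary directory so the scan runs for real.

```python
import os
import tempfile
from typing import Iterable, List, Tuple


def find_displaced_pairs(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Given the file names of one directory, return (displaced_original, impostor)
    pairs where 'name .exe' (space before the extension) sits beside 'name.exe'."""
    names = set(names)
    pairs = []
    for n in sorted(names):
        stem, dot, ext = n.rpartition(".")
        if not dot or not stem.endswith(" "):
            continue                      # no extension, or no trailing space in the stem
        impostor = stem.rstrip(" ") + "." + ext
        if impostor in names:             # only a pair counts; a lone odd name is noise
            pairs.append((n, impostor))
    return pairs


def scan_directories(dirs: Iterable[str]) -> List[Tuple[str, str]]:
    """Run find_displaced_pairs over real directories; returns full paths."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for displaced, impostor in find_displaced_pairs(os.listdir(d)):
            hits.append((os.path.join(d, displaced), os.path.join(d, impostor)))
    return hits


# Constructed listing modelled on the RenV:: lines, plus decoys: a legitimate
# name with an internal space, and a trailing-space name with no counterpart.
SAMPLE_LISTING = [
    "HPWuSchd2 .exe", "HPWuSchd2.exe", "HPWUCli.exe",
    "jusched .exe", "jusched.exe",
    "Adobe Gamma Loader.exe",
    "README .txt",
]


def demo() -> List[Tuple[str, str]]:
    """Write the constructed listing into a temp dir and scan it; returns base names."""
    with tempfile.TemporaryDirectory() as root:
        for name in SAMPLE_LISTING:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\x00")          # placeholder content, not real executables
        return [(os.path.basename(a), os.path.basename(b))
                for a, b in scan_directories([root])]


if __name__ == "__main__":
    for displaced, impostor in demo():
        print("displaced original: %r  impostor under original name: %r" % (displaced, impostor))
```

On a live system the directories to pass are the ones the Run key values and startup folders point at (the ComboFix "Reg Loading Points" section lists them); the impostor is the file the autorun entry actually launches, and the displaced original is what RenV:: puts back. Note that the space in the RenV:: paths is deliberate and must not be "corrected" when preparing a CFScript.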

redcar92
2011-05-16, 02:57
Good news Jason,
Congratulations, your logs look all clean and you indicate that your system is running as expected.

Those items in ESET are isolated where they can do no harm, they will be removed shortly. But first:

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected and it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

http://i1176.photobucket.com/albums/x337/redcar92/WTT/ATF/atf.png

Next
Your Java appears to be down-level.
Navigate to Control Panel, then open Programs and Features.
Highlight each Java entry, then click on Uninstall in the toolbar.
Visit this site (http://www.java.com/en/) to download and install the latest Java.

Next
Your Adobe appears to be down-level.
Please visit this site: http://www.adobe.com/downloads. Click on the Adobe Reader icon on the right side and you will be presented with the correct Adobe for your system.
Download and install this Adobe, please.

Next
I see that you have IE6 on your PC. You need to visit http://www.microsoft.com/downloads/en/details.aspx?FamilyID=341c2ad5-8c3d-4347-8c03-08cdecd8852b to download and install IE8. IE8 is far more secure than IE6 or 7. You may not use IE as a browser, but your PC uses it for updates and it should be as secure as possible.

Next
I notice that you do not have any Anti-Virus program installed on your PC. Here is a list of 3 free, good AVs. In order to provide maximum protection against viruses and spyware you should select and install only one of them.
AVG (http://download.cnet.com/AVG-Anti-Virus-Free-Edition-2011/3000-2239_4-10320142.html?part=dl-10044820&subj=dl&tag=button&cdlPid=11014801)
AVAST (http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html)
AVIRA (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html)

Next
The following will implement some cleanup procedures as well as reset System Restore points; it will also remove the infections seen in ESET:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Next
To remove DDS, on your desktop right-click on DDS.exe, then click on Delete. Do the same for DDS.txt, attach.txt and attach.zip.
To remove aswMBR, on your desktop right-click on aswMBR.exe, then click on Delete. Do the same for aswMBR.txt.

You should keep ATF, Malwarebytes and ESET. Update and run them periodically to keep your system clean.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol (http://www.winpatrol.com/). This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial (http://www.winpatrol.com/features.html) to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://forum.malwareremoval.com/viewtopic.php?t=13)

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)

If you have any questions or outstanding problems please let me know, otherwise this thread will close in a few days.

Thanks for all of your hard work and patience. :thanks::greeting:
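A way to verify, from a defender's side, that step 1 and the hosts-file note in tip 4 above were actually applied, as an added example that is not part of the original thread and not code from any tool it mentions: this PowerShell script reads the Internet zone settings that Internet Explorer stores in the registry, reports which ones differ from the recommendations above, and then reports the state of the DNS Client service and the number of active entries in the hosts file. The registry location (Zones\3 is the Internet zone) and the value names 1001, 1004, 1201, 1800, 1804 and 1607 are Microsoft's documented identifiers for these zone options, with 0 = Enable, 1 = Prompt, 3 = Disable; the report layout and the regular expression used to count hosts entries are my own choices. It only reads; it changes nothing.

```powershell
# Added example (not from the original thread): audit the IE Internet-zone settings
# recommended in step 1 and the DNS Client / hosts-file state mentioned in tip 4.
# Value names follow Microsoft's documented zone layout: 0 = Enable, 1 = Prompt, 3 = Disable.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired values, matching the thread's recommendations.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }  # Prompt
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SettingLabel([int]$value) {
    if ($labels.ContainsKey($value)) { $labels[$value] } else { "Unknown($value)" }
}

# --- Step 1: Internet zone settings -------------------------------------------
$zone = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
if (-not $zone) {
    "Internet zone key not found at $zonePath"
} else {
    foreach ($id in ($recommended.Keys | Sort-Object)) {
        $entry   = $recommended[$id]
        $current = $zone.$id
        if ($null -eq $current) {
            # A missing value means IE falls back to its built-in default for the zone.
            $state = 'not set (IE default)'
            $ok    = $false
        } else {
            $state = Get-SettingLabel ([int]$current)
            $ok    = ([int]$current -eq $entry.Want)
        }
        $flag = if ($ok) { 'OK ' } else { 'FIX' }
        "{0} {1} {2,-58} current: {3,-22} recommended: {4}" -f `
            $flag, $id, $entry.Name, $state, (Get-SettingLabel $entry.Want)
    }
}

# --- Tip 4: DNS Client service and hosts file ---------------------------------
# WMI is used instead of Get-Service so the start mode is available on older PowerShell too.
$dns = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'" -ErrorAction SilentlyContinue
if ($dns) {
    "DNS Client service: State={0} StartMode={1}" -f $dns.State, $dns.StartMode
} else {
    "DNS Client service: not found"
}

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Count lines that start with an address followed by a host name; comments and blanks are skipped.
$entries = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
             Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }).Count
"hosts file: {0} ({1} active entries)" -f $hostsPath, $entries
```

Run it from a normal PowerShell prompt after making the changes in step 1; any line flagged FIX names the setting that still needs to be changed in the Custom Level dialog. A large custom hosts file with the DNS Client service still running is the combination the tutorial in tip 4 warns about, so a State of Running alongside thousands of entries is worth a second look.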

jason2
2011-05-17, 19:50
Thanks again for your generous help! I'm making my way through your list of tips and will make a donation as well.

Hope your day goes well,

Jason

redcar92
2011-05-18, 00:24
Thank you for the kind words. If you have no more questions or issues this thread will close in a few days.