.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Run by Brian at 10:01:11 on 2011-05-20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.674 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\spoolsv.exe
J:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
J:\Program Files\thunderbird.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = hxxp://www.wanadoo.co.uk
mStart Page = hxxp://uk.yahoo.com/fsc/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - j:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - j:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\brian\application data\mozilla\firefox\profiles\67iqzyd3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-10 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-10 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-10 40384]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-2-2 1043784]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-10 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-10 40384]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 gupdate1c99d16dad21654;Google Update Service (gupdate1c99d16dad21654);c:\program files\google\update\GoogleUpdate.exe [2009-3-4 133104]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2007-3-1 43392]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [2006-4-22 23208]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [2006-4-22 17448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-4 133104]
.
=============== Created Last 30 ================
.
2011-05-17 10:53:24 7071056 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{7514d67f-2d7f-4eaa-82a3-f4ab72813210}\mpengine.dll
2011-05-17 10:52:10 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 07:55:41 -------- d-----w- C:\Nokia6600Slide
2011-05-13 07:50:06 -------- d-----w- c:\program files\common files\PCSuite
2011-05-13 07:48:37 18816 ---ha-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-05-13 07:48:04 -------- d-----w- c:\program files\PC Connectivity Solution
2011-05-13 07:47:20 8192 ---ha-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2011-05-13 07:47:19 8192 ---ha-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2011-05-13 07:47:18 23040 ---ha-w- c:\windows\system32\drivers\ccdcmbo.sys
2011-05-13 07:47:15 18048 ---ha-w- c:\windows\system32\drivers\ccdcmb.sys
2011-05-13 07:47:14 1461992 ---ha-w- c:\windows\system32\wdfcoinstaller01009.dll
2011-05-13 07:47:14 111104 ---ha-w- c:\windows\system32\ccdcmbwu.dll
2011-05-08 19:24:51 1409 ---ha-w- c:\windows\QTFont.for
2011-05-07 11:21:06 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-07 11:21:06 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-07 11:21:05 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-07 11:21:05 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-07 11:21:05 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-07 11:21:04 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-07 11:21:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-07 11:21:03 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ---ha-w- c:\windows\system32\win32k.sys
2008-11-07 12:12:00 15083520 ----a-w- c:\program files\spybotsd160.exe
2004-08-04 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 10:02:08.45 ===============

:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.




Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do it's job. This may take a few tries.

You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.






Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Hello Ken,

You didn't ask for a log of the rKill process so I guess you don't want one but it did find something so I am including the log for you:

rKill log:

Rkill was run on 23/05/2011 at 14:44:25.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe


Rkill completed on 23/05/2011 at 14:44:31.





MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6620

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

23/05/2011 14:59:09
mbam-log-2011-05-23 (14-59-09).txt

Scan type: Quick scan
Objects scanned: 156642
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

No sign of that infection in Malwarebytes, lets do this

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ComboFix 11-05-22.02 - Brian 23/05/2011 20:20:06.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.1105 [GMT 1:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\firststeps\FirstSteps.exe
c:\windows\winhelp.ini
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-21 01:27 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{5F0F0D06-F87B-4357-99DF-A4F5AABB5FED}\mpengine.dll
2011-05-20 08:58 . 2011-05-20 08:59 -------- d-----w- c:\program files\ERUNT
2011-05-17 10:52 . 2011-05-17 10:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 07:55 . 2011-05-16 08:37 -------- d-----w- C:\Nokia6600Slide
2011-05-13 07:50 . 2011-05-13 07:50 -------- d-----w- c:\program files\Common Files\PCSuite
2011-05-13 07:48 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-05-13 07:48 . 2011-05-13 07:48 -------- d-----w- c:\program files\PC Connectivity Solution
2011-05-13 07:47 . 2010-07-30 13:16 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2011-05-13 07:47 . 2010-07-30 13:16 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2011-05-13 07:47 . 2010-07-30 13:16 23040 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2011-05-13 07:47 . 2010-07-30 13:16 18048 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2011-05-13 07:47 . 2010-07-30 13:17 111104 ----a-w- c:\windows\system32\ccdcmbwu.dll
2011-05-13 07:47 . 2010-02-26 13:19 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2011-05-08 19:24 . 2011-05-08 19:24 1409 ----a-w- c:\windows\QTFont.for
2011-05-07 11:21 . 2011-05-07 11:21 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 11:21 . 2011-05-07 11:21 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 11:21 . 2011-05-07 11:21 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 11:21 . 2011-05-07 11:21 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 11:21 . 2011-05-07 11:21 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 11:21 . 2011-05-07 11:21 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 11:21 . 2011-05-07 11:21 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-07 11:21 . 2011-05-07 11:21 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2010-11-22 14:40 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2005-08-02 04:31 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2005-08-01 18:25 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2005-08-01 18:25 1857920 ----a-w- c:\windows\system32\win32k.sys
2008-11-07 12:12 . 2008-11-07 12:00 15083520 ----a-w- c:\program files\spybotsd160.exe
2011-05-07 11:21 . 2011-05-07 11:21 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-04 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-12-21 1483264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/02/2010 10:17 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/02/2010 10:17 17744]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [02/02/2010 12:21 1043784]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 08:24 10064]
S2 gupdate1c99d16dad21654;Google Update Service (gupdate1c99d16dad21654);c:\program files\Google\Update\GoogleUpdate.exe [04/03/2009 23:16 133104]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [01/03/2007 12:15 43392]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [22/04/2006 23:58 23208]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [22/04/2006 23:59 17448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [04/03/2009 23:16 133104]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2010-02-02 11:28]
.
2011-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-01 11:58]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 22:16]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 22:16]
.
2011-05-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://uk.yahoo.com/fsc/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - j:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\67iqzyd3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 20:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-23 20:29:23
ComboFix-quarantined-files.txt 2011-05-23 19:29
.
Pre-Run: 46,761,095,168 bytes free
Post-Run: 47,193,137,152 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B71EEBA7E1F8B8728908E8ED344D20A5

:bigthumb:

Go ahead and run aswMBR just to scan (no fix is needed ) and post the log

where do I find aswMBR?

Sorry, to many irons in the fire :red:


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-24 08:30:14
-----------------------------
08:30:14.593 OS Version: Windows 5.1.2600 Service Pack 3
08:30:14.593 Number of processors: 1 586 0x401
08:30:14.593 ComputerName: POSHBLINDS UserName: Brian
08:30:14.937 Initialize success
08:30:24.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
08:30:24.171 Disk 0 Vendor: WDC_WD2000BB-55GUC0 08.02D08 Size: 190782MB BusType: 3
08:30:26.203 Disk 0 MBR read successfully
08:30:26.203 Disk 0 MBR scan
08:30:26.203 Disk 0 Windows XP default MBR code
08:30:28.203 Disk 0 scanning sectors +390716865
08:30:28.234 Disk 0 scanning C:\WINDOWS\system32\drivers
08:30:35.125 Service scanning
08:30:36.046 Disk 0 trace - called modules:
08:30:36.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
08:30:36.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5f7ab8]
08:30:36.062 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a5f0f18]
08:30:36.062 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a5fed98]
08:30:36.062 Scan finished successfully
08:31:21.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brian\Desktop\MBR.dat"
08:31:21.468 The log file has been saved successfully to "C:\Documents and Settings\Brian\Desktop\aswMBR.txt"


aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-24 08:30:14
-----------------------------
08:30:14.593 OS Version: Windows 5.1.2600 Service Pack 3
08:30:14.593 Number of processors: 1 586 0x401
08:30:14.593 ComputerName: POSHBLINDS UserName: Brian
08:30:14.937 Initialize success
08:30:24.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
08:30:24.171 Disk 0 Vendor: WDC_WD2000BB-55GUC0 08.02D08 Size: 190782MB BusType: 3
08:30:26.203 Disk 0 MBR read successfully
08:30:26.203 Disk 0 MBR scan
08:30:26.203 Disk 0 Windows XP default MBR code
08:30:28.203 Disk 0 scanning sectors +390716865
08:30:28.234 Disk 0 scanning C:\WINDOWS\system32\drivers
08:30:35.125 Service scanning
08:30:36.046 Disk 0 trace - called modules:
08:30:36.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
08:30:36.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5f7ab8]
08:30:36.062 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a5f0f18]
08:30:36.062 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a5fed98]
08:30:36.062 Scan finished successfully
08:31:21.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brian\Desktop\MBR.dat"
08:31:21.468 The log file has been saved successfully to "C:\Documents and Settings\Brian\Desktop\aswMBR.txt"
08:32:19.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brian\Desktop\MBR.dat"
08:32:19.531 The log file has been saved successfully to "C:\Documents and Settings\Brian\Desktop\aswMBR.txt"

Hi,

Combofix fixed a very serious infection, your system should be running better now ?

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-3b030333 Java/Exploit.CVE-2010-4452.A trojan
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\67iqzyd3.default\Cache\A\1C\D452Fd01 JS/Kryptik.AI trojan
C:\System Volume Information\_restore{1B6499BB-770A-4B0E-95EC-4D4AA437B028}\RP1653\A0100018.sys Win32/Olmasco.E trojan

Run this cleaner and it will clear out your Java Cache


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.



You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Delete the file in bold
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\67iqzyd3.default\Cache\A\1C\D452Fd01 JS/Kryptik.AI trojan


The last one was in System Restore

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.


Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.



How are things running now ?

Well, it appears to be better now... the annoying pop ups are gone, the iexplorer.exe no longer starts up in the background and the urls I enter in firefox are no longer being hijacked.

Once this is cleaned I will need to check my other PCs.

My bad, I was at work when I posted and my internet is somewhat limited

Open Firefox and go to Tools > Clear Resent History and make sure the cache is checked.


We just do one PC at a time in this thread, believe me it gets real complicated when we try to clean more than one, post back if your happy with the way your pc is running and I will close this thread and you can start a new topic for the other

Also want to point out that if your other computers are experiencing the same problems its possible that your router is infected, let me know

Thanks Ken,

This computer seems ok now.

If there is nothing more I need do with this one I will post the DDS file of my other computer. I checked it and found it has possibly 4 trojans on it.

Thank you for sharing your precious time with me.

Wonderful, great to hear.

But working more than one computer in this thread can be very confusing so what I will need you to do is after I close this thread you can just start a new topic for the other one, make sure you state that we cleaned this one and that this is another computer



Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken