
Google redirects, "Defender"



skookster
2011-07-20, 01:43
I'm getting Google redirects.

"Defender" has taken over the PC twice in the last few days. Both times I deleted it via Safe Mode.

Also having svchost memory leaks like crazy, but I don't expect that's in your power to address.

The machine:
XP SP3
Windows updates automatically
MS Security Essentials always running, automatic updates, quick scan nightly
uTorrent 2.2 downloads only from trusted trackers
Spyware Blaster updated weekly
CCleaner, Malware Bytes and Tweak Now have been run recently

To prepare for your analysis, I have:
executed MS Security Essentials full scan
executed ERUNT
disabled Tea Timer
ActiveX set to Prompt and Disable

Thanks
---

DDS (Ver_2011-07-14.01) - FAT32_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Dee at 18:31:25 on 2011-07-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.150 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\fsproflt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\IDrive\IDriveE Service.exe
C:\Program Files\Screen Saver Control\ScreenSaverControl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IDrive\IDriveWebM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Moffsoft FreeCalc\MoffFreeCalc.exe
C:\Program Files\KeyText\KeyText.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\IDrive\IDriveETray.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\IDrive\IDriveEBackground.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/Program%20Files/Internet%20Explorer/Blank.htm
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: Octh Class: {000123B4-9B42-4900-B3F7-F4B073EFC214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - <orphaned>
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - c:\program files\orbitdownloader\GrabPro.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [IDriveE Startup] "c:\program files\idrive\IDrvieEStartup.exe" Hide
uRun: [Screen Saver Control] c:\program files\screen saver control\ScreenSaverControl.exe -quiet
uRun: [TClockEx] c:\program files\tclockex\TCLOCKEX.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SystemTray] SysTray.Exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [OneTouch Monitor] c:\progra~1\vision~1\ONETOU~2.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\keytext.lnk - c:\program files\keytext\KeyText.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\idrive~1.lnk - c:\program files\idrive\IDriveEReg2ini.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\screen~1.lnk - c:\program files\screen saver control\ScreenSaverControl.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\proces~1.lnk - c:\program files\processexplorer\procexp.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\firefox.lnk - c:\program files\mozilla firefox\firefox.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\fastst~1.lnk - c:\program files\faststone capture\FSCapture.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\calcul~1.lnk - c:\program files\moffsoft freecalc\MoffFreeCalc.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Lookup on Merriam Webster - c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259632841390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: NameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{86C114B1-6950-47C6-80DA-7B658D817BE9} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{86C114B1-6950-47C6-80DA-7B658D817BE9} : DHCPNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{96FCD304-90F6-4C01-B894-28DC74FEEBAB} : NameServer = 208.67.222.222,208.67.220.220
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: taskmgr.exe - "c:\program files\processexplorer\PROCEXP.EXE"
IFEO: Your Image File Name Here without a path - ntsd -d
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\61a6e9yd.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Program%20Files/Mozilla%20Firefox/blank-navy.htm
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\61a6e9yd.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\user\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2010-10-8 41912]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl7392fc0d;MpKsl7392fc0d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8d84bb94-70af-4875-9040-bf4ae81847f7}\MpKsl7392fc0d.sys [2011-7-19 28752]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2010-10-8 142648]
R2 IDriveE Service;IDriveE Service;c:\program files\idrive\IDriveE Service.exe [2009-11-30 143360]
R2 IDriveWebM;IDrive WebManager;c:\program files\idrive\IDriveWebM.exe [2009-11-30 118784]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-12-1 10384]
S1 MpKsl031cff38;MpKsl031cff38;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41958ae7-d159-493a-af50-86f886f90271}\mpksl031cff38.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41958ae7-d159-493a-af50-86f886f90271}\MpKsl031cff38.sys [?]
S1 MpKsl181993ed;MpKsl181993ed;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f2834f7-7df2-4456-a678-8d594cebdf1d}\mpksl181993ed.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f2834f7-7df2-4456-a678-8d594cebdf1d}\MpKsl181993ed.sys [?]
S1 MpKsl1dfc68cd;MpKsl1dfc68cd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8564bbe1-c607-4b27-af53-58de05f04db4}\mpksl1dfc68cd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8564bbe1-c607-4b27-af53-58de05f04db4}\MpKsl1dfc68cd.sys [?]
S1 MpKsl4b5e7a29;MpKsl4b5e7a29;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c91156f9-9ada-4273-b585-31c251c5ce5c}\mpksl4b5e7a29.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c91156f9-9ada-4273-b585-31c251c5ce5c}\MpKsl4b5e7a29.sys [?]
S1 MpKsl4cd0e030;MpKsl4cd0e030;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12166d97-593b-409d-9877-945ee790a7e6}\mpksl4cd0e030.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12166d97-593b-409d-9877-945ee790a7e6}\MpKsl4cd0e030.sys [?]
S1 MpKsl61f0b96a;MpKsl61f0b96a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ea61a01d-c928-47bc-80f7-8a45fb1d348b}\mpksl61f0b96a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ea61a01d-c928-47bc-80f7-8a45fb1d348b}\MpKsl61f0b96a.sys [?]
S1 MpKsl7422c9be;MpKsl7422c9be;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8564bbe1-c607-4b27-af53-58de05f04db4}\mpksl7422c9be.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8564bbe1-c607-4b27-af53-58de05f04db4}\MpKsl7422c9be.sys [?]
S1 MpKsl7a0a5f84;MpKsl7a0a5f84;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{79f7eef1-1087-4dbc-9c2c-da41adf5be4b}\mpksl7a0a5f84.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{79f7eef1-1087-4dbc-9c2c-da41adf5be4b}\MpKsl7a0a5f84.sys [?]
S1 MpKsl7ff50370;MpKsl7ff50370;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{017c2bef-3849-470f-8432-e6cbf104c660}\mpksl7ff50370.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{017c2bef-3849-470f-8432-e6cbf104c660}\MpKsl7ff50370.sys [?]
S1 MpKsl9e731847;MpKsl9e731847;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{95d708e9-e6d6-41fd-9cbd-46e3f9280a10}\mpksl9e731847.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{95d708e9-e6d6-41fd-9cbd-46e3f9280a10}\MpKsl9e731847.sys [?]
S1 MpKslbe01cc62;MpKslbe01cc62;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bf0e77e-a687-41f0-9654-82ca5b263d51}\mpkslbe01cc62.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9bf0e77e-a687-41f0-9654-82ca5b263d51}\MpKslbe01cc62.sys [?]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2009-12-15 38976]
.
=============== File Associations ===============
.
ShellExec: AcroRd32.exe: print="c:\program files\adobe\acrobat 4.0\reader\AcroRd32.exe"
ShellExec: AcroRd32.exe: printto="c:\program files\adobe\acrobat 4.0\reader\AcroRd32.exe"
ShellExec: Foxit Reader.exe: print="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/p "%1"
ShellExec: Foxit Reader.exe: printto="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2011-07-19 15:22:57 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8d84bb94-70af-4875-9040-bf4ae81847f7}\MpKsl7392fc0d.sys
2011-07-19 15:20:59 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8d84bb94-70af-4875-9040-bf4ae81847f7}\mpengine.dll
2011-07-17 19:23:36 -------- d-sh--w- C:\FOUND.026
2011-07-17 17:18:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-17 17:18:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-12 18:58:00 -------- d-----w- c:\documents and settings\user\application data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2011-07-12 18:57:50 -------- d-----w- c:\program files\TweetDeck
2011-07-12 18:57:05 -------- d-----w- c:\documents and settings\user\local settings\application data\Adobe
2011-07-11 21:48:12 12800 ----a-w- c:\program files\mozilla firefox\plugins\npwachk.dll
2011-07-11 14:59:45 -------- d-----w- c:\documents and settings\user\application data\KDE
2011-07-11 14:59:34 -------- d-----w- c:\program files\KDE
2011-07-09 19:56:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-09 19:50:19 -------- d-----w- c:\documents and settings\all users\application data\PDF reDirect
2011-07-09 19:47:03 -------- d-----w- c:\documents and settings\user\application data\PDF reDirect
2011-07-09 19:46:52 -------- d-----w- c:\program files\PDF reDirect
2011-07-09 03:53:54 -------- d-----w- c:\windows\SxsCaPendDel
2011-07-04 04:42:45 -------- d-----w- c:\program files\Revo Uninstaller
2011-07-04 00:46:10 -------- d-sh--w- C:\FOUND.025
2011-06-28 03:57:25 -------- d-----w- C:\ProcAlyzer Dumps
2011-06-26 07:06:13 -------- d-----w- c:\documents and settings\user\application data\IObit
2011-06-26 03:15:40 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-26 03:15:39 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-21 03:51:44 -------- d-sh--w- C:\FOUND.024
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 00:19:52 770384 ----a-w- c:\windows\system32\msvcr100.dll
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:28 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:44 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:12 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:12 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:44 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 18:32:20.14 ===============
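As an added example that is not part of any post in this thread, the script below triages lines from a DDS pseudo-HJT report the way an analyst does by eye: autostarts that launch from user-writable data folders (like the Security Protection entry for defender.exe above), bare filenames resolved through PATH search, DNS resolvers outside an expected set, and Hosts overrides. The trusted-directory heuristic and the resolver allow-list (built from the ISP and OpenDNS addresses in the log) are my assumptions; the sample lines are copied from the report above.

```python
import re

# Constructed sample: autostart, DNS and Hosts lines copied from the DDS
# "Pseudo HJT Report" above, embedded here so the script runs offline.
SAMPLE_REPORT = r"""uRun: [IDriveE Startup] "c:\program files\idrive\IDrvieEStartup.exe" Hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [SystemTray] SysTray.Exe
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\user\startm~1\programs\startup\keytext.lnk - c:\program files\keytext\KeyText.exe
TCP: NameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{86C114B1-6950-47C6-80DA-7B658D817BE9} : NameServer = 208.67.222.222,208.67.220.220
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# DDS line shapes: HKCU/HKLM Run values, Startup-folder shortcuts, resolver
# settings (NameServer and DHCPNameServer both match the NS pattern).
RUN_RE = re.compile(r'^(uRun|mRun): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^StartupFolder: .*? - (?P<cmd>.*)$')
NS_RE = re.compile(r'^TCP: .*NameServer = (?P<servers>.*)$')

# Assumption: legitimate software on this XP box installs under these roots.
# An autostart executing from anywhere else (profile, All Users\Application
# Data, temp, drive root) is where rogues such as defender.exe tend to live.
TRUSTED_DIRS = (r'c:\windows', r'c:\program files', r'c:\progra~1')

# Assumption: allow-list built from the resolvers visible in the report
# (the ISP's DHCP-assigned servers plus OpenDNS). Anything else is flagged,
# since silently swapped resolvers are one cause of search redirects.
EXPECTED_NAMESERVERS = {'68.87.71.230', '68.87.73.246',
                        '208.67.222.222', '208.67.220.220'}


def image_path(cmd):
    """Extract the lower-cased executable path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                    # quoted path, args follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    # Unquoted path (may contain spaces): take everything up to the first
    # executable extension that is followed by whitespace or end of line.
    m = re.match(r'(.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else cmd.lower()


def classify_autostart(path):
    """Return a reason string when an autostart image looks suspicious, else None."""
    if '\\' not in path:
        return 'bare filename, resolved via PATH search order'
    if not path.startswith(TRUSTED_DIRS):
        return 'executes from a user-writable location outside Windows/Program Files'
    return None


def triage(report_text):
    """Scan DDS pseudo-HJT lines; return a list of (line, reason) findings."""
    findings = []
    for line in report_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            reason = classify_autostart(image_path(m.group('cmd')))
            if reason:
                findings.append((line, reason))
            continue
        m = NS_RE.match(line)
        if m:
            servers = set(re.split(r'[ ,]+', m.group('servers').strip()))
            unexpected = servers - EXPECTED_NAMESERVERS
            if unexpected:
                findings.append((line, 'unexpected DNS resolver(s): '
                                 + ', '.join(sorted(unexpected))))
            continue
        if line.startswith('Hosts:'):
            # Any hosts override is worth a look: here a security site is
            # pinned to 127.0.0.1, which is either the owner's blocklist or
            # malware blocking help sites.
            findings.append((line, 'hosts-file override; confirm it is intentional'))
    return findings


if __name__ == '__main__':
    for line, reason in triage(SAMPLE_REPORT):
        print(f'{reason}\n    {line}')
```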

ken545
2011-07-23, 01:48


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


uTorrent. <-- Just want to give you a heads up on P2P programs: you're downloading a file from an unknown source, you never know what's attached to that file, it's like playing Russian roulette malware-wise.

Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.



We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.


If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.


We do not ask you to do this without reason.


P2P (File Sharing) programs form a direct conduit onto your computer; their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.



Uninstall uTorrent if you want to proceed with cleaning your system


Then run this program



Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (511KB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

skookster
2011-07-23, 03:09
Thanks ken545, understood. uTorrent uninstalled.

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-22 20:05:11
-----------------------------
20:05:11.703 OS Version: Windows 5.1.2600 Service Pack 3
20:05:11.703 Number of processors: 1 586 0x209
20:05:11.703 ComputerName: DW UserName:
20:05:16.468 Initialize success
20:05:48.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:05:48.734 Disk 0 Vendor: ST340015A 3.15 Size: 38166MB BusType: 3
20:05:48.734 Disk 0 MBR read successfully
20:05:48.734 Disk 0 MBR scan
20:05:48.734 Disk 0 Windows XP default MBR code
20:05:48.734 Disk 0 scanning sectors +78156225
20:05:48.765 Disk 0 scanning C:\WINDOWS\system32\drivers
20:06:10.156 Service scanning
20:06:10.953 Service MpKsl671a813c C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C2C792EC-D2A9-49EF-9431-F697E098570B}\MpKsl671a813c.sys **LOCKED** 32
20:06:11.750 Modules scanning
20:06:28.390 Disk 0 trace - called modules:
20:06:28.406 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:06:28.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f68ab8]
20:06:28.406 3 CLASSPNP.SYS[f75d6fd7] -> nt!IofCallDriver -> \Device\00000066[0x86f7b2a0]
20:06:28.421 5 ACPI.sys[f754d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f6a940]
20:06:28.421 Scan finished successfully
20:06:45.406 Disk 0 MBR has been saved successfully to "D:\My Documents\MBR.dat"
20:06:45.468 The log file has been saved successfully to "D:\My Documents\aswMBR.txt"

skookster
2011-07-23, 03:17
MBR.dat and aswMBR.txt moved to desktop.

ken545
2011-07-23, 03:50
Hi,

Let's do this

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Make sure you have the latest version of Malwarebytes, 1.51, if not go to Updates and update it to the latest version and run a Quick Scan and post the log.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

skookster
2011-07-23, 05:51
ATF-Cleaner.exe failed to delete cookies, so I deleted them manually from Firefox, Chrome and (just to be safe) IE8.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7187

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/22/2011 10:04:51 PM
mbam-log-2011-07-22 (22-04-51).txt

Scan type: Quick scan
Objects scanned: 162741
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Security Protection (Rogue.Spypro) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ComboFix 11-07-19.03 - Dee 07/22/2011 22:23:27.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.406 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\Microsoft\Internet Explorer\Desktop.htt
c:\documents and settings\user\Local Settings\Application Data\{18E38FF3-11A1-4CA4-9A6C-6FFC9D16B524}
c:\documents and settings\user\Local Settings\Application Data\{18E38FF3-11A1-4CA4-9A6C-6FFC9D16B524}\chrome.manifest
c:\documents and settings\user\Local Settings\Application Data\{18E38FF3-11A1-4CA4-9A6C-6FFC9D16B524}\chrome\content\_cfg.js
c:\documents and settings\user\Local Settings\Application Data\{18E38FF3-11A1-4CA4-9A6C-6FFC9D16B524}\chrome\content\overlay.xul
c:\documents and settings\user\Local Settings\Application Data\{18E38FF3-11A1-4CA4-9A6C-6FFC9D16B524}\install.rdf
c:\documents and settings\user\WINDOWS
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FAD
.
.
((((((((((((((((((((((((( Files Created from 2011-06-23 to 2011-07-23 )))))))))))))))))))))))))))))))
.
.
2011-07-23 02:01 . 2011-07-23 02:01 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D15003E-AC9E-458C-81B2-54E58E7A8958}\MpKsl2fb20aec.sys
2011-07-23 01:58 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D15003E-AC9E-458C-81B2-54E58E7A8958}\mpengine.dll
2011-07-20 03:04 . 2011-07-20 03:04 -------- d-----w- c:\program files\Common Files\Java
2011-07-17 19:23 . 2011-07-17 19:23 -------- d-----w- C:\FOUND.026
2011-07-17 17:18 . 2011-07-17 17:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-12 18:58 . 2011-07-12 18:58 -------- d-----w- c:\documents and settings\user\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2011-07-12 18:57 . 2011-07-12 18:57 -------- d-----w- c:\program files\TweetDeck
2011-07-12 18:57 . 2011-07-12 18:57 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-07-12 18:57 . 2011-07-12 18:57 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Adobe
2011-07-11 21:48 . 2011-07-11 21:48 12800 ----a-w- c:\program files\Mozilla Firefox\plugins\npwachk.dll
2011-07-11 14:59 . 2011-07-11 14:59 -------- d-----w- c:\documents and settings\user\Application Data\KDE
2011-07-11 14:59 . 2011-07-11 14:59 -------- d-----w- c:\program files\KDE
2011-07-09 19:56 . 2011-07-09 19:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-09 19:50 . 2011-07-09 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF reDirect
2011-07-09 19:47 . 2011-07-09 19:47 -------- d-----w- c:\documents and settings\user\Application Data\PDF reDirect
2011-07-09 19:46 . 2011-07-09 19:46 -------- d-----w- c:\program files\PDF reDirect
2011-07-09 03:53 . 2011-07-09 03:53 -------- d-----w- c:\windows\SxsCaPendDel
2011-07-09 03:42 . 2011-07-09 03:42 -------- d-----w- c:\program files\ERUNT
2011-07-04 04:42 . 2011-07-04 04:42 -------- d-----w- c:\program files\Revo Uninstaller
2011-07-04 00:46 . 2011-07-04 00:46 -------- d-----w- C:\FOUND.025
2011-06-28 03:57 . 2011-06-28 03:57 -------- d-----w- C:\ProcAlyzer Dumps
2011-06-26 07:06 . 2011-06-26 07:06 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-06-26 03:15 . 2011-06-26 03:15 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-26 03:15 . 2011-06-26 03:15 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2011-01-31 00:17 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-06 23:52 . 2010-11-07 21:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-11-07 21:51 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2003-03-31 16:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-11 00:19 . 2011-06-12 14:37 770384 ----a-w- c:\windows\system32\msvcr100.dll
2011-05-04 08:52 . 2011-01-25 22:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2009-12-01 06:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2009-11-28 06:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2003-03-31 16:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2003-03-31 16:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2003-03-31 16:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2003-03-31 16:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2003-03-31 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2003-03-31 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2003-03-31 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 04:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-26 03:15 . 2011-04-02 05:44 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2009-09-21 173520]
"Screen Saver Control"="c:\program files\Screen Saver Control\ScreenSaverControl.exe" [2008-10-24 754176]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
KeyText.lnk - c:\program files\KeyText\KeyText.exe [2009-11-30 1008288]
IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2009-11-30 282624]
ScreenSaverControl.lnk - c:\program files\Screen Saver Control\ScreenSaverControl.exe [2008-10-24 754176]
ProcessExplorer.lnk - c:\program files\ProcessExplorer\procexp.exe [2009-12-2 4155256]
Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-11-30 924632]
FastStone Capture.lnk - c:\program files\FastStone Capture\FSCapture.exe [2007-1-7 1122816]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-1 813584]
Calculator.lnk - c:\program files\Moffsoft FreeCalc\MoffFreeCalc.exe [2004-8-28 791552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-02-07 14:35 136176 ----a-w- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 19:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\user\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15800:TCP"= 15800:TCP:IPv4
.
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [10/8/2010 12:38 PM 41912]
R1 MpKsl2fb20aec;MpKsl2fb20aec;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D15003E-AC9E-458C-81B2-54E58E7A8958}\MpKsl2fb20aec.sys [7/22/2011 10:01 PM 28752]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [10/8/2010 12:38 PM 142648]
R2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [11/30/2009 11:08 PM 143360]
R2 IDriveWebM;IDrive WebManager;c:\program files\IDrive\IDriveWebM.exe [11/30/2009 11:08 PM 118784]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/1/2009 10:08 AM 10384]
S1 MpKsl031cff38;MpKsl031cff38;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41958AE7-D159-493A-AF50-86F886F90271}\MpKsl031cff38.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41958AE7-D159-493A-AF50-86F886F90271}\MpKsl031cff38.sys [?]
S1 MpKsl181993ed;MpKsl181993ed;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F2834F7-7DF2-4456-A678-8D594CEBDF1D}\MpKsl181993ed.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F2834F7-7DF2-4456-A678-8D594CEBDF1D}\MpKsl181993ed.sys [?]
S1 MpKsl1dfc68cd;MpKsl1dfc68cd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8564BBE1-C607-4B27-AF53-58DE05F04DB4}\MpKsl1dfc68cd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8564BBE1-C607-4B27-AF53-58DE05F04DB4}\MpKsl1dfc68cd.sys [?]
S1 MpKsl3fd389e2;MpKsl3fd389e2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D15003E-AC9E-458C-81B2-54E58E7A8958}\MpKsl3fd389e2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D15003E-AC9E-458C-81B2-54E58E7A8958}\MpKsl3fd389e2.sys [?]
S1 MpKsl4b5e7a29;MpKsl4b5e7a29;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C91156F9-9ADA-4273-B585-31C251C5CE5C}\MpKsl4b5e7a29.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C91156F9-9ADA-4273-B585-31C251C5CE5C}\MpKsl4b5e7a29.sys [?]
S1 MpKsl4cd0e030;MpKsl4cd0e030;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12166D97-593B-409D-9877-945EE790A7E6}\MpKsl4cd0e030.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12166D97-593B-409D-9877-945EE790A7E6}\MpKsl4cd0e030.sys [?]
S1 MpKsl61f0b96a;MpKsl61f0b96a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA61A01D-C928-47BC-80F7-8A45FB1D348B}\MpKsl61f0b96a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA61A01D-C928-47BC-80F7-8A45FB1D348B}\MpKsl61f0b96a.sys [?]
S1 MpKsl7422c9be;MpKsl7422c9be;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8564BBE1-C607-4B27-AF53-58DE05F04DB4}\MpKsl7422c9be.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8564BBE1-C607-4B27-AF53-58DE05F04DB4}\MpKsl7422c9be.sys [?]
S1 MpKsl7a0a5f84;MpKsl7a0a5f84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{79F7EEF1-1087-4DBC-9C2C-DA41ADF5BE4B}\MpKsl7a0a5f84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{79F7EEF1-1087-4DBC-9C2C-DA41ADF5BE4B}\MpKsl7a0a5f84.sys [?]
S1 MpKsl7ff50370;MpKsl7ff50370;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{017C2BEF-3849-470F-8432-E6CBF104C660}\MpKsl7ff50370.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{017C2BEF-3849-470F-8432-E6CBF104C660}\MpKsl7ff50370.sys [?]
S1 MpKsl9e731847;MpKsl9e731847;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{95D708E9-E6D6-41FD-9CBD-46E3F9280A10}\MpKsl9e731847.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{95D708E9-E6D6-41FD-9CBD-46E3F9280A10}\MpKsl9e731847.sys [?]
S1 MpKslbe01cc62;MpKslbe01cc62;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9BF0E77E-A687-41F0-9654-82CA5B263D51}\MpKslbe01cc62.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9BF0E77E-A687-41F0-9654-82CA5B263D51}\MpKslbe01cc62.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/7/2010 5:51 PM 41272]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [12/15/2009 6:48 PM 38976]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-23 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-07-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-07-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2011-07-09 19:31]
.
2011-07-22 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2011-07-09 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Program%20Files/Internet%20Explorer/Blank.htm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{86C114B1-6950-47C6-80DA-7B658D817BE9}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{96FCD304-90F6-4C01-B894-28DC74FEEBAB}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\61a6e9yd.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Program%20Files/Mozilla%20Firefox/blank-navy.htm
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Name of App - c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-22 22:34
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(460)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\IDrive\IDriveEView.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\tcpsvcs.exe
c:\program files\IDrive\IDriveETray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\IDrive\IDriveEBackground.exe
c:\program files\IDrive\IDriveEClsClient.exe
.
**************************************************************************
.
Completion time: 2011-07-22 22:38:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-23 02:38
.
Pre-Run: 7,157,071,872 bytes free
Post-Run: 7,099,138,048 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30
.
- - End Of File - - 108925F7CD459FBC9447D63D892D87C1

ken545
2011-07-23, 13:21
How are the redirects?


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

skookster
2011-07-23, 23:10
No redirects so far.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7253

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/23/2011 4:06:14 PM
mbam-log-2011-07-23 (16-06-14).txt

Scan type: Quick scan
Objects scanned: 163901
Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ken545
2011-07-24, 02:51
Great !!!!!

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

skookster
2011-07-24, 19:00
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=fa014314c49c7046853635a0b28e051e
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-24 02:50:10
# local_time=2011-07-24 10:50:10 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 49496158 49496158 0 0
# compatibility_mode=5891 16776869 42 87 0 22627018 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=13166
# found=0
# cleaned=0
# scan_time=477
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=fa014314c49c7046853635a0b28e051e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-24 03:57:04
# local_time=2011-07-24 11:57:04 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 49496714 49496714 0 0
# compatibility_mode=5891 16776869 42 87 0 22627574 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=59297
# found=0
# cleaned=0
# scan_time=3935

ken545
2011-07-24, 19:53
Looking good, any issues you feel are related to malware?

skookster
2011-07-24, 20:37
Only remaining issue is svchost.exe memory leaks, but that's not related (unless you want to label WinXP as malware :laugh: ).

Excellent support, thanks for all your help!

ken545
2011-07-24, 21:54
Why do you think you have memory leaks? When you have a few programs open and running you will see multiple instances of svchost running.

skookster
2011-07-25, 05:48
One running instance of svchost.exe has a habit of grabbing virtually 100% of CPU for periods of 5-10 seconds. I'm running Process Explorer, but haven't been able to narrow it down to which dll is the culprit.

ken545
2011-07-25, 10:54
Let's find its location and make sure it's safe.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main text field:


:filefind
svchost.exe
:process
svchost.exe


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
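
The checks a helper then does by hand on that SystemLook report (is every svchost.exe copy in a folder Windows keeps it in, is each running instance the System32 file with the same MD5, and does anything load into it from outside the Windows folder) can be scripted. The Python below is an added example for this thread; it is not part of SystemLook or of any post here. The expected-folder list is an assumption taken from the paths in this thread's log, the embedded sample log is constructed, and the Temp-folder copy, its DEADBEEF hash and hlpsvc\hook.dll are invented so the script has something to flag.

```python
"""Triage svchost.exe copies and running instances from a SystemLook log.

Added example for this thread, not part of SystemLook or of any post above.
It parses ':filefind' and ':process' output in the format SystemLook prints
and flags what a helper checks by hand: copies outside the folders XP keeps
them in, a System32 copy that no longer matches the ServicePackFiles cache,
instances not running from System32 (or with a different MD5), and modules
loaded from outside the Windows directory. SAMPLE_LOG is constructed; the
Temp copy, its hash and hook.dll are invented so there is something to flag.
"""
import re

WINDIR = r"C:\WINDOWS"
SYSTEM32_SVCHOST = WINDIR + r"\system32\svchost.exe"
SP_CACHE_SVCHOST = WINDIR + r"\servicepackfiles\i386\svchost.exe"
# Folders XP legitimately keeps svchost.exe copies in (assumption from the paths
# in the thread's log; ERDNT\cache is ERUNT's backup, and $NtServicePackUninstall$
# holds the pre-service-pack binary, so its hash is expected to differ).
EXPECTED_COPY_DIRS = {d.lower() for d in (WINDIR + r"\system32", WINDIR + r"\servicepackfiles\i386",
                      WINDIR + r"\$ntservicepackuninstall$", WINDIR + r"\erdnt\cache")}

FILEFIND_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.exe)\s+\S{7}\s+\d+ bytes\s.*?"
                         r"(?P<md5>[0-9A-Fa-f]{32})$")


def parse_systemlook(text):
    """Return (copies, instances): dicts with path/md5, instances also carry modules."""
    copies, instances, section, current = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("========== filefind"):
            section = "filefind"
        elif line.startswith("========== process"):
            section, current = "process", None
        elif section == "filefind":
            m = FILEFIND_RE.match(line)
            if m:
                copies.append({"path": m.group("path"), "md5": m.group("md5").upper()})
        elif section == "process":
            if not line:                      # a blank line ends one instance block
                current = None
            elif line.startswith("File path:"):
                current = {"path": line.split(":", 1)[1].strip(), "md5": None, "modules": []}
                instances.append(current)
            elif line.startswith("MD5:") and current is not None:
                current["md5"] = line.split(":", 1)[1].strip().upper()
            elif current is not None and re.match(r"^[A-Za-z]:\\", line):
                current["modules"].append(line)
    return copies, instances


def triage(copies, instances):
    """Return (kind, detail) findings worth a human look; an empty list means clean."""
    findings = []
    by_path = {c["path"].lower(): c for c in copies}
    canonical = by_path.get(SYSTEM32_SVCHOST.lower())
    sp_cache = by_path.get(SP_CACHE_SVCHOST.lower())
    if canonical is None:
        findings.append(("no_system32_copy", SYSTEM32_SVCHOST))
    elif sp_cache is not None and sp_cache["md5"] != canonical["md5"]:
        findings.append(("system32_differs_from_sp_cache", canonical["md5"]))  # hotfix, or tampering
    for c in copies:
        if c["path"].rsplit("\\", 1)[0].lower() not in EXPECTED_COPY_DIRS:
            findings.append(("unexpected_copy", c["path"]))
    for inst in instances:
        path_l = inst["path"].lower()
        if path_l != SYSTEM32_SVCHOST.lower():
            findings.append(("instance_outside_system32", inst["path"]))
        elif canonical is not None and inst["md5"] != canonical["md5"]:
            findings.append(("instance_hash_mismatch", inst["path"]))
        for mod in inst["modules"]:           # skip the image itself, reported above
            if mod.lower() != path_l and not mod.lower().startswith(WINDIR.lower() + "\\"):
                findings.append(("foreign_module", mod))
    return findings


SAMPLE_LOG = r"""========== filefind ==========
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [16:00 31/03/2003] [23:12 13/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [06:56 04/08/2004] [23:12 13/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe ------- 14336 bytes [02:05 01/12/2009] [06:56 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe --a---- 61440 bytes [03:12 20/07/2011] [03:12 20/07/2011] DEADBEEFDEADBEEFDEADBEEFDEADBEEF

========== process ==========
File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
c:\windows\system32\dnsrslvr.dll

File path: C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
MD5: DEADBEEFDEADBEEFDEADBEEFDEADBEEF
Modules:
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
C:\WINDOWS\system32\WININET.dll
C:\Documents and Settings\user\Application Data\hlpsvc\hook.dll
"""

if __name__ == "__main__":
    for kind, detail in triage(*parse_systemlook(SAMPLE_LOG)):
        print("%-32s %s" % (kind, detail))
```

Run it against a real SystemLook.txt by passing the file's contents to parse_systemlook. A clean XP box, like the log posted later in this thread, yields no findings: the $NtServicePackUninstall$ copy carries the older pre-SP3 hash on purpose and is not flagged, and a System32 hash that differs from the ServicePackFiles copy is reported as something to verify (a hotfix can cause it), not as proof of infection. Modules reported as foreign are worth a look but are not automatically malicious; a third-party service hosted in svchost would show the same way.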

skookster
2011-07-25, 21:25
Thank you for taking a look at this, but please note: I'm not 100% certain that the svchost problem has continued since I performed your malware analysis and removal process. Although I've seen some moments of high CPU usage, they all seem to have originated from specific running applications.

Let's disregard for now, and I'll open a new thread if it recurs.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SystemLook 04.09.10 by jpshortstuff
Log created at 14:11 on 25/07/2011 by Dee
Administrator - Elevation successful

========== filefind ==========

Searching for "svchost.exe "
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [16:00 31/03/2003] [23:12 13/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [02:37 23/07/2011] [23:12 13/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [06:56 04/08/2004] [23:12 13/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe ------- 14336 bytes [02:05 01/12/2009] [06:56 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

========== process ==========

svchost.exe - 8 handle(s) returned.
File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\System32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\NTMARTA.DLL
C:\WINDOWS\System32\SAMLIB.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\xpsp2res.dll
c:\windows\system32\ssdpsrv.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
C:\WINDOWS\System32\hnetcfg.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\CLBCATQ.DLL
C:\WINDOWS\System32\COMRes.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\wshtcpip.dll

File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\System32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
c:\windows\system32\wiaservc.dll
c:\windows\system32\CFGMGR32.dll
c:\windows\system32\setupapi.DLL
c:\windows\system32\mscms.dll
c:\windows\system32\WINSPOOL.DRV
c:\windows\system32\WINSTA.dll
c:\windows\system32\NETAPI32.dll
C:\WINDOWS\System32\xpsp2res.dll
C:\WINDOWS\System32\CLBCATQ.DLL
C:\WINDOWS\System32\COMRes.dll
C:\WINDOWS\System32\WINTRUST.dll
C:\WINDOWS\System32\CRYPT32.dll
C:\WINDOWS\System32\MSASN1.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\System32\wiavusd.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\gdiplus.dll
C:\WINDOWS\System32\SHFOLDER.dll
C:\WINDOWS\system32\actxprxy.dll
C:\WINDOWS\System32\sti.dll

File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\System32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\NTMARTA.DLL
C:\WINDOWS\System32\SAMLIB.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\xpsp2res.dll
c:\windows\system32\webclnt.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\Normaliz.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\iertutil.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
C:\WINDOWS\System32\rsaenh.dll

File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\System32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\NTMARTA.DLL
C:\WINDOWS\System32\SAMLIB.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\xpsp2res.dll
c:\windows\system32\schedsvc.dll
c:\windows\system32\NETAPI32.dll
c:\windows\system32\NTDSAPI.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
C:\WINDOWS\system32\IMAGEHLP.dll
c:\windows\system32\WTSAPI32.dll
c:\windows\system32\WINSTA.dll
C:\WINDOWS\system32\msv1_0.dll
C:\WINDOWS\System32\cryptdll.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\System32\MSIDLE.DLL
C:\WINDOWS\System32\rsaenh.dll
C:\WINDOWS\System32\CRYPT32.dll
C:\WINDOWS\System32\MSASN1.dll
C:\WINDOWS\system32\Apphelp.dll

File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\System32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
c:\windows\system32\dnsrslvr.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\iphlpapi.dll
C:\WINDOWS\System32\rsaenh.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\hnetcfg.dll
C:\WINDOWS\System32\wshtcpip.dll

File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\System32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\NTMARTA.DLL
C:\WINDOWS\System32\SAMLIB.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\xpsp2res.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wzcsvc.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\WMI.dll
c:\windows\system32\CRYPT32.dll
c:\windows\system32\MSASN1.dll
c:\windows\system32\EapolQec.dll
c:\windows\system32\ATL.DLL
c:\windows\system32\QUtil.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\WTSAPI32.dll
c:\windows\system32\WINSTA.dll
c:\windows\system32\NETAPI32.dll
c:\windows\system32\ESENT.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\hnetcfg.dll
C:\WINDOWS\System32\wshtcpip.dll
c:\windows\system32\shsvcs.dll
C:\WINDOWS\System32\CLBCATQ.DLL
C:\WINDOWS\System32\COMRes.dll
C:\WINDOWS\System32\rsaenh.dll
C:\WINDOWS\System32\rastls.dll
C:\WINDOWS\System32\CRYPTUI.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\Normaliz.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\iertutil.dll
C:\WINDOWS\System32\WINTRUST.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\System32\MPRAPI.dll
C:\WINDOWS\System32\ACTIVEDS.dll
C:\WINDOWS\System32\adsldpc.dll
C:\WINDOWS\System32\SETUPAPI.dll
C:\WINDOWS\System32\RASAPI32.dll
C:\WINDOWS\System32\rasman.dll
C:\WINDOWS\System32\TAPI32.dll
C:\WINDOWS\System32\SCHANNEL.dll
C:\WINDOWS\System32\WinSCard.dll
C:\WINDOWS\System32\PSAPI.DLL
c:\windows\system32\audiosrv.dll
C:\WINDOWS\system32\msv1_0.dll
C:\WINDOWS\System32\cryptdll.dll
C:\WINDOWS\System32\raschap.dll
c:\windows\system32\cryptsvc.dll
c:\windows\system32\certcli.dll
c:\windows\system32\es.dll
c:\windows\system32\ersvc.dll
c:\windows\system32\dmserver.dll
c:\windows\pchealth\helpctr\binaries\pchsvc.dll
c:\windows\system32\srvsvc.dll
c:\windows\system32\netman.dll
c:\windows\system32\netshell.dll
c:\windows\system32\credui.dll
c:\windows\system32\dot3dlg.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappcfg.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WZCSAPI.DLL
c:\windows\system32\srsvc.dll
c:\windows\system32\POWRPROF.dll
c:\windows\system32\sens.dll
c:\windows\system32\seclogon.dll
c:\windows\system32\tapisrv.dll
c:\windows\system32\trkwks.dll
c:\windows\system32\wbem\wmisvc.dll
C:\WINDOWS\system32\VSSAPI.DLL
c:\windows\system32\w32time.dll
c:\windows\system32\wuauserv.dll
c:\windows\system32\ipnathlp.dll
c:\windows\system32\AUTHZ.dll
C:\WINDOWS\system32\wuaueng.dll
C:\WINDOWS\System32\WINSPOOL.DRV
C:\WINDOWS\System32\WINHTTP.dll
C:\WINDOWS\System32\Cabinet.dll
C:\WINDOWS\System32\mspatcha.dll
c:\windows\system32\wscsvc.dll
c:\windows\system32\msi.dll
C:\WINDOWS\System32\wbem\wbemcomn.dll
C:\WINDOWS\system32\wbem\wbemcore.dll
C:\WINDOWS\system32\wbem\esscli.dll
C:\WINDOWS\system32\wbem\FastProx.dll
C:\WINDOWS\System32\NTDSAPI.dll
C:\WINDOWS\System32\SXS.DLL
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\System32\sfc.dll
C:\WINDOWS\System32\sfc_os.dll
C:\Program Files\Bonjour\mdnsNSP.dll
C:\WINDOWS\system32\comsvcs.dll
C:\WINDOWS\system32\colbact.DLL
C:\WINDOWS\system32\MTXCLU.DLL
C:\WINDOWS\system32\WSOCK32.dll
C:\WINDOWS\System32\CLUSAPI.DLL
C:\WINDOWS\System32\RESUTILS.DLL
C:\WINDOWS\System32\wbem\wbemsvc.dll
C:\WINDOWS\System32\upnp.dll
C:\WINDOWS\System32\SSDPAPI.dll
C:\WINDOWS\System32\wbem\wmiutils.dll
C:\WINDOWS\system32\wbem\repdrvfs.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\System32\wbem\wmiprvsd.dll
C:\WINDOWS\system32\NCObjAPI.DLL
C:\WINDOWS\System32\wbem\wbemess.dll
C:\WINDOWS\System32\netcfgx.dll
C:\WINDOWS\System32\rasmans.dll
C:\WINDOWS\System32\WINIPSEC.DLL
C:\WINDOWS\System32\rasadhlp.dll
C:\WINDOWS\System32\rastapi.dll
C:\WINDOWS\System32\wbem\ncprov.dll
C:\WINDOWS\System32\unimdm.tsp
C:\WINDOWS\System32\uniplat.dll
C:\WINDOWS\System32\kmddsp.tsp
C:\WINDOWS\System32\ndptsp.tsp
C:\WINDOWS\System32\ipconf.tsp
C:\WINDOWS\System32\h323.tsp
C:\WINDOWS\System32\hidphone.tsp
C:\WINDOWS\System32\HID.DLL
C:\WINDOWS\System32\rasppp.dll
C:\WINDOWS\System32\ntlsapi.dll
C:\WINDOWS\system32\kerberos.dll
C:\WINDOWS\System32\RASQEC.DLL
C:\WINDOWS\System32\RASDLG.dll
C:\WINDOWS\System32\msxml3.dll
C:\WINDOWS\System32\dssenh.dll
C:\WINDOWS\system32\advpack.dll
c:\windows\system32\qmgr.dll
C:\WINDOWS\system32\MPR.dll
c:\windows\system32\SHFOLDER.dll
C:\WINDOWS\System32\catsrvut.dll
C:\WINDOWS\System32\catsrv.dll
C:\WINDOWS\System32\MfcSubs.dll
C:\WINDOWS\System32\wups2.dll

File path: C:\WINDOWS\system32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
c:\windows\system32\rpcss.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\Program Files\Bonjour\mdnsNSP.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll

File path: C:\WINDOWS\system32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\NTMARTA.DLL
C:\WINDOWS\system32\SAMLIB.dll
C:\WINDOWS\system32\WLDAP32.dll
c:\windows\system32\rpcss.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\Apphelp.dll

-= EOF =-

ken545
2011-07-26, 00:46
What I was looking for was the folder that svchost was running from. The locations that you posted are legit; anyplace else and it could have been a virus.

If you would like, post at this Windows forum and let them sort out svchost for you. We all work together; we just do malware removal on this forum, and this looks like it may be Windows related. Link them to this thread so they can see what we have done:
http://forums.whatthetech.com/index.php?showforum=119

Like Safer, it's free, but you will have to register.

Let me know how it goes
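
The check described in the reply above (is every svchost.exe running from the Windows System32 folder?) can be applied mechanically to a process/module dump in the format posted earlier in this thread. The script below is an added example and is not part of the thread or of any tool mentioned in it. It assumes the system root is C:\WINDOWS (as in the posted log), and its sample input is constructed: two entries copied in spirit from the legitimate dump above, plus one made-up svchost.exe running from a user profile directory with an invented MD5. It goes slightly beyond the reply by also comparing the MD5 of each instance against the majority value (Windows ships a single svchost.exe binary, so all instances should hash identically) and listing modules loaded from outside the Windows directory, which are worth a look but are not automatically malicious (the Bonjour namespace provider in the real dump is a benign example).

```python
"""Flag suspicious svchost.exe instances in a "File path / MD5 / Modules" dump.

Added example for this thread, not code from the forum or from any tool it names.
Assumptions: the dump uses the block format seen above (blank line between
blocks) and the Windows directory is C:\WINDOWS.
"""
import ntpath
import re
from collections import Counter

# Constructed sample dump. The first two blocks mirror legitimate entries from
# the posted log; the third is an invented impostor with a made-up MD5.
SAMPLE_DUMP = r"""
File path: C:\WINDOWS\System32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntdll.dll
c:\windows\system32\dnsrslvr.dll

File path: C:\WINDOWS\system32\svchost.exe
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Modules:
C:\WINDOWS\system32\svchost.exe
c:\windows\system32\rpcss.dll
C:\Program Files\Bonjour\mdnsNSP.dll

File path: C:\Documents and Settings\Dee\Application Data\svchost.exe
MD5: 00112233445566778899AABBCCDDEEFF
Modules:
C:\Documents and Settings\Dee\Application Data\svchost.exe
C:\WINDOWS\system32\ntdll.dll
"""


def parse_dump(text):
    """Return a list of {'path', 'md5', 'modules'} dicts, one per block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        path, md5, modules, in_modules = None, None, [], False
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            lower = line.lower()
            if lower.startswith("file path:"):
                path = line.split(":", 1)[1].strip()
            elif lower.startswith("md5:"):
                md5 = line.split(":", 1)[1].strip().upper()
            elif lower == "modules:":
                in_modules = True
            elif in_modules:
                modules.append(line)
        if path:
            entries.append({"path": path, "md5": md5, "modules": modules})
    return entries


def check_svchost(entries, system_root=r"C:\WINDOWS"):
    """Apply the folder check, the MD5-consistency check and the module review.

    Returns one finding per svchost.exe instance, in dump order. 'problems' is
    empty for an instance that passes both hard checks.
    """
    root = ntpath.normcase(system_root)                 # 'c:\windows'
    expected_dir = ntpath.join(root, "system32")         # 'c:\windows\system32'
    hosts = [e for e in entries
             if ntpath.basename(e["path"]).lower() == "svchost.exe"]

    # The genuine binary is one file, so the majority hash is the reference;
    # a lone outlier is the one to worry about.
    reference_md5 = Counter(e["md5"] for e in hosts).most_common(1)[0][0] if hosts else None

    findings = []
    for e in hosts:
        problems = []
        if ntpath.normcase(ntpath.dirname(e["path"])) != expected_dir:
            problems.append("runs from outside System32")
        if e["md5"] != reference_md5:
            problems.append("MD5 differs from the other instances")
        # Modules outside the Windows directory: review, not automatically bad.
        third_party = [m for m in e["modules"]
                       if not ntpath.normcase(m).startswith(root + "\\")]
        findings.append({"path": e["path"], "problems": problems,
                         "third_party_modules": third_party})
    return findings


if __name__ == "__main__":
    for f in check_svchost(parse_dump(SAMPLE_DUMP)):
        status = "OK " if not f["problems"] else "BAD"
        print(status, f["path"], "; ".join(f["problems"]))
        for m in f["third_party_modules"]:
            print("     review:", m)
```

Run it against a real dump by reading the log file into `parse_dump` instead of `SAMPLE_DUMP`; any line marked BAD is the folder or hash mismatch the reply above warns about, and the "review" lines are the third-party DLLs riding inside a service host.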

skookster
2011-07-26, 01:17
Will do.

Your assistance has been exceptional -- thank you so much.

ken545
2011-07-26, 01:29
When you post, let me know and I will find you and follow along.


Combofix <--- is not a general cleaning tool; only run it with supervision or you can damage your system.


Click START then RUN
Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken