Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Google search redirecting

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default Google search redirecting

    Here's my hijack log. Thanks for any suggestions!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:36:57 AM, on 12/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\opcenum.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://submetersystems.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Copernic Desktop Search - Home - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search - Home\DesktopSearchBand300000081.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [RCHotKey] C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
    O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe" /tray
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.netlibrary.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon...ad/tgctlsi.cab
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace01.geextranet.com/qp2.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134442971035
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - http://service.ringcentral.com/Activ...age_Player.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shoc...sh/swflash.cab
    O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
    O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: CCFLIC0 - GE Fanuc Automation Americas - C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\opcenum.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10356 bytes

    Here's some addition info...

    Help! My home business computer has been taken over! My google search links are being redirected. I'm accessing this forum now on a different computer. Won't let me access this forum on infected PC. Can't install spybot or antivirus software. Do have HiJack installed though. Could only install adaware after disabling updates during install. Can't install Malwarebytes' Anti-Malware. It shows up in the task list as running the install but no window comes up. Any guidance appreciated!
    Last edited by tashi; 2008-12-15 at 21:27. Reason: Merged two posts, helpers look for topics without a response. :)

  2. #2
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default conbo fix doesn't run

    Thanks for taking this on!

    Installing Recovery Console:
    I have SP3. I inserted my XP pro CD (non SP3) and it auto ran its menu. Per MS help I did the start|run|d:\i386\winnt32.exe /cmdcons. It first said I didn't have the correct windows version but after I clicked ok it went and installed recovery console anyhow. I shutdown. It indicated it would also apply updates (probably the recovery console). When I started back up the selection between recover console and XP came up. I selected recovery console to see if it installed ok. It only displayed a bliking cursor in the upper left. After 5 minutes I restarted w/ctrl-alt-del. This time booted up in XP. Since I have ComboFix.exe on my desktop I went ahead and downloaded SP2 as suggested by the combofix tutorial. I dragged it onto the ComboFix.exe icon and nothing happened for a couple of minutes. Task manager indicated that combofix was running but no window appeared. I ended the combofix task.

    Running ComboFix:
    I attempted to run combofix but after a few minutes no window appeared. Task manager indicates ComboFixe.exe is running but nothing happens. I have to manually end it.

    Seems like ComboFix is being blocked from running.

  4. #4
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Rename ComboFix.exe -> ComboFxx.exe and try running again. Let me know if it helps
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default Able to run combofix!

    Renaming the file worked. I first drug SP2 over to combofix to install recovery console then it ran combofix. Came up with a window "...presense of rootkit activity.." then asked to reboot...it did. After I logged back in, before my desktop items came up combofix ran and did it's thing...deleting a few files and completing stages 1-50 then combofix rebooted my pc. Combofix ran and finished the log. See attached.

  6. #6
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Looks like we're making some progress though there's still work ahead.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    "yqweb3i1h1r.sys"
    "TDSSserv.sys"
    
    File::
    c:\windows\system32\drivers\yqweb3i1h1r.sys
    c:\system32\drivers\TDSSmhct.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yqweb3i1h1r.sys]

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Refering to the picture above, drag CFScript into ComboFxx.exe
    Then post the resultant log.


    Combofix should never take more that 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here.


    Download ATF (Atribune Temp File) Cleanerę by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh hjt log and above mentioned ComboFix resultant log (paste the contents to your reply without using attachments this time, please ).
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default KAS report, HJT log, ComboFix Log

    Looks like virus got in my Outlook pst files. Hope they can be cleaned rather than having to delete them. Continued thanks for your help!

    *** KAS REPORT ***

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, December 20, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, December 19, 2008 21:51:12
    Records in database: 1488954
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 97050
    Threat name: 21
    Infected objects: 30
    Suspicious objects: 0
    Duration of the scan: 03:38:28


    File name / Threat name / Threats count
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\011305-072606.pst Infected: Backdoor.IRC.Kangar 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Pcard.c 4
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.cw 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Smitfraud.c 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Citifraud.bz 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.w 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Sunfraud.ax 2
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Paylap.aa 2
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.TCFraud.j 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Smitfraud.a 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.br 3
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Citifraud.cg 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Paylap.bg 3
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Email-Worm.Win32.Sober.i 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.bx 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Email-Worm.Win32.Swen 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\drivers\TDSSmhct.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSShrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSoiqn.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSrtqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSxfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1

    The selected area was scanned.

    *** HJT LOG ***

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:52:55 AM, on 12/20/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\opcenum.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\RioMSC.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\My Book\WD Backup\uBBMonitor.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://submetersystems.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Copernic Desktop Search - Home - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search - Home\DesktopSearchBand300000081.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [RCHotKey] C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
    O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe" /tray
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.netlibrary.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon...ad/tgctlsi.cab
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace01.geextranet.com/qp2.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134442971035
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - http://service.ringcentral.com/Activ...age_Player.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shoc...sh/swflash.cab
    O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - https://service.ringcentral.com/ActiveX/RCAXSetup.cab
    O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\opcenum.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 9828 bytes

    *** COMBOFIX LOG ***

    ComboFix 08-12-15.03 - Jeff 2008-12-19 15:48:09.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.941 [GMT -8:00]
    Running from: c:\documents and settings\Jeff\Desktop\ComboFxx.exe
    Command switches used :: c:\documents and settings\Jeff\Desktop\cfscript.txt

    FILE ::
    c:\system32\drivers\TDSSmhct.sys
    c:\windows\system32\drivers\yqweb3i1h1r.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\TDSSmhct.sys
    c:\windows\system32\TDSShrsr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqn.dll
    c:\windows\system32\TDSSorvd.dat
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS
    -------\Legacy_YQWEB3I1H1R.SYS
    -------\Service_yqweb3i1h1r.sys


    ((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
    .

    2008-12-15 17:48 . 2008-12-17 06:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-13 23:04 . 2008-12-13 23:04 <DIR> d-------- c:\program files\Trend Micro
    2008-12-13 18:22 . 2008-12-13 18:22 <DIR> d-------- c:\program files\Lavasoft
    2008-12-13 18:22 . 2008-12-13 18:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-13 18:16 . 2008-12-13 18:16 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-12-13 10:52 . 2008-12-13 22:17 <DIR> d-------- c:\program files\Opera
    2008-11-28 07:43 . 2008-11-28 07:42 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-18 21:23 --------- d-----w c:\program files\True Read
    2008-12-14 17:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-14 17:33 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-12-10 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
    2008-11-28 15:42 --------- d-----w c:\program files\Java
    2008-11-27 06:46 --------- d-----w c:\documents and settings\Jeff\Application Data\Move Networks
    2008-11-17 20:54 --------- d-----w c:\program files\Google
    2008-11-17 20:00 --------- d-----w c:\program files\Copernic Desktop Search - Home
    2008-11-13 04:16 --------- d-----w c:\program files\Windows Desktop Search
    2008-11-09 20:19 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-09 20:19 --------- d-----w c:\program files\KEPServerEx
    2008-11-09 20:18 --------- d-----w c:\program files\Utility Consumer Demo
    2008-11-09 20:17 --------- d-----w c:\program files\Utility Consumer
    2008-11-05 02:19 --------- d-----w c:\documents and settings\Jeff\Application Data\Windows Search
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-21 17:19 376,617 ----a-w c:\program files\ScreenRipper.zip
    2008-10-08 14:50 56,912 ----a-w c:\documents and settings\Jeff\g2mdlhlpx.exe
    2008-10-03 00:18 73,216 ----a-w c:\windows\ST6UNST.EXE
    2008-10-03 00:18 249,856 ------w c:\windows\Setup1.exe
    2006-10-11 08:04 61,036 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
    2006-10-11 08:04 48,742 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2006-10-11 08:05 29,313 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
    2006-10-11 08:05 41,082 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
    2006-10-11 08:04 166,510 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-09-02 14:10 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-19_13.40.44.05 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-19 21:36:55 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    + 2008-12-19 23:34:32 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    - 2008-12-19 21:36:55 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-12-19 23:34:32 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-12-19 21:36:55 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-12-19 23:34:32 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-12-19 21:37:24 230,861 ----a-w c:\windows\SYSTEM32\INETSRV\MetaBase.bin
    + 2008-12-20 00:02:41 230,868 ----a-w c:\windows\SYSTEM32\INETSRV\MetaBase.bin
    + 2008-12-19 23:58:44 16,384 ----atw c:\windows\temp\Perflib_Perfdata_49c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
    "RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2007-11-06 380928]
    "RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2007-11-06 18944]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Copernic Desktop Search - Home"="c:\program files\Copernic Desktop Search - Home\DesktopSearchService.exe" [2008-09-18 1698816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
    "DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-14 86016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-27 98304]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2007-11-06 18944]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-31 185896]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2004-03-04 487424]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 c:\windows\KHALMNPR.Exe]
    "WD Button Manager"="WDBtnMgr.exe" [2007-04-21 c:\windows\SYSTEM32\WDBtnMgr.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-27 24576]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-12-28 450560]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-12-28 581632]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]
    WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-04-21 98304]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LeechFTP\\Leechftp.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
    "c:\\Program Files\\Danware Data\\NetOp Remote Control\\Guest\\NGSTW32.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
    "c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://submetersystems.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=
    uInternet Settings,ProxyOverride = localhost
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
    IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
    Trusted Zone: *.netlibrary.com

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\system32\RCMedia.dll - O16 -: {CF25C291-E91C-11D3-873F-0000B4A2973D}
    hxxp://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
    c:\windows\Downloaded Program Files\rcmedia.inf

    c:\windows\system32\NPRCAS.dll - O16 -: {EE85A9FD-6E52-4227-BB82-D46A660690EA}
    hxxps://service.ringcentral.com/ActiveX/RCAXSetup.cab
    c:\windows\Downloaded Program Files\RCAXSetup.inf
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-19 15:58:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\WLTRYSVC.EXE
    c:\windows\SYSTEM32\BCMWLTRY.EXE
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\SYSTEM32\INETSRV\inetinfo.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\SYSTEM32\opcenum.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\SYSTEM32\RioMSC.exe
    c:\program files\Logitech\SetPoint\KHALMNPR.exe
    c:\windows\SYSTEM32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-19 16:11:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-20 00:10:20
    ComboFix2.txt 2008-12-19 21:42:44

    Pre-Run: 1,245,683,712 bytes free
    Post-Run: 1,228,111,872 bytes free

    184 --- E O F --- 2008-12-18 22:04:16

  8. #8
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Since Kaspersky doesn't list the messages you have to check them separately and delete suspicious looking ones.

    Those in qoobox folder will be deleted when ComboFix is uninstalled. We'll do that after you've deleted the suspicious messages.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Question Confirmation on deleting messages

    When you say "you have to check them separately and delete suspicious looking ones" do you mean you wish to have me delete the following files? I'm ok if that is the case.

    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\011305-072606.pst Infected: Backdoor.IRC.Kangar 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Pcard.c 4
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.cw 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Smitfraud.c 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Citifraud.bz 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.w 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Sunfraud.ax 2
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Paylap.aa 2
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.TCFraud.j 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Smitfraud.a 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.br 3
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Citifraud.cg 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Paylap.bg 3
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Email-Worm.Win32.Sober.i 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Trojan-Spy.HTML.Bankfraud.bx 1
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst Infected: Email-Worm.Win32.Swen 1

  10. #10
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    No. I mean some messages in these post archives are bad ones and should be deleted:
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\011305-072606.pst
    C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Outlook\backup_1-13-05_sav.pst

    Since Kaspersky doesn't list exact messages I can't tell what are the messages exactly. That's why all I can instruct is to ask you delete suspicious looking ones.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •