
Thread: tdss.rtk problems

  1. #1
    Junior Member
    Join Date
    Jul 2009
    Posts
    18

    tdss.rtk problems

    First, thanks in advance to whoever can help me.

    I try to run Spybot pretty regularly, and for a while now it keeps finding win32.tdss.rtk during scans and appears to be unable to remove them. The only symptom I am seeing is search engines like Google and Bing redirecting me to shopping sites and the like.

    I have followed all instructions in the "before you post" topics, backed up my registry, and produced a log.

    I have not attempted to "fix" anything beyond using Spybot and Antivir after scans. Neither of these programs has gotten the job done. I'm very afraid of messing up my computer so I've avoided going any deeper than that without expert help.

    Thanks again.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:30:37 PM, on 7/21/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
    C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
    O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125256495346
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151970618734
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

    --
    End of file - 6302 bytes
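
    An added example, not part of the original post and not code from any tool mentioned in this thread: a small Python triage script that pulls the O1 (hosts-file) entries out of a HijackThis log like the one above and classifies each mapping. A hosts-file line that sends a legitimate hostname to a public address bypasses DNS entirely, which is one mechanism behind the kind of search redirects described in the post. The sample log is constructed for the example (it reuses the O1 line from the log above and adds two made-up benign entries), and the function names are the example's own.

```python
"""Triage O1 (hosts-file) entries from a HijackThis log.

Added example, not from the forum post. It flags hosts-file lines that map a
hostname to an address outside the loopback/private ranges; that pattern makes
the browser resolve a legitimate name to a foreign server without any DNS lookup.
"""
import ipaddress
import re

# Matches HijackThis O1 lines, e.g.
# "O1 - Hosts: 91.207.117.244 browser-security.microsoft.com"
O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")


def classify_hosts_entry(ip_text, host):
    """Return a (verdict, reason) pair for one hosts-file mapping."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("suspicious", f"unparseable address {ip_text!r}")
    if ip.is_loopback or ip.is_unspecified:
        # 127.x / 0.0.0.0 mappings are the classic ad-blocking or sinkhole entry
        return ("benign", "maps to loopback/unspecified (blocking entry)")
    if ip.is_private or ip.is_link_local:
        # LAN overrides are common on home/office networks; worth a look, not an alarm
        return ("review", "maps to a private/link-local address (LAN override)")
    return ("hijack", f"maps {host} to public address {ip} (bypasses DNS)")


def triage_hjt_hosts(log_text):
    """Parse every O1 line in a HijackThis log and return one finding per entry."""
    findings = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue  # not an O1 line; other sections are out of scope here
        verdict, reason = classify_hosts_entry(m["ip"], m["host"])
        findings.append(
            {"host": m["host"], "ip": m["ip"], "verdict": verdict, "reason": reason}
        )
    return findings


# Constructed sample log: the O1 line from the post above plus two made-up
# entries showing the benign cases the check must not flag.
SAMPLE_LOG = (
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local\n"
    "O1 - Hosts: 91.207.117.244 browser-security.microsoft.com\n"
    "O1 - Hosts: 127.0.0.1 ads.example.invalid\n"
    "O1 - Hosts: 192.168.1.10 printer.lan\n"
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - "
    "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll\n"
)

if __name__ == "__main__":
    for f in triage_hjt_hosts(SAMPLE_LOG):
        print(f"[{f['verdict']:10}] {f['ip']:16} {f['host']}  -- {f['reason']}")
```

    Run against the constructed sample, the script reports the microsoft.com entry as a hijack, the 127.0.0.1 entry as benign and the 192.168.x entry as needing review. The same classifier can be pointed at a live hosts file by feeding it lines prefixed with `O1 - Hosts: `, or by adapting the regex to the raw `<ip> <hostname>` format.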

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You must have read and followed the "Before you Post" instructions.

    It appears AntiVir PersonalEdition Classic is your antivirus program of choice. Any reason why you still have this McAfee program running?
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    If not: McAfee Consumer Products Removal tool
    http://www.majorgeeks.com/McAfee_Con...ool_d5420.html

    tdss.rtk <<< usually evidence of a rootkit infection.

    1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

    2) Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed

    Please continue as follows:

    Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    http://www.bleepingcomputer.com/forums/topic114351.html
    Remember to re-enable them afterwards.

    Click Yes to allow ComboFix to continue scanning for malware.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    When the tool is finished, it will produce a report for you. Post that report and a new HJT log.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    3) Post also an uninstall list: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Jul 2009
    Posts
    18


    Hi,
    Thanks for your help.

    The McAfee stuff is left over from a long, long time ago when my university demanded I install it in order to use the campus network. I have tried uninstalling it using the provided uninstaller and also using Revo uninstaller but it just overrides me for some reason. The same thing happened with the tool provided, I don't know what else to do about it.

    Also, while running ComboFix (after rebooting) AntiVir seemed to kick back on even after I had disabled it (indicated by the little closed umbrella in the system tray), and I'm worried it interfered with the scan. Should I run it (ComboFix) again? And if so, how do I make sure AntiVir doesn't automatically start up again upon reboots while the tool is working? Please advise.

    In the meantime, here are the logs requested:
    ComboFix 09-07-21.03 - Lucia Alonzo 07/22/2009 7:32.3.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.732 [GMT -6:00]
    Running from: c:\documents and settings\Lucia Alonzo\My Documents\Downloads\ComboFix.exe
    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\command
    c:\windows\desktop
    c:\windows\Installer\28f83.msi
    c:\windows\system32\Drivers\axrskjs.sys
    c:\windows\system32\drivers\SKYNETkayxckkd.sys
    c:\windows\system32\kungsfayrmnuon.dat
    c:\windows\system32\kungsflog.dat
    c:\windows\system32\SKYNETmsfnliyv.dll
    c:\windows\system32\SKYNETnrbabrnl.dat
    c:\windows\system32\SKYNETpxmmldxb.dll
    c:\windows\system32\SKYNETvmyguubf.dat
    c:\windows\system32\test.ttt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SKYNETdqpqjcvv


    ((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
    .

    2009-07-21 21:30 . 2009-07-21 21:30 -------- d-----w- c:\program files\Trend Micro
    2009-07-21 21:27 . 2009-07-21 21:27 -------- d-----w- c:\program files\ERUNT
    2009-07-15 02:20 . 2009-07-15 02:33 -------- d-----w- c:\program files\iTunes
    2009-07-14 13:25 . 2009-07-14 13:25 -------- d-----w- c:\program files\Bonjour
    2009-07-07 15:51 . 2009-07-16 06:33 -------- d-----w- c:\documents and settings\Lucia Alonzo\Application Data\vlc
    2009-06-29 13:54 . 2009-06-29 13:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-21 21:24 . 2008-09-18 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-15 02:24 . 2005-01-18 02:36 -------- d-----w- c:\program files\iPod
    2009-07-15 02:22 . 2008-03-18 14:44 -------- d-----w- c:\program files\Common Files\Apple
    2009-07-15 02:07 . 2009-04-03 15:47 -------- d-----w- c:\program files\QuickTime
    2009-06-24 04:42 . 2008-09-23 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-24 04:41 . 2008-09-23 17:01 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-06-17 17:27 . 2008-09-23 16:58 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-17 17:27 . 2008-09-23 16:58 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-05 19:57 . 2009-06-05 19:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-03 19:09 . 2003-03-31 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-02 20:04 . 2009-06-02 20:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-05-27 16:54 . 2009-01-31 22:50 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:56 . 2006-04-28 16:58 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:55 . 2004-08-22 18:48 78336 ----a-w- c:\windows\system32\ieencode.dll
    2004-08-19 07:33 . 2004-08-19 07:33 11079 ---ha-w- c:\program files\folder.htt
    2009-07-19 03:58 . 2008-09-14 23:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    802.11b+g USB Wireless LAN Utility.lnk - c:\program files\WLAN\802.11b+g USB WLAN\ZDWlan.exe [2008-12-27 430080]
    Configuration & Monitor Utility.lnk - c:\program files\802.11 Wireless LAN\WlanMonitor.exe [2006-7-3 446464]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 USB Wireless USB Adapter(R);USB Wireless USB Adapter(R) Service for Wireless USB Adapter;c:\windows\SYSTEM32\DRIVERS\vnetusbr.sys [7/3/2006 7:09 PM 100736]
    R3 USBNDIS5;USBNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\USBNDIS5.sys [7/3/2006 5:35 PM 17920]
    S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\SYSTEM32\DRIVERS\DLKRTS.SYS [8/22/2004 3:24 PM 45568]
    S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [3/12/2008 8:57 AM 248320]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://d:\content\include\XPPatchInstaller.CAB
    FF - ProfilePath - c:\documents and settings\Lucia Alonzo\Application Data\Mozilla\Firefox\Profiles\7kfs7lmm.default\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-22 07:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-22 7:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-22 13:46
    ComboFix2.txt 2008-09-25 15:01
    ComboFix3.txt 2008-09-22 16:27

    Pre-Run: 37,822,765,568 bytes free
    Post-Run: 37,932,843,520 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    183 --- E O F --- 2009-07-16 06:35
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:59:17 AM, on 7/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
    O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125256495346
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151970618734
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

    --
    End of file - 5753 bytes


    7-Zip 4.65
    802.11b Wireless LAN
    802.11b+g USB Wireless LAN Adapter
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Reader 7.0.5 Language Support
    Adobe Reader 7.0.9
    Adobe Reader Japanese Fonts
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    CDisplay 1.8
    ERUNT 1.1j
    GPL MPEG-1/2 DirectShow Decoder Filter
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB952287)
    HP DeskJet 610C Series (Remove only)
    iPod for Windows 2006-03-23
    iPod for Windows User Guide
    iPod System Software Updater 2.0.1
    iTunes
    Java(TM) 6 Update 7
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 SR-1 Disc 2
    Microsoft Office 2000 SR-1 Professional
    Mozilla Firefox (3.5.1)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    QuickTime
    Revo Uninstaller 1.83
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Skype™ 3.8
    Spybot - Search & Destroy
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VIA Rhine-Family Fast Ethernet Adapter
    VLC media player 1.0.0
    Windows Genuine Advantage v1.3.0254.0
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    It looks like combofix ran ok, but I need to be sure. You must read and follow the directions carefully.
    Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop. An image showing this is below.
    Here is where you saved it??
    c:\documents and settings\Lucia Alonzo\My Documents\Downloads\ComboFix.exe

    Please right click the icon and delete combofix. Download it to the DESKTOP as in the screenshot in the tutorial, and run it again, then post that log.
    I do not need another HijackThis log, just the log with combofix running from the DESKTOP.


    I will post the results from the uninstall list for you now.

    Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
    Hackers are using out of date programs to infect folks more and more.
    Here is a small free tool that lets you know when something needs an update if you are interested:
    http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

    Adobe Flash Player 9 ActiveX <<< out of date and unsafe:
    Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
    http://www.adobe.com/support/securit...apsb09-01.html

    Adobe Reader 7.0.9 <<< out of date and unsafe:
    http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
    http://blogs.adobe.com/psirt/2009/04...der_issue.html
    http://www.adobe.com/support/securit...apsb09-07.html
    http://www.filehippo.com/download_adobe_reader/
    (if you want a smaller program, look at this one)
    Foxit Reader 3.0 for Windows (make sure to uncheck any toolbars)
    http://www.foxitsoftware.com/pdf/rd_intro.php

    Java(TM) 6 Update 7 <<< out of date and unsafe:
    http://forums.spybot.info/showpost.p...80&postcount=2
    Be aware of this information so you can opt out of anything you do not want.
    Microsoft Does MSN Toolbar Distribution Deal With Java:
    http://searchengineland.com/microsof...java-15413.php

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Jul 2009
    Posts
    18

    Default

    Thanks for the quick reply. Hopefully all went right this time. Here is the log:
    ComboFix 09-07-21.05 - Lucia Alonzo 07/22/2009 10:37.4.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.716 [GMT -6:00]
    Running from: c:\documents and settings\Lucia Alonzo\Desktop\ComboFix.exe
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Lucia Alonzo\Local Settings\Application Data\{1C3E6E7F-8D28-4062-AA44-572A1D601054}
    c:\documents and settings\Lucia Alonzo\Local Settings\Application Data\{1C3E6E7F-8D28-4062-AA44-572A1D601054}\chrome\content\_cfg.js
    c:\documents and settings\Lucia Alonzo\Local Settings\Application Data\{1C3E6E7F-8D28-4062-AA44-572A1D601054}\chrome\content\c.js
    c:\documents and settings\Lucia Alonzo\Local Settings\Application Data\{1C3E6E7F-8D28-4062-AA44-572A1D601054}\chrome\content\overlay.xul
    c:\documents and settings\Lucia Alonzo\Local Settings\Application Data\{1C3E6E7F-8D28-4062-AA44-572A1D601054}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
    .

    2009-07-21 21:30 . 2009-07-21 21:30 -------- d-----w- c:\program files\Trend Micro
    2009-07-21 21:27 . 2009-07-21 21:27 -------- d-----w- c:\program files\ERUNT
    2009-07-15 02:20 . 2009-07-15 02:33 -------- d-----w- c:\program files\iTunes
    2009-07-14 13:25 . 2009-07-14 13:25 -------- d-----w- c:\program files\Bonjour
    2009-07-07 15:51 . 2009-07-16 06:33 -------- d-----w- c:\documents and settings\Lucia Alonzo\Application Data\vlc
    2009-06-29 13:54 . 2009-06-29 13:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-22 16:32 . 2004-08-24 00:32 -------- d-----w- c:\documents and settings\Lucia Alonzo\Application Data\MSN6
    2009-07-21 21:24 . 2008-09-18 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-15 02:24 . 2005-01-18 02:36 -------- d-----w- c:\program files\iPod
    2009-07-15 02:22 . 2008-03-18 14:44 -------- d-----w- c:\program files\Common Files\Apple
    2009-07-15 02:07 . 2009-04-03 15:47 -------- d-----w- c:\program files\QuickTime
    2009-06-24 04:42 . 2008-09-23 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-24 04:41 . 2008-09-23 17:01 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-06-17 17:27 . 2008-09-23 16:58 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-17 17:27 . 2008-09-23 16:58 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-05 19:57 . 2009-06-05 19:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-03 19:09 . 2003-03-31 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-02 20:04 . 2009-06-02 20:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-05-27 16:54 . 2009-01-31 22:50 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:56 . 2006-04-28 16:58 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:55 . 2004-08-22 18:48 78336 ----a-w- c:\windows\system32\ieencode.dll
    2004-08-19 07:33 . 2004-08-19 07:33 11079 ---ha-w- c:\program files\folder.htt
    2009-07-19 03:58 . 2008-09-14 23:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    802.11b+g USB Wireless LAN Utility.lnk - c:\program files\WLAN\802.11b+g USB WLAN\ZDWlan.exe [2008-12-27 430080]
    Configuration & Monitor Utility.lnk - c:\program files\802.11 Wireless LAN\WlanMonitor.exe [2006-7-3 446464]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 USB Wireless USB Adapter(R);USB Wireless USB Adapter(R) Service for Wireless USB Adapter;c:\windows\SYSTEM32\DRIVERS\vnetusbr.sys [7/3/2006 7:09 PM 100736]
    R3 USBNDIS5;USBNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\USBNDIS5.sys [7/3/2006 5:35 PM 17920]
    S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\SYSTEM32\DRIVERS\DLKRTS.SYS [8/22/2004 3:24 PM 45568]
    S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [3/12/2008 8:57 AM 248320]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://d:\content\include\XPPatchInstaller.CAB
    FF - ProfilePath - c:\documents and settings\Lucia Alonzo\Application Data\Mozilla\Firefox\Profiles\7kfs7lmm.default\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-22 10:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-07-22 10:44
    ComboFix-quarantined-files.txt 2009-07-22 16:43
    ComboFix2.txt 2009-07-22 13:47
    ComboFix3.txt 2008-09-25 15:01
    ComboFix4.txt 2008-09-22 16:27

    Pre-Run: 37,958,984,192 bytes free
    Post-Run: 37,935,609,344 bytes free

    154 --- E O F --- 2009-07-16 06:35


    I'll get started on your list as well.

    Thanks for everything, I appreciate it very much.

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Let's see if we can manually remove the McAfee program and do some cleaning like this:

    1) Open Task Manager and on the Processes tab End Process on:
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    http://vlaurie.com/computers2/Articles/taskman.htm

    2) To be sure >>> Disable the Service
    Click Start > Run and type services.msc
    Scroll down to McAfee Framework Service and right click on it.
    Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

    3) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    *Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
    http://www.windowsnetworking.com/art...efetch-XP.html

    (If you still have Malwarebytes' Anti-Malware (MBAM) on board, no need to download, but be sure to update the program and run it as instructed)

    4) Download Malwarebytes' Anti-Malware to your Desktop
    http://www.malwarebytes.org/

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file & a new HJT log in your next reply.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Tutorial if needed:
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    How is the computer running now?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Jul 2009
    Posts
    18

    Default

    Right now I find that searches don't redirect to shopping sites and the like any longer. That was the only symptom I ever saw beyond detections in Spybot. Hopefully, that means the problem is fixed.

    However, I am still unable to remove the McAfee remnants. I went into Services and attempted to disable it on startup as instructed, but I see an error message reading "Unable to open service McAfeeFramework for writing on Local Computer. Error 5: Access is denied." I don't get that: there are no other user profiles or such on my PC, so who exactly is it supposed to deny access to?

    Malwarebytes is still scanning. Assuming that all turns out well and the PC is clean, what should I do to finish things up? Spybot's Teatimer needs to be turned back on, right? Should I run that also just to be sure after MAB is finished? Antivir is already back on. Something else I'm not thinking of? Also, in the interest of prevention (and besides updating the software you've already advised me of), should I change anything else? Is Antivir a good program or do you recommend something else?

    Thanks for giving me such clear and concise help in fixing my computer. It's really wonderful that you do this for people.

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thank you for the feedback; do not enable TeaTimer until we finish. We will use a script in combofix to remove McAfee later. My advice is to stay offline except when you must be online to work on these instructions.

    Post the scan results from MBAM when you have them. I will try to answer all of your questions before I close the thread.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member
    Join Date
    Jul 2009
    Posts
    18

    Default

    Hi,
    Something interesting happened during the scan: MAB found no problems; however, Antivir kept popping up with detections as MAB scanned the computer. Here is the MAB log:
    Malwarebytes' Anti-Malware 1.39
    Database version: 2421
    Windows 5.1.2600 Service Pack 3

    7/22/2009 4:02:17 PM
    mbam-log-2009-07-22 (16-02-17).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 135807
    Time elapsed: 46 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Here is a log of the Antivir detections during that same time:
    Exported events:

    7/22/2009 15:58 [Guard] Malware found
    Virus or unwanted program 'TR/VB.65536.G [trojan]'
    detected in file 'C:\WINDOWS\$NtServicePackUninstall$\wextract.exe.
    Action performed: Move file to quarantine

    7/22/2009 15:57 [Guard] Malware found
    Virus or unwanted program 'TR/VB.256512 [trojan]'
    detected in file 'C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe.
    Action performed: Move file to quarantine

    7/22/2009 15:55 [Guard] Malware found
    Virus or unwanted program 'TR/VB.214528 [trojan]'
    detected in file 'C:\WINDOWS\$NtServicePackUninstall$\icwconn1.exe.
    Action performed: Move file to quarantine

    7/22/2009 15:35 [Guard] Malware found
    Virus or unwanted program 'TR/Small.cad [trojan]'
    detected in file 'C:\System Volume
    Information\_restore{7D41D114-C8B0-4C1F-A483-2DFA1C352747}\RP620\A0058437.dll.
    Action performed: Move file to quarantine

    7/22/2009 15:34 [Guard] Malware found
    Virus or unwanted program 'TR/Monder.cpxu [trojan]'
    detected in file 'C:\System Volume
    Information\_restore{7D41D114-C8B0-4C1F-A483-2DFA1C352747}\RP620\A0058436.dll.
    Action performed: Move file to quarantine

    7/22/2009 15:34 [Guard] Malware found
    Virus or unwanted program 'RKIT/TDss.Q.2 [trojan]'
    detected in file 'C:\System Volume
    Information\_restore{7D41D114-C8B0-4C1F-A483-2DFA1C352747}\RP620\A0058435.sys.
    Action performed: Move file to quarantine

    7/22/2009 15:32 [Guard] Malware found
    Virus or unwanted program 'RKIT/TDss.Q.2 [trojan]'
    detected in file
    'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETkayxckkd.sys.vir.
    Action performed: Move file to quarantine

    7/22/2009 15:32 [Guard] Malware found
    Virus or unwanted program 'TR/Monder.cpxu [trojan]'
    detected in file
    'C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpxmmldxb.dll.vir.
    Action performed: Move file to quarantine

    7/22/2009 15:32 [Guard] Malware found
    Virus or unwanted program 'TR/Small.cad [trojan]'
    detected in file
    'C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETmsfnliyv.dll.vir.
    Action performed: Move file to quarantine

    7/22/2009 15:32 [Guard] Malware found
    Virus or unwanted program 'HTML/Crypted.Gen [virus]'
    detected in file 'C:\Qoobox\Quarantine\C\Documents and Settings\Lucia
    Alonzo\Local Settings\Application
    Data\{1C3E6E7F-8D28-4062-AA44-572A1D601054}\chrome\content\c.js.vir.
    Action performed: Move file to quarantine

    7/22/2009 15:18 [Guard] Malware found
    Virus or unwanted program 'GEN/PwdZIP [heuristic]'
    detected in file 'C:\Documents and Settings\All Users\Application Data\Spybot -
    Search & Destroy\Recovery\DNSFlushcws6.zip.
    Action performed: Move file to quarantine

    7/22/2009 15:18 [Guard] Malware found
    Virus or unwanted program 'GEN/PwdZIP [heuristic]'
    detected in file 'C:\Documents and Settings\All Users\Application Data\Spybot -
    Search & Destroy\Recovery\DNSFlushcws4.zip.
    Action performed: Move file to quarantine

    7/22/2009 15:18 [Guard] Malware found
    Virus or unwanted program 'GEN/PwdZIP [heuristic]'
    detected in file 'C:\Documents and Settings\All Users\Application Data\Spybot -
    Search & Destroy\Recovery\DNSFlushcws27.zip.
    Action performed: Move file to quarantine

    7/22/2009 15:18 [Guard] Malware found
    Virus or unwanted program 'GEN/PwdZIP [heuristic]'
    detected in file 'C:\Documents and Settings\All Users\Application Data\Spybot -
    Search & Destroy\Recovery\DNSFlushcws21.zip.
    Action performed: Move file to quarantine

    7/22/2009 15:18 [Guard] Malware found
    Virus or unwanted program 'GEN/PwdZIP [heuristic]'
    detected in file 'C:\Documents and Settings\All Users\Application Data\Spybot -
    Search & Destroy\Recovery\DNSFlushcws1.zip.
    Action performed: Move file to quarantine

    Do you have any thoughts on this? Thanks

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    That's why it is best to turn off the antivirus programs when you are running a scan. Most of that is in the combofix quarantine, infected System Restore files and Spybot "Recovery". We will resolve those issues before we finish and run Antivir again to make sure nothing is left.

    Open Spybot S&D then click the "Recovery" button, then Purge everything in there.

    Let's see if we can remove McAfee like this, follow the directions carefully.

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    Folder::
    C:\Program Files\McAfee
    Save this as CFScript



    Referring to the picture above, drag CFScript into ComboFix.exe.

    This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of the CFScript.txt.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
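    The Antivir "Exported events" list in post #9 and the triage in post #10 (most hits sit in the ComboFix quarantine, in System Restore points or in Spybot's Recovery backups, not in live locations) are the kind of sorting a helper does by eye. The Python below is an added example, not code from this thread or from any of the tools named in it: it parses the Avira Guard export format quoted above, joins the wrapped path lines back together, and labels each hit by where the file lives so the live hits stand out. The location rules are assumptions based only on the folders pskelley names; the first three sample events copy entries from post #9 and the fourth is a constructed entry (detection name and path invented) to show what a hit outside any backup or quarantine folder looks like.

```python
import re
from collections import Counter

# Constructed sample in the Avira Guard "Exported events" format quoted in
# post #9. The first three entries copy paths from the thread; the fourth is
# invented (detection name and path) to show a hit outside any backup or
# quarantine folder.
SAMPLE_EVENTS = r"""
7/22/2009 15:34 [Guard] Malware found
Virus or unwanted program 'RKIT/TDss.Q.2 [trojan]'
detected in file 'C:\System Volume
Information\_restore{7D41D114-C8B0-4C1F-A483-2DFA1C352747}\RP620\A0058435.sys.
Action performed: Move file to quarantine

7/22/2009 15:32 [Guard] Malware found
Virus or unwanted program 'RKIT/TDss.Q.2 [trojan]'
detected in file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETkayxckkd.sys.vir.
Action performed: Move file to quarantine

7/22/2009 15:18 [Guard] Malware found
Virus or unwanted program 'GEN/PwdZIP [heuristic]'
detected in file 'C:\Documents and Settings\All Users\Application Data\Spybot -
Search & Destroy\Recovery\DNSFlushcws6.zip.
Action performed: Move file to quarantine

7/22/2009 15:10 [Guard] Malware found
Virus or unwanted program 'TR/Constructed.sample [trojan]'
detected in file 'C:\WINDOWS\system32\drivers\constructed_sample.sys.
Action performed: Move file to quarantine
"""

# One event = timestamp line, detection line, a possibly wrapped path line
# (the export closes the path with "." rather than a quote), action line.
EVENT_RE = re.compile(
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}) \[(?P<module>[^\]]+)\] Malware found\s+"
    r"Virus or unwanted program '(?P<name>[^']+)'\s+"
    r"detected in file\s+'(?P<path>.+?)\.\s*"
    r"Action performed: (?P<action>[^\n]+)",
    re.DOTALL,
)


def classify_location(path):
    """Label a hit by the folder it sits in. Rules are assumptions drawn from
    the folders named in post #10 (ComboFix quarantine, System Restore,
    Spybot Recovery) plus the $NtServicePackUninstall$ backups in post #9."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix quarantine"
    if "\\system volume information\\_restore" in p:
        return "system restore point"
    if "\\spybot - search & destroy\\recovery\\" in p:
        return "spybot recovery backup"
    if "\\$ntservicepackuninstall$\\" in p:
        return "service pack uninstall backup"
    return "live location"


def parse_events(text):
    """Turn the exported text into a list of dicts, one per detection."""
    events = []
    for m in EVENT_RE.finditer(text):
        # The export wraps long paths at a space; collapse the line break back
        # into a single space so the path is usable again.
        path = " ".join(m.group("path").split())
        name = m.group("name")
        kind = re.search(r"\[([^\]]+)\]\s*$", name)
        events.append({
            "when": m.group("when"),
            "module": m.group("module"),
            "detection": re.sub(r"\s*\[[^\]]+\]\s*$", "", name),
            "kind": kind.group(1) if kind else "unknown",
            "path": path,
            "location": classify_location(path),
            "rootkit": name.startswith("RKIT/"),  # Avira's rootkit prefix, as in post #9
            "action": m.group("action").strip(),
        })
    return events


def triage(text):
    """Count hits per location and pull out the ones in live locations."""
    events = parse_events(text)
    by_location = Counter(e["location"] for e in events)
    live_hits = [e for e in events if e["location"] == "live location"]
    return {"events": events, "by_location": by_location, "live_hits": live_hits}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for location, count in sorted(result["by_location"].items()):
        print(f"{count:3d}  {location}")
    for e in result["live_hits"]:
        flag = " (rootkit driver)" if e["rootkit"] else ""
        print(f"LIVE: {e['when']} {e['detection']}{flag} -> {e['path']}")
```

Run it on a saved export instead of the sample by reading the file into `triage()`. Hits in quarantine, restore points and recovery backups are inactive copies that the cleanup steps in this thread deal with in bulk; only the "live location" entries need a fresh look, and a rootkit driver among them means the machine is not clean yet.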
