
Thread: *HELP PLEASE* Live messenger closing on sign in, Chrome not opening, Redirect issues

  1. #1 Hastify (Junior Member; Join Date: Mar 2011; Posts: 10)

    *HELP PLEASE* Live messenger closing on sign in, Chrome not opening, Redirect issues

    Hi,

    I am having several problems. Firstly, it started off with the common redirect issue. I type something into Google and I am redirected to "fastsearch". Although recently, when I click the Google Chrome icon it does not launch, and when I enter ANY password (correct/incorrect) and sign in to Windows Live Messenger, the program immediately closes.

    I have since reinstalled Google Chrome and the problem still persists. I uninstalled Windows Live Messenger but now I cannot reinstall it; for some reason, half way through the setup, the setup box disappears.

    I'm assuming this could be because Windows Live is a Microsoft product, and microsoft.com is a website which I CANNOT access.

    Could someone help me with this? I will follow each step as you suggest. Thanks a lot.

  2. #2 Emeritus (Join Date: Nov 2005; Location: @localhost; Posts: 6,066)


    Hi,

    I am going to 'guess' on this. We will get two downloads for you to use; the first hopefully will take care of the redirection, the second will just show some information:

    1) Please download TDSS Killer.exe and save it to your desktop

    Double click to launch the utility. After it initializes click the start scan button.

    Once the scan completes you can click the continue button.

    "The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

    "After clicking Next, the utility applies selected actions and outputs the result."
    "A reboot might be required after disinfection."
    A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)
    Please post the log report

    2) Please download DDS and save it to your desktop.
    Double click dds.scr to run the tool. When done, DDS.txt will open.
    Save both reports to your desktop.
    Please Copy/paste both logs in your reply.
    How Can I Reduce My Risk?

  3. #3 Hastify (Junior Member; Join Date: Mar 2011; Posts: 10)


    Thanks for the quick reply.

    It seems as if the malware has blocked both of those links. I get this message in IE when clicking them:

    Internet Explorer cannot display the webpage

    What you can try:
    Diagnose Connection Problems

    More information

    Any suggestions? Thanks again.

  4. #4 Emeritus (Join Date: Nov 2005; Location: @localhost; Posts: 6,066)


    It seems as if the malware has blocked both of those links.
    So you can get to other sites ok? Like here?
    Could you download TDSSkiller on another computer like on a usb flash drive and transfer the file that way?

    I am assuming you have a certain type of malware that this (TDSSkiller) would take care of, but it's possible you don't have it but may just have a modified hosts file.

    You can also try these two links to get the other downloads and run them:

    Please download the free version of Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.

    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click *Remove Selected.*
    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

    Post the log in your reply.


    This one requires you read a guide first. Read through the guide then apply the directions on your own machine. Post the combofix log.

    Guide to using Combofix
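
The remark above that a modified hosts file alone can make the download links (and microsoft.com) unreachable is something you can check directly. The following is an added example, not code from the thread or from any tool named in it: a Python checker that parses a Windows-style hosts file and flags entries that pin security or update sites, sinkhole a name to loopback, or redirect a name to some other address. The watched-domain list and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that would block or redirect security sites.

Added example for this thread; not code from the thread or from any tool
named in it. Windows keeps the file at %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed watch-list: domains a clean machine should resolve through DNS only.
# microsoft.com and malwarebytes.org are the sites the thread mentions.
WATCHED_DOMAINS = (
    "microsoft.com",
    "windowsupdate.com",
    "malwarebytes.org",
    "avast.com",
    "avira.com",
)

# The only names that legitimately point at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def _is_watched(hostname: str) -> bool:
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text: str) -> Iterator[Tuple[int, IPAddress, str]]:
    """Yield (line_no, address, hostname) for every mapping in the file."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip
        for name in fields[1:]:  # one address may map several names
            yield n, addr, name


def classify(addr: IPAddress, name: str) -> Optional[str]:
    """Return a reason string if the mapping deserves review, else None."""
    lname = name.lower().rstrip(".")
    if _is_watched(lname):
        return "watched security/update domain pinned in hosts file"
    if lname in LOCAL_NAMES:
        return None  # the normal loopback entries
    if addr.is_loopback or addr.is_unspecified:
        return "name sinkholed to %s (site made unreachable)" % addr
    return "name redirected outside DNS to %s" % addr


def find_suspicious(text: str) -> List[Finding]:
    """Run classify() over every mapping and keep the ones flagged for review."""
    hits: List[Finding] = []
    for n, addr, name in parse_hosts(text):
        reason = classify(addr, name)
        if reason is not None:
            hits.append(Finding(n, str(addr), name, reason))
    return hits


def check_file(path: str) -> List[Finding]:
    """Convenience wrapper: read a hosts file from disk and check it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


# Constructed sample, not the poster's real hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries of the kind a hijacker adds
127.0.0.1   www.microsoft.com   microsoft.com
0.0.0.0     www.malwarebytes.org
203.0.113.7 www.google.com   # TEST-NET address standing in for a rogue host
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_HOSTS):
        print("line %d: %s %s -> %s" % hit)
```

Run `check_file(r"C:\Windows\System32\drivers\etc\hosts")` on the affected machine; an empty result means the hosts file is not what is blocking the downloads and the cause is elsewhere.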

  5. #5 Hastify (Junior Member; Join Date: Mar 2011; Posts: 10)


    I downloaded all the programs as you said.

    TDSSkiller found nothing.

    ---------------------

    MalwareBytes log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6259

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    06/04/2011 19:59:56
    mbam-log-2011-04-06 (19-59-51).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 320304
    Time elapsed: 2 hour(s), 5 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 33
    Registry Values Infected: 5
    Registry Data Items Infected: 1
    Folders Infected: 9
    Files Infected: 47

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\nmklo.dll (Worm.Mariofev) -> No action taken.
    c:\documents and settings\all users\application data\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.
    c:\WINDOWS\system32\gvqrn4.dll (Password.Stealer) -> No action taken.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (Trojan.Proxy) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{3C4FFAAE-04BA-494A-9099-D1C744272AAD} (Password.Stealer) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3C4FFAAE-04BA-494A-9099-D1C744272AAD} (Password.Stealer) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB59D0C-4A96-4FC5-B8BD-29AF4A0EE3E2} (Password.Stealer) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\TypeLib\{C55CA95C-324B-451C-B2D2-6E895AA75FEC} (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info.1 (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info (Adware.ClickPotato) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08} (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{419EDA30-6DFF-432C-B534-E15D899ABEE4} (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClickPotatoLiteSA (Adware.ClickPotato) -> No action taken.
    HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> No action taken.
    HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (Trojan.Proxy) -> Value: {96AFBE69-C3B0-4B00-8578-D933D2896EE2} -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4b00-8578-D933D2896EE2} -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\SPIGOT\WTXPCOM\COMPONENTS\WIDGITOOLBARFF.DLL (Adware.WidgiToolbar) -> Value: WIDGITOOLBARFF.DLL -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Value: netsvc -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> No action taken.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

    Folders Infected:
    c:\documents and settings\all users\application data\clickpotatolitesa (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\User\application data\clickpotatolite (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0 (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\firefox (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\start menu\Programs\clickpotato (Adware.ClickPotato) -> No action taken.

    Files Infected:
    c:\WINDOWS\system32\nmklo.dll (Worm.Mariofev) -> No action taken.
    c:\documents and settings\all users\application data\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.
    c:\WINDOWS\system32\gvqrn4.dll (Password.Stealer) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesaax.dll (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesabho.dll (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\KK\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> No action taken.
    c:\documents and settings\User\local settings\Temp\miu187.tmp.exe (Backdoor.Bot) -> No action taken.
    c:\documents and settings\User\local settings\Temp\miu1b5.tmp.exe (Trojan.Agent) -> No action taken.
    c:\documents and settings\User\my documents\downloads\xvidsetup (1).exe (Adware.Hotbar) -> No action taken.
    c:\documents and settings\User\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> No action taken.
    c:\program files\adobephotoshopcs3\adobe_photoshop_cs3\Msvcrt.dll (Malware.Packer.Gen) -> No action taken.
    c:\program files\adobephotoshopcs3\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesa.exe (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatolitesahook.dll (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\clickpotatoliteuninstaller.exe (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins\npclntax_clickpotatolitesa.dll (Adware.ClickPotato) -> No action taken.
    c:\program files\common files\Spigot\wtxpcom\components\widgitoolbarff.dll (Adware.WidgiToolbar) -> No action taken.
    c:\program files\mozilla firefox\plugins\npclntax_clickpotatolitesa.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203659.exe (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203660.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203661.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203662.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203663.exe (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0203664.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0204446.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207358.exe (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207359.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207360.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207361.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207362.exe (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0207363.dll (Adware.ClickPotato) -> No action taken.
    c:\system volume information\_restore{94070a64-28b0-403e-9687-bf708ea2972a}\RP315\A0208147.dll (Adware.ClickPotato) -> No action taken.
    c:\WINDOWS\system32\cooper.mine (Trojan.Agent) -> No action taken.
    c:\WINDOWS\system32\h7t.wt (Malware.Trace) -> No action taken.
    c:\WINDOWS\system32\hgtd.ruy (Malware.Trace) -> No action taken.
    c:\documents and settings\User\local settings\Temp\utt218.tmp.exe (Trojan.Pakes) -> No action taken.
    c:\WINDOWS\system32\bilmux2.dll (Password.Stealer) -> No action taken.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaabout.mht (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaau.dat (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaeula.mht (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa_hpk.dat (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa_kyf_update.dat (Adware.ClickPotato) -> No action taken.
    c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\start menu\Programs\clickpotato\About Us.lnk (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\start menu\Programs\clickpotato\clickpotato customer support.lnk (Adware.ClickPotato) -> No action taken.
    c:\documents and settings\all users\start menu\Programs\clickpotato\clickpotato uninstall instructions.lnk (Adware.ClickPotato) -> No action taken.

    DDS:
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by User at 17:41:51.17 on 06/04/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.459 [GMT 1:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Application Updater\ApplicationUpdater.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NCH Software\BroadCam\broadcam.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k netsvc
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Documents and Settings\User\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\yoeecjes\huvqmjng.exe
    BHO: Internet Explorer Plugin: {0cb59d0c-4a96-4fc5-b8bd-29af4a0ee3e2} - gvqrn4.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.3\youtubedownloaderToolbarIE.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.3\youtubedownloaderToolbarIE.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\clickpotatolite\bin\10.0.630.0\ClickPotatoLiteSABHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {3C4FFAAE-04BA-494A-9099-D1C744272AAD} - rundll32 gvqrn4.dll,laspi
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ywwca10i.default\
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
    FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: ClickPotatoLite Component: ClickPotatoLite@ClickPotatoLite.com - c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.proxy.type - 0
    FF - user.js: network.proxy.http -
    user_pref(network.proxy.http_port,);
    FF - user.js: network.proxy.no_proxies_on -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-28 33824]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
    R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-1-28 387072]
    R2 BroadCamService;BroadCam Video Streaming Server;c:\program files\nch software\broadcam\broadcam.exe [2011-1-26 1175556]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-4-7 20968]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-10 14336]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2010-2-26 808448]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-26 135664]
    S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2010-2-26 32384]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-14 34448]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    .
    =============== File Associations ===============
    .
    regfile="regedit.exe" "%1"
    .
    =============== Created Last 30 ================
    .
    2011-04-04 21:08:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-04 21:08:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-01 17:42:58 16856 ------w- c:\program files\mozilla firefox\plugin-container.exe
    2011-04-01 17:42:53 719832 ------w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-03-29 17:25:16 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Deployment
    .
    ==================== Find3M ====================
    .
    2011-02-18 15:35:11 38400 ----a-w- c:\windows\system32\bilmux2.dll
    2011-02-05 19:12:00 38400 ----a-w- c:\windows\system32\gvqrn4.dll
    2011-02-04 17:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-02-04 17:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-06-02 04:22:02 89944 ----a-w- c:\program files\DSETUP.dll
    2010-06-02 04:22:02 537432 ----a-w- c:\program files\DXSETUP.exe
    2010-06-02 04:22:02 1801048 ----a-w- c:\program files\dsetup32.dll
    .
    ============= FINISH: 17:43:00.84 ===============

    Thanks again.

  6. #6 Emeritus (Join Date: Nov 2005; Location: @localhost; Posts: 6,066)


    After you ran Malwarebytes did you reboot your computer?

    "When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click *Remove Selected.*
    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*"

    I don't see a resident antivirus. Do you have an updated AV installed on your machine?
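
Every item in the Malwarebytes log posted above ends in "No action taken", which is what prompts the question about Remove Selected and the reboot. As an added example, not code from the thread or from Malwarebytes, this Python snippet parses a log in that layout, counts detections per action and lists the ones still unactioned; the sample log is constructed for illustration, with placeholder paths and threat names.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x log and list unactioned detections.

Added example for this thread; not code from the thread or from Malwarebytes.
It parses the layout visible in the posted log: a "<Category> Infected:" header
followed by lines of the form "<item> (<threat>) -> <action>."
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Detection(NamedTuple):
    category: str
    item: str
    threat: str
    action: str


# Registry value lines carry an extra "-> Value: ..." segment before the
# action, so the action is always the text after the last " -> ".
_ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)(?: -> .*?)? -> (?P<action>[^>]+?)\.?$"
)

NO_ACTION = "No action taken"


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item line, tagged with its section name."""
    detections: List[Detection] = []
    category: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers end with ":" and carry no "->"; the summary block
        # ("Files Infected: 47") ends with a count instead, so it is skipped.
        if line.endswith(":") and " -> " not in line:
            category = line[:-1]
            continue
        if category is None or line.startswith("(No malicious items"):
            continue
        m = _ITEM_RE.match(line)
        if m:
            detections.append(
                Detection(category, m["item"], m["threat"], m["action"].strip())
            )
    return detections


def action_summary(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per action, e.g. {"No action taken": 3}."""
    return dict(Counter(d.action for d in detections))


def unactioned(detections: List[Detection]) -> List[Detection]:
    """Detections still on disk: the log was saved before Remove Selected ran."""
    return [d for d in detections if d.action == NO_ACTION]


def removal_completed(detections: List[Detection]) -> bool:
    """True when nothing in the log is left at 'No action taken'."""
    return not unactioned(detections)


# Constructed sample in the same layout as the thread's log (paths and names
# are placeholders, not the poster's detections).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6259

Scan type: Full scan (C:\|)
Objects scanned: 12345

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\example1.dll (Trojan.Proxy) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Run\loader (Trojan.Agent) -> Value: loader -> No action taken.

Files Infected:
c:\WINDOWS\system32\example1.dll (Trojan.Proxy) -> No action taken.
c:\docs\downloads\setup (1).exe (Adware.Sample) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(action_summary(found))
    for d in unactioned(found):
        print("still present:", d.category, "|", d.item, "|", d.threat)
    print("removal completed:", removal_completed(found))
```

A log from a re-run after removal should come back with `removal_completed()` true or with a different, shorter set of items, which is the check the reply above asks for.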

  7. #7 Hastify (Junior Member; Join Date: Mar 2011; Posts: 10)


    That's right. I do not have any AV.

    I removed the selected and restarted my computer. As of yet, nothing seems to have changed. Is this expected?

    Thanks.

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    You need to get an AV app installed. These below are free or have free versions. Download, install, update and do a full scan with one of them:
    How long have you been without AV? It's probably a good idea to use this computer as little as possible until we are sure it's clean.

    Avast
    MS security essentials
    Avira

    I removed the selected and restarted my computer. As of yet, nothing seems to have changed. Is this expected?
    Are you still getting re-directed?
    If the malware was successfully removed by Malwarebytes the first time and you reran Malwarebytes, the same items shouldn't show up again after the scan is done. Re-run Malwarebytes after you check for updates, then do a full scan again. The results should be different or empty.

    We will also get another download to use. There is a guide to read first, read through the guide then apply the directions on your own machine. Post the combofix log.

    Guide to using Combofix

    So:
    Install and scan with AV
    Re-run Malwarebytes and check the results
    Read the ComboFix guide, then download and run ComboFix
    How Can I Reduce My Risk?

  9. #9
    Junior Member Hastify's Avatar
    Join Date
    Mar 2011
    Posts
    10

    Exclamation

    I have been without AV for about a month.

    I am still getting redirected, yes. It seems Malwarebytes hasn't changed much, and I have also tried HitmanPro, but that has the same results it seems.

    Here is the ComboFix log you requested:

    ComboFix 11-04-08.01 - User 09/04/2011 22:39:55.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.552 [GMT 1:00]
    Running from: c:\documents and settings\User\Desktop\Cfix.exe
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\User\Local Settings\Temporary Internet Files\bmp2CE.tmp
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\program files\Internet Explorer\IEXPLOREmgr.exe
    c:\windows\system32\fsc.txt
    c:\windows\system32\ide.txt
    c:\windows\system32\klgd.bmp
    c:\windows\system32\lpe.txt
    c:\windows\system32\qks.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-09 21:20 . 2011-04-09 21:20 -------- d-----w- c:\program files\yoeecjes
    2011-04-09 20:56 . 2011-04-09 21:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-04-09 20:56 . 2011-04-09 20:56 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-04-09 20:56 . 2011-04-09 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-04-04 21:08 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-04 21:08 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-01 17:42 . 2011-04-01 19:41 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-04-01 17:42 . 2011-04-01 19:41 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2011-03-29 17:25 . 2011-03-29 17:25 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Deployment
    2011-03-27 01:08 . 2011-03-27 01:08 -------- d-sh--w- c:\documents and settings\KK\IECompatCache
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-04 17:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-02-04 17:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
    2011-02-02 07:58 . 2010-02-26 11:58 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-02-26 11:58 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2010-06-02 04:22 . 2010-06-02 04:22 89944 ----a-w- c:\program files\DSETUP.dll
    2010-06-02 04:22 . 2010-06-02 04:22 537432 ----a-w- c:\program files\DXSETUP.exe
    2010-06-02 04:22 . 2010-06-02 04:22 1801048 ----a-w- c:\program files\dsetup32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-26 39408]
    "Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-26 135664]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-03-05 323392]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-27 7561216]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "58859:TCP"= 58859:TCP:Pando Media Booster
    "58859:UDP"= 58859:UDP:Pando Media Booster
    "5999:TCP"= 5999:TCP:spport
    "8562:TCP"= 8562:TCP:spport
    "12819:TCP"= 12819:TCP:spport
    "25417:TCP"= 25417:TCP:spport
    "21058:TCP"= 21058:TCP:spport
    "27995:TCP"= 27995:TCP:spport
    "5195:TCP"= 5195:TCP:spport
    "29997:TCP"= 29997:TCP:spport
    "28562:TCP"= 28562:TCP:spport
    "13059:TCP"= 13059:TCP:spport
    "13507:TCP"= 13507:TCP:spport
    "10563:TCP"= 10563:TCP:spport
    "25441:TCP"= 25441:TCP:spport
    "17679:TCP"= 17679:TCP:spport
    "29155:TCP"= 29155:TCP:spport
    "20909:TCP"= 20909:TCP:spport
    "13433:TCP"= 13433:TCP:spport
    "20846:TCP"= 20846:TCP:spport
    "9239:TCP"= 9239:TCP:spport
    "11116:TCP"= 11116:TCP:spport
    "22694:TCP"= 22694:TCP:spport
    "20990:TCP"= 20990:TCP:spport
    "5869:TCP"= 5869:TCP:spport
    "24683:TCP"= 24683:TCP:spport
    "8216:TCP"= 8216:TCP:spport
    "5194:TCP"= 5194:TCP:spport
    "8704:TCP"= 8704:TCP:spport
    "5035:TCP"= 5035:TCP:spport
    "22346:TCP"= 22346:TCP:spport
    "16172:TCP"= 16172:TCP:spport
    "15574:TCP"= 15574:TCP:spport
    "18529:TCP"= 18529:TCP:spport
    "27291:TCP"= 27291:TCP:spport
    "21618:TCP"= 21618:TCP:spport
    "29012:TCP"= 29012:TCP:spport
    "26198:TCP"= 26198:TCP:spport
    "7229:TCP"= 7229:TCP:spport
    "11424:TCP"= 11424:TCP:spport
    "27445:TCP"= 27445:TCP:spport
    "13134:TCP"= 13134:TCP:spport
    "6308:TCP"= 6308:TCP:spport
    "18882:TCP"= 18882:TCP:spport
    "12432:TCP"= 12432:TCP:spport
    "12680:TCP"= 12680:TCP:spport
    "8616:TCP"= 8616:TCP:spport
    "7871:TCP"= 7871:TCP:spport
    "29709:TCP"= 29709:TCP:spport
    "7674:TCP"= 7674:TCP:spport
    "6436:TCP"= 6436:TCP:spport
    "27284:TCP"= 27284:TCP:spport
    "23024:TCP"= 23024:TCP:spport
    "10484:TCP"= 10484:TCP:spport
    "17685:TCP"= 17685:TCP:spport
    "13607:TCP"= 13607:TCP:spport
    "7536:TCP"= 7536:TCP:spport
    "19491:TCP"= 19491:TCP:spport
    "27989:TCP"= 27989:TCP:spport
    "28319:TCP"= 28319:TCP:spport
    "6263:TCP"= 6263:TCP:spport
    "14710:TCP"= 14710:TCP:spport
    "12462:TCP"= 12462:TCP:spport
    "12969:TCP"= 12969:TCP:spport
    "27448:TCP"= 27448:TCP:spport
    "8235:TCP"= 8235:TCP:spport
    "7797:TCP"= 7797:TCP:spport
    "11819:TCP"= 11819:TCP:spport
    "7133:TCP"= 7133:TCP:spport
    "25617:TCP"= 25617:TCP:spport
    "26215:TCP"= 26215:TCP:spport
    "18553:TCP"= 18553:TCP:spport
    "6163:TCP"= 6163:TCP:spport
    "27647:TCP"= 27647:TCP:spport
    "11022:TCP"= 11022:TCP:spport
    "23908:TCP"= 23908:TCP:spport
    "29434:TCP"= 29434:TCP:spport
    "17794:TCP"= 17794:TCP:spport
    "26381:TCP"= 26381:TCP:spport
    "26511:TCP"= 26511:TCP:spport
    "26494:TCP"= 26494:TCP:spport
    "22845:TCP"= 22845:TCP:spport
    "16513:TCP"= 16513:TCP:spport
    "6877:TCP"= 6877:TCP:spport
    "19389:TCP"= 19389:TCP:spport
    "27675:TCP"= 27675:TCP:spport
    "18773:TCP"= 18773:TCP:spport
    "23791:TCP"= 23791:TCP:spport
    "8144:TCP"= 8144:TCP:spport
    "12068:TCP"= 12068:TCP:spport
    "16651:TCP"= 16651:TCP:spport
    "12666:TCP"= 12666:TCP:spport
    "29930:TCP"= 29930:TCP:spport
    "22213:TCP"= 22213:TCP:spport
    "5493:TCP"= 5493:TCP:spport
    "5713:TCP"= 5713:TCP:spport
    "20743:TCP"= 20743:TCP:spport
    "27340:TCP"= 27340:TCP:spport
    "21621:TCP"= 21621:TCP:spport
    "20314:TCP"= 20314:TCP:spport
    "10790:TCP"= 10790:TCP:spport
    "13497:TCP"= 13497:TCP:spport
    "23469:TCP"= 23469:TCP:spport
    "22537:TCP"= 22537:TCP:spport
    "10894:TCP"= 10894:TCP:spport
    "29977:TCP"= 29977:TCP:spport
    "21930:TCP"= 21930:TCP:spport
    "29051:TCP"= 29051:TCP:spport
    "23231:TCP"= 23231:TCP:spport
    "17186:TCP"= 17186:TCP:spport
    "28014:TCP"= 28014:TCP:spport
    "25535:TCP"= 25535:TCP:spport
    "12833:TCP"= 12833:TCP:spport
    "16301:TCP"= 16301:TCP:spport
    "8843:TCP"= 8843:TCP:spport
    "6989:TCP"= 6989:TCP:spport
    "14627:TCP"= 14627:TCP:spport
    "19375:TCP"= 19375:TCP:spport
    "5347:TCP"= 5347:TCP:spport
    "9168:TCP"= 9168:TCP:spport
    "21469:TCP"= 21469:TCP:spport
    "16190:TCP"= 16190:TCP:spport
    "27366:TCP"= 27366:TCP:spport
    "25189:TCP"= 25189:TCP:spport
    "13418:TCP"= 13418:TCP:spport
    "24509:TCP"= 24509:TCP:spport
    "8211:TCP"= 8211:TCP:spport
    "6444:TCP"= 6444:TCP:spport
    "28903:TCP"= 28903:TCP:spport
    "23250:TCP"= 23250:TCP:spport
    "7086:TCP"= 7086:TCP:spport
    "8561:TCP"= 8561:TCP:spport
    "16612:TCP"= 16612:TCP:spport
    "25271:TCP"= 25271:TCP:spport
    "24603:TCP"= 24603:TCP:spport
    "20077:TCP"= 20077:TCP:spport
    "24969:TCP"= 24969:TCP:spport
    "7204:TCP"= 7204:TCP:spport
    "23382:TCP"= 23382:TCP:spport
    "25385:TCP"= 25385:TCP:spport
    "20451:TCP"= 20451:TCP:spport
    "18734:TCP"= 18734:TCP:spport
    "10941:TCP"= 10941:TCP:spport
    "25504:TCP"= 25504:TCP:spport
    "29292:TCP"= 29292:TCP:spport
    "15855:TCP"= 15855:TCP:spport
    "26189:TCP"= 26189:TCP:spport
    "26775:TCP"= 26775:TCP:spport
    "15154:TCP"= 15154:TCP:spport
    "10486:TCP"= 10486:TCP:spport
    "27146:TCP"= 27146:TCP:spport
    "27384:TCP"= 27384:TCP:spport
    "9551:TCP"= 9551:TCP:spport
    "28516:TCP"= 28516:TCP:spport
    "9241:TCP"= 9241:TCP:spport
    "24107:TCP"= 24107:TCP:spport
    "7783:TCP"= 7783:TCP:spport
    "26653:TCP"= 26653:TCP:spport
    "26010:TCP"= 26010:TCP:spport
    "10129:TCP"= 10129:TCP:spport
    "12619:TCP"= 12619:TCP:spport
    "11960:TCP"= 11960:TCP:spport
    "10458:TCP"= 10458:TCP:spport
    "28462:TCP"= 28462:TCP:spport
    "27884:TCP"= 27884:TCP:spport
    "22776:TCP"= 22776:TCP:spport
    "17559:TCP"= 17559:TCP:spport
    "7848:TCP"= 7848:TCP:spport
    "25230:TCP"= 25230:TCP:spport
    "27033:TCP"= 27033:TCP:spport
    "21615:TCP"= 21615:TCP:spport
    "24579:TCP"= 24579:TCP:spport
    "6548:TCP"= 6548:TCP:spport
    "13666:TCP"= 13666:TCP:spport
    "29128:TCP"= 29128:TCP:spport
    "29225:TCP"= 29225:TCP:spport
    "10449:TCP"= 10449:TCP:spport
    "9622:TCP"= 9622:TCP:spport
    "16202:TCP"= 16202:TCP:spport
    "29486:TCP"= 29486:TCP:spport
    "13348:TCP"= 13348:TCP:spport
    "10803:TCP"= 10803:TCP:spport
    "11881:TCP"= 11881:TCP:spport
    "17663:TCP"= 17663:TCP:spport
    "13534:TCP"= 13534:TCP:spport
    "16691:TCP"= 16691:TCP:spport
    "17112:TCP"= 17112:TCP:spport
    "25967:TCP"= 25967:TCP:spport
    "28881:TCP"= 28881:TCP:spport
    "18578:TCP"= 18578:TCP:spport
    "19506:TCP"= 19506:TCP:spport
    "12842:TCP"= 12842:TCP:spport
    "13761:TCP"= 13761:TCP:spport
    "15477:TCP"= 15477:TCP:spport
    "8948:TCP"= 8948:TCP:spport
    "19301:TCP"= 19301:TCP:spport
    "21929:TCP"= 21929:TCP:spport
    "29098:TCP"= 29098:TCP:spport
    "16121:TCP"= 16121:TCP:spport
    "27532:TCP"= 27532:TCP:spport
    "7594:TCP"= 7594:TCP:spport
    "15809:TCP"= 15809:TCP:spport
    "11724:TCP"= 11724:TCP:spport
    "28589:TCP"= 28589:TCP:spport
    "26463:TCP"= 26463:TCP:spport
    "9516:TCP"= 9516:TCP:spport
    "7259:TCP"= 7259:TCP:spport
    "6773:TCP"= 6773:TCP:spport
    "22330:TCP"= 22330:TCP:spport
    "6454:TCP"= 6454:TCP:spport
    "20214:TCP"= 20214:TCP:spport
    "11018:TCP"= 11018:TCP:spport
    "25427:TCP"= 25427:TCP:spport
    "8904:TCP"= 8904:TCP:spport
    "8347:TCP"= 8347:TCP:spport
    "13192:TCP"= 13192:TCP:spport
    "19974:TCP"= 19974:TCP:spport
    "27344:TCP"= 27344:TCP:spport
    "18525:TCP"= 18525:TCP:spport
    "13088:TCP"= 13088:TCP:spport
    "21475:TCP"= 21475:TCP:spport
    "25835:TCP"= 25835:TCP:spport
    "12725:TCP"= 12725:TCP:spport
    "27904:TCP"= 27904:TCP:spport
    "6767:TCP"= 6767:TCP:spport
    "14717:TCP"= 14717:TCP:spport
    "6387:TCP"= 6387:TCP:spport
    "28106:TCP"= 28106:TCP:spport
    "22645:TCP"= 22645:TCP:spport
    "15306:TCP"= 15306:TCP:spport
    "18013:TCP"= 18013:TCP:spport
    "19363:TCP"= 19363:TCP:spport
    "8872:TCP"= 8872:TCP:spport
    "18837:TCP"= 18837:TCP:spport
    "29687:TCP"= 29687:TCP:spport
    "29920:TCP"= 29920:TCP:spport
    "20354:TCP"= 20354:TCP:spport
    "28158:TCP"= 28158:TCP:spport
    "27805:TCP"= 27805:TCP:spport
    "18615:TCP"= 18615:TCP:spport
    "86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP"= 4100:UDP:uPNP Router Control Port
    "11457:TCP"= 11457:TCP:spport
    "27047:TCP"= 27047:TCP:spport
    "15468:TCP"= 15468:TCP:spport
    "24178:TCP"= 24178:TCP:spport
    "23769:TCP"= 23769:TCP:spport
    "28085:TCP"= 28085:TCP:spport
    "22729:TCP"= 22729:TCP:spport
    "8263:TCP"= 8263:TCP:spport
    "18334:TCP"= 18334:TCP:spport
    "14499:TCP"= 14499:TCP:spport
    "15181:TCP"= 15181:TCP:spport
    "15918:TCP"= 15918:TCP:spport
    "9975:TCP"= 9975:TCP:spport
    "8537:TCP"= 8537:TCP:spport
    "10962:TCP"= 10962:TCP:spport
    "15357:TCP"= 15357:TCP:spport
    "5972:TCP"= 5972:TCP:spport
    "21380:TCP"= 21380:TCP:spport
    "18136:TCP"= 18136:TCP:spport
    "12792:TCP"= 12792:TCP:spport
    "19789:TCP"= 19789:TCP:spport
    "16958:TCP"= 16958:TCP:spport
    "7798:TCP"= 7798:TCP:spport
    "21918:TCP"= 21918:TCP:spport
    "9768:TCP"= 9768:TCP:spport
    "12557:TCP"= 12557:TCP:spport
    "12780:TCP"= 12780:TCP:spport
    "11090:TCP"= 11090:TCP:spport
    "9546:TCP"= 9546:TCP:spport
    "17289:TCP"= 17289:TCP:spport
    "10958:TCP"= 10958:TCP:spport
    "12776:TCP"= 12776:TCP:spport
    "19900:TCP"= 19900:TCP:spport
    "21490:TCP"= 21490:TCP:spport
    "20459:TCP"= 20459:TCP:spport
    "7109:TCP"= 7109:TCP:spport
    "26962:TCP"= 26962:TCP:spport
    "25636:TCP"= 25636:TCP:spport
    "17902:TCP"= 17902:TCP:spport
    "20853:TCP"= 20853:TCP:spport
    "8500:TCP"= 8500:TCP:spport
    "7150:TCP"= 7150:TCP:spport
    "17498:TCP"= 17498:TCP:spport
    "6287:TCP"= 6287:TCP:spport
    "6078:TCP"= 6078:TCP:spport
    "15719:TCP"= 15719:TCP:spport
    "20286:TCP"= 20286:TCP:spport
    "9441:TCP"= 9441:TCP:spport
    "23985:TCP"= 23985:TCP:spport
    "16741:TCP"= 16741:TCP:spport
    "21097:TCP"= 21097:TCP:spport
    "24297:TCP"= 24297:TCP:spport
    "26331:TCP"= 26331:TCP:spport
    "22803:TCP"= 22803:TCP:spport
    "10550:TCP"= 10550:TCP:spport
    "18757:TCP"= 18757:TCP:spport
    "25030:TCP"= 25030:TCP:spport
    "17817:TCP"= 17817:TCP:spport
    "7699:TCP"= 7699:TCP:spport
    "29746:TCP"= 29746:TCP:spport
    "7656:TCP"= 7656:TCP:spport
    "6664:TCP"= 6664:TCP:spport
    "29061:TCP"= 29061:TCP:spport
    "7988:TCP"= 7988:TCP:spport
    "8955:TCP"= 8955:TCP:spport
    "26578:TCP"= 26578:TCP:spport
    "5164:TCP"= 5164:TCP:spport
    "26228:TCP"= 26228:TCP:spport
    "27680:TCP"= 27680:TCP:spport
    "28963:TCP"= 28963:TCP:spport
    "8604:TCP"= 8604:TCP:spport
    "20881:TCP"= 20881:TCP:spport
    "12369:TCP"= 12369:TCP:spport
    "7123:TCP"= 7123:TCP:spport
    "22671:TCP"= 22671:TCP:spport
    "28325:TCP"= 28325:TCP:spport
    "8679:TCP"= 8679:TCP:spport
    "11131:TCP"= 11131:TCP:spport
    "28952:TCP"= 28952:TCP:spport
    "10712:TCP"= 10712:TCP:spport
    "12927:TCP"= 12927:TCP:spport
    "5356:TCP"= 5356:TCP:spport
    "5608:TCP"= 5608:TCP:spport
    "9802:TCP"= 9802:TCP:spport
    "26270:TCP"= 26270:TCP:spport
    "20754:TCP"= 20754:TCP:spport
    "19331:TCP"= 19331:TCP:spport
    "20763:TCP"= 20763:TCP:spport
    "27248:TCP"= 27248:TCP:spport
    "26180:TCP"= 26180:TCP:spport
    "27084:TCP"= 27084:TCP:spport
    "15790:TCP"= 15790:TCP:spport
    "16145:TCP"= 16145:TCP:spport
    "21310:TCP"= 21310:TCP:spport
    "6597:TCP"= 6597:TCP:spport
    "20032:TCP"= 20032:TCP:spport
    "22009:TCP"= 22009:TCP:spport
    "20566:TCP"= 20566:TCP:spport
    "13222:TCP"= 13222:TCP:spport
    "17203:TCP"= 17203:TCP:spport
    "16024:TCP"= 16024:TCP:spport
    "17352:TCP"= 17352:TCP:spport
    "10974:TCP"= 10974:TCP:spport
    "17411:TCP"= 17411:TCP:spport
    "10112:TCP"= 10112:TCP:spport
    "5241:TCP"= 5241:TCP:spport
    "26776:TCP"= 26776:TCP:spport
    "19095:TCP"= 19095:TCP:spport
    "6685:TCP"= 6685:TCP:spport
    "8825:TCP"= 8825:TCP:spport
    "18064:TCP"= 18064:TCP:spport
    "26518:TCP"= 26518:TCP:spport
    "12155:TCP"= 12155:TCP:spport
    "29663:TCP"= 29663:TCP:spport
    "12837:TCP"= 12837:TCP:spport
    "1730:TCP"= 1730:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [28/04/2010 19:01 33824]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 13:00 14336]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [28/01/2011 18:10 387072]
    R2 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [26/01/2011 17:29 1175556]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [07/04/2010 01:56 20968]
    R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [09/04/2011 21:56 16968]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [26/02/2010 13:45 808448]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/02/2010 18:41 135664]
    S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [26/02/2010 13:35 32384]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [14/11/2007 20:40 34448]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 14:37 517096]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - HITMANPRO35
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    2011-02-28 c:\windows\Tasks\broadcamShakeIcon.job
    - c:\program files\NCH Software\BroadCam\broadcam.exe [2011-01-26 16:29]
    .
    2011-04-09 c:\windows\Tasks\debutShakeIcon.job
    - c:\program files\NCH Software\Debut\debut.exe [2011-01-26 16:27]
    .
    2011-04-01 c:\windows\Tasks\doxillionShakeIcon.job
    - c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-29 19:14]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
    .
    2011-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003Core.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003UA.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
    .
    2011-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006Core.job
    - c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006UA.job
    - c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
    .
    2011-04-09 c:\windows\Tasks\Norton Security Scan for KK.job
    - c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-11 10:06]
    .
    2011-04-09 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-09-28 22:44]
    .
    2010-12-21 c:\windows\Tasks\switchSevenDays.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
    .
    2010-12-21 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
    .
    2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{D56C9F74-29EA-4B9F-9DBE-3F18F45461D5}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
    .
    2011-02-26 c:\windows\Tasks\wavepadDowngrade.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
    .
    2011-03-22 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ywwca10i.default\
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    FF - user.js: network.proxy.type - 0
    FF - user.js: network.proxy.http -
    user_pref(network.proxy.http_port,);
    FF - user.js: network.proxy.no_proxies_on -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    HKCU-Run-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
    HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE
    SafeBoot-klmdb.sys
    AddRemove-MSN Sniffer 2 - c:\progra~1\MSNSNI~1\UNWISE.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-09 22:47
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\User\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-04-09 22:49:34
    ComboFix-quarantined-files.txt 2011-04-09 21:49
    .
    Pre-Run: 26,036,400,128 bytes free
    Post-Run: 29,989,081,088 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 8BD7B3F57C74069D2291187E040FBF68

    Thanks a lot.
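    As an added triage example (not ComboFix's code and not something posted in this thread), the Python script below parses the firewall and hidden-file sections of a log in the layout above and flags the two things a helper would look at first: one label owning an implausible number of firewall exceptions, and a hidden executable in an autostart folder. The embedded excerpt is constructed to mirror that format, and the threshold of 10 exceptions per label is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt in the ComboFix log layout seen in this thread (not a real log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58859:TCP"= 58859:TCP:Pando Media Booster
"58859:UDP"= 58859:UDP:Pando Media Booster
"5999:TCP"= 5999:TCP:spport
"8562:TCP"= 8562:TCP:spport
"12819:TCP"= 12819:TCP:spport
"25417:TCP"= 25417:TCP:spport
"21058:TCP"= 21058:TCP:spport
"27995:TCP"= 27995:TCP:spport
"5195:TCP"= 5195:TCP:spport
"29997:TCP"= 29997:TCP:spport
"28562:TCP"= 28562:TCP:spport
"13059:TCP"= 13059:TCP:spport
"13507:TCP"= 13507:TCP:spport
"10563:TCP"= 10563:TCP:spport
"4100:UDP"= 4100:UDP:uPNP Router Control Port
.
scanning hidden files ...
.
c:\documents and settings\User\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
c:\windows\temp\cache.dat 4096 bytes
.
scan completed successfully
hidden files: 2
"""

# "5999:TCP"= 5999:TCP:spport  ->  port, protocol, label
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.+?)\s*$')
# <path> <size> bytes [executable]
HIDDEN_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes(?: (?P<kind>\w+))?\s*$')
# Autostart locations worth flagging when a hidden executable lives there (assumed list).
AUTOSTART_MARKERS = ("\\start menu\\programs\\startup\\", "\\windows\\tasks\\")


def section_lines(log, header_fragment):
    """Yield the value lines of the [registry block] whose header contains header_fragment."""
    inside = False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("["):
            inside = header_fragment in s
        elif s == ".":
            inside = False          # a lone dot closes a block in this log format
        elif inside and s:
            yield s


def parse_open_ports(log):
    """Return (port, proto, label) for every GloballyOpenPorts entry."""
    entries = []
    for line in section_lines(log, "GloballyOpenPorts"):
        m = PORT_RE.match(line)
        if m:
            entries.append((int(m["port"]), m["proto"], m["label"]))
    return entries


def parse_authorized_apps(log):
    """Return the program paths listed under AuthorizedApplications (backslashes unescaped)."""
    return [line[1:-2].replace("\\\\", "\\")
            for line in section_lines(log, "AuthorizedApplications")
            if line.startswith('"') and line.endswith('"=')]


def suspicious_port_labels(entries, threshold=10):
    """Labels owning at least `threshold` exceptions. Legitimate software opens a
    few ports; one label with dozens of random high ports is a strong indicator."""
    counts = Counter(label for _, _, label in entries)
    return {label: n for label, n in counts.items() if n >= threshold}


def parse_hidden_files(log):
    """Return (path, size, kind) for each entry of the 'scanning hidden files' block."""
    found, inside = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("scanning hidden files"):
            inside = True
        elif inside and s.startswith("scan completed"):
            break
        elif inside:
            m = HIDDEN_RE.match(s)
            if m:
                found.append((m["path"], int(m["size"]), m["kind"] or "unknown"))
    return found


def hidden_autostart_executables(hidden):
    """Hidden executables sitting in an autostart location: the rootkit's persistence."""
    return [p for p, _, kind in hidden
            if kind == "executable" and any(mk in p.lower() for mk in AUTOSTART_MARKERS)]


def triage(log, threshold=10):
    ports = parse_open_ports(log)
    return {
        "open_port_count": len(ports),
        "suspicious_port_labels": suspicious_port_labels(ports, threshold),
        "hidden_autostart_executables": hidden_autostart_executables(parse_hidden_files(log)),
        "authorized_apps": parse_authorized_apps(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```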

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Until it's clean you should use this computer as little as possible, and when not in use it should have no connectivity. If you're not sure how to stop the connectivity then I would power it off.


    Pretty sure you have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.

    The best source for information on how to do this would be the computer manufacturers website.

    To clean up the machine with current utilities proceed as follows:
    -------------------------------
    I know you ran tdsskiller once, delete that icon and get a new copy. Post the log even if it finds nothing:

    1) Please download TDSS Killer.exe and save it to your desktop

    TDSS Killer.exe

    Double click to launch the utility. After it initializes click the start scan button.

    Once the scan completes you can click the continue button.

    "The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

    "After clicking Next, the utility applies selected actions and outputs the result."
    "A reboot might be required after disinfection."
    A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)
    Please post the log report

    2) Please download aswMBR to your desktop.

    http://public.avast.com/~gmerek/aswMBR.exe

    * Double click the aswMBR icon to run it. A window will open
    * Click the SCAN button to start the scan. When it's done it will say: "scan finished successfully"
    * Next press the SAVE LOG button, save the logfile to your desktop and post its contents in your next reply. Click the EXIT button to close.

    Did you get Antivirus yet?

    After you run the two utilities above you can use combofix:

    Click Start, then Run and type Notepad and click OK.
    Copy/paste the text in the code box below into notepad:

    Code:
    File::
    c:\documents and settings\User\Start Menu\Programs\Startup\huvqmjng.exe
    Name the Notepad file CFScript.txt and save it to your desktop.
    Now locate the file you just saved and the ComboFix icon, both on your desktop.
    Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
    Please post the new ComboFix log as well as the two logs from above.
    Last edited by shelf life; 2011-04-09 at 00:51. Reason: added stuff
    How Can I Reduce My Risk?
