
Thread: *HELP PLEASE* Live messenger closing on sign in, Chrome not opening, Redirect issues

  1. #11
    Junior Member Hastify's Avatar
    Join Date
    Mar 2011
    Posts
    10

    Exclamation

    TDSSKiller found nothing.

    Here is the ComboFix / CFScript log:

    ComboFix 11-04-08.03 - KK 10/04/2011 18:14:25.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.565 [GMT 1:00]
    Running from: c:\documents and settings\KK\Desktop\ComboFixx.exe
    Command switches used :: c:\documents and settings\KK\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Internet Explorer\IEXPLOREmgr.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-10 14:45 . 2011-04-10 14:45 -------- d-----w- c:\program files\Microsoft
    2011-04-09 21:20 . 2011-04-10 16:53 -------- d-----w- c:\program files\yoeecjes
    2011-04-09 20:56 . 2011-04-09 21:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-04-09 20:56 . 2011-04-09 20:56 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-04-09 20:56 . 2011-04-09 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-04-04 21:08 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-04 21:08 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-01 17:42 . 2011-04-01 19:41 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-04-01 17:42 . 2011-04-01 19:41 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2011-03-27 01:08 . 2011-03-27 01:08 -------- d-sh--w- c:\documents and settings\KK\IECompatCache
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-04 17:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-02-04 17:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
    2011-02-02 07:58 . 2010-02-26 11:58 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-02-26 11:58 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2010-06-02 04:22 . 2010-06-02 04:22 89944 ----a-w- c:\program files\DSETUP.dll
    2010-06-02 04:22 . 2010-06-02 04:22 537432 ----a-w- c:\program files\DXSETUP.exe
    2010-06-02 04:22 . 2010-06-02 04:22 1801048 ----a-w- c:\program files\dsetup32.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-04-09_21.47.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-10 16:55 . 2011-04-10 16:55 16384 c:\windows\Temp\Perflib_Perfdata_7f8.dat
    + 2011-04-10 16:55 . 2011-04-10 16:55 16384 c:\windows\Temp\Perflib_Perfdata_224.dat
    + 2010-04-16 21:12 . 2010-04-16 21:12 48464 c:\windows\system32\sirenacm.dll
    + 2011-04-10 14:44 . 2011-04-10 14:44 27136 c:\windows\Installer\6f373.msi
    + 2011-04-10 14:44 . 2011-04-10 14:44 83456 c:\windows\Installer\6f369.msi
    + 2011-04-10 14:44 . 2011-04-10 14:44 58880 c:\windows\Installer\6f364.msi
    + 2011-04-10 14:44 . 2011-04-10 14:44 61272 c:\windows\Installer\{E6158D07-2637-4ECF-B576-37C489669174}\IconWlc.exe
    + 2011-04-10 14:45 . 2011-04-10 14:45 80395 c:\windows\Installer\{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}\MsblIco.Exe
    + 2011-04-10 14:45 . 2011-04-10 14:45 429056 c:\windows\Installer\6f37e.msi
    + 2011-04-10 14:45 . 2011-04-10 14:45 155648 c:\windows\Installer\6f378.msi
    + 2011-04-10 14:44 . 2011-04-10 14:44 149504 c:\windows\Installer\6f36e.msi
    + 2011-04-10 14:44 . 2011-04-10 14:44 107008 c:\windows\Installer\6f35f.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [BU]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-26 39408]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "Google Update"="c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-19 136176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-27 7561216]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "58859:TCP"= 58859:TCP:Pando Media Booster
    "58859:UDP"= 58859:UDP:Pando Media Booster
    "5999:TCP"= 5999:TCP:spport
    "8562:TCP"= 8562:TCP:spport
    "12819:TCP"= 12819:TCP:spport
    "25417:TCP"= 25417:TCP:spport
    "21058:TCP"= 21058:TCP:spport
    "86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP"= 4100:UDP:uPNP Router Control Port
    "1371:TCP"= 1371:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [28/04/2010 19:01 33824]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 13:00 14336]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [28/01/2011 18:10 387072]
    R2 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [26/01/2011 17:29 1175556]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [07/04/2010 01:56 20968]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [26/02/2010 13:45 808448]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/02/2010 18:41 135664]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [09/04/2011 21:56 16968]
    S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [26/02/2010 13:35 32384]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [14/11/2007 20:40 34448]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 14:37 517096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    2011-02-28 c:\windows\Tasks\broadcamShakeIcon.job
    - c:\program files\NCH Software\BroadCam\broadcam.exe [2011-01-26 16:29]
    .
    2011-04-10 c:\windows\Tasks\debutShakeIcon.job
    - c:\program files\NCH Software\Debut\debut.exe [2011-01-26 16:27]
    .
    2011-04-01 c:\windows\Tasks\doxillionShakeIcon.job
    - c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-29 19:14]
    .
    2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
    .
    2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 17:41]
    .
    2011-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003Core.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
    .
    2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1003UA.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-05 17:46]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006Core.job
    - c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
    .
    2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1123561945-725345543-1006UA.job
    - c:\documents and settings\KK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-25 16:51]
    .
    2011-04-09 c:\windows\Tasks\Norton Security Scan for KK.job
    - c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-11 10:06]
    .
    2011-04-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-09-28 22:44]
    .
    2010-12-21 c:\windows\Tasks\switchSevenDays.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
    .
    2010-12-21 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-12-21 11:47]
    .
    2011-04-10 c:\windows\Tasks\User_Feed_Synchronization-{D56C9F74-29EA-4B9F-9DBE-3F18F45461D5}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
    .
    2011-02-26 c:\windows\Tasks\wavepadDowngrade.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
    .
    2011-03-22 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-21 11:46]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\KK\Application Data\Mozilla\Firefox\Profiles\ncyirpo3.default\
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-10 18:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\KK\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-04-10 18:21:06
    ComboFix-quarantined-files.txt 2011-04-10 17:21
    ComboFix2.txt 2011-04-10 16:51
    ComboFix3.txt 2011-04-09 21:49
    .
    Pre-Run: 29,752,225,792 bytes free
    Post-Run: 29,752,573,952 bytes free
    .
    - - End Of File - - C4BF9A8A62270144E74F0026FBDC8C71

    Thanks.

  2. #12
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Did you run aswMBR? Please post the TDSSKiller log even if it didn't find anything. Why are you renaming ComboFix? Did you get an AV installed?

    Download catchme to your desktop.

    Double click the catchme.exe to run it.
    Click the "Scan" button to start the scan.
    It will generate a catchme log on your desktop.
    Copy/paste the contents of the log in your reply.
    How Can I Reduce My Risk?

  3. #13
    Junior Member Hastify's Avatar
    Join Date
    Mar 2011
    Posts
    10

    Exclamation

    I renamed ComboFix to combofixx because it said to rename it. I think I downloaded it before but forgot I had it. Sorry, I did; here is the aswMBR log:

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-04-10 17:26:43
    -----------------------------
    17:26:43.453 OS Version: Windows 5.1.2600 Service Pack 3
    17:26:43.453 Number of processors: 2 586 0xF06
    17:26:43.453 ComputerName: TODD-416FE847D9 UserName: User
    17:26:45.546 Initialize success
    17:26:55.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
    17:26:55.296 Disk 0 Vendor: ST9120817AS 3.AAA Size: 114473MB BusType: 3
    17:26:55.296 Disk 1 \Device\Harddisk1\DR2 -> \Device\0000008d
    17:26:55.296 Disk 1 Vendor: ( Size: 114473MB BusType: 0
    17:26:57.343 Disk 0 MBR read successfully
    17:26:57.343 Disk 0 MBR scan
    17:26:59.343 Disk 0 scanning sectors +234436545
    17:26:59.406 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:27:07.578 Service scanning
    17:27:08.937 Disk 0 trace - called modules:
    17:27:08.937
    17:27:08.937 Scan finished successfully


    TDSSKiller doesn't give me a log? Here is a screenshot of what I get:



    Catchme log:

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-11 17:32:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\Documents and Settings\KK\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
    C:\Documents and Settings\User\Start Menu\Programs\Startup\huvqmjng.exe 153019 bytes executable
    C:\Program Files\yoeecjes\huvqmjng.exe 153019 bytes executable

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 3

    Thanks.
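Triage logic for the kind of output pasted in post #11 (the ComboFix firewall and catchme sections) and post #13 (the catchme hidden-file list), as an added example that is not part of the thread or of either tool. It runs over a constructed excerpt in the same format as the posted logs; the threshold of three ports per firewall exception name is an assumption.

```python
"""Triage helpers for ComboFix / catchme output like the logs in this thread.

Added example, not part of the thread or of either tool. It parses a
constructed excerpt in the same format as the posted logs and flags:
  * a firewall 'GloballyOpenPorts' exception name that owns an unusual
    number of distinct ports (legitimate software opens one or two);
  * hidden executables reported by catchme, marking those in an
    autostart location (a Startup folder), where hiding is never benign;
  * hidden executables with the same file name and size in several
    locations, i.e. copies of one dropped file that must go together.
"""
import os
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's logs (not the full log).
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58859:TCP"= 58859:TCP:Pando Media Booster
"58859:UDP"= 58859:UDP:Pando Media Booster
"5999:TCP"= 5999:TCP:spport
"8562:TCP"= 8562:TCP:spport
"12819:TCP"= 12819:TCP:spport
"25417:TCP"= 25417:TCP:spport
"21058:TCP"= 21058:TCP:spport
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
.
scanning hidden files ...
.
c:\\documents and settings\\KK\\Start Menu\\Programs\\Startup\\huvqmjng.exe 153019 bytes executable
c:\\program files\\yoeecjes\\huvqmjng.exe 153019 bytes executable
.
scan completed successfully
hidden files: 2
"""

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
HIDDEN_RE = re.compile(r'^(.+\.exe)\s+(\d+)\s+bytes\s+executable$', re.IGNORECASE)
# Anything in a Startup folder runs at logon; a file hidden there is the
# pattern the thread's cleanup steps are chasing.
AUTOSTART_RE = re.compile(r'\\start menu\\programs\\startup\\', re.IGNORECASE)


def open_ports_by_name(log_text):
    """Map each firewall exception name to the set of (port, proto) it opens."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, name = m.groups()
            ports[name.strip()].add((int(port), proto))
    return dict(ports)


def suspicious_port_owners(log_text, threshold=3):
    """Exception names owning more than `threshold` distinct ports, worst first.
    The threshold is an assumption, not a value from the thread."""
    counts = [(name, len(p)) for name, p in open_ports_by_name(log_text).items()
              if len(p) > threshold]
    return sorted(counts, key=lambda item: (-item[1], item[0]))


def hidden_executables(log_text):
    """(path, size, in_autostart) for each executable catchme reported as hidden."""
    found = []
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            path, size = m.group(1), int(m.group(2))
            found.append((path, size, bool(AUTOSTART_RE.search(path))))
    return found


def dropped_copies(log_text):
    """Group hidden executables by (file name, size); more than one path
    means the same file was dropped in several places."""
    groups = defaultdict(list)
    for path, size, _ in hidden_executables(log_text):
        name = os.path.basename(path.replace("\\", "/")).lower()
        groups[(name, size)].append(path)
    return {key: paths for key, paths in groups.items() if len(paths) > 1}


def triage(log_text):
    """One-call summary a helper could read before choosing the next tool."""
    return {
        "port_owners": suspicious_port_owners(log_text),
        "hidden_autostart": [p for p, _, auto in hidden_executables(log_text) if auto],
        "dropped_copies": dropped_copies(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```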

  4. #14
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK, thanks for the info. Doesn't look like a rootkit anymore. One more download to get.
    Download ZBot
    It's a zip file; there are two versions in the file. Extract ZbotV3 to your desktop. Double click the ZbotV3Remover.exe icon to start, then click the scan button.

    Hopefully you will see these listed as suspicious files:

    C:\Documents and Settings\KK\Start Menu\Programs\Startup\huvqmjng.exe
    C:\Documents and Settings\User\Start Menu\Programs\Startup\huvqmjng.exe
    C:\Program Files\yoeecjes\huvqmjng.exe

    If so select each one by checking the box. Then click delete and reboot at the prompt.
    Should get a confirmation at start up if anything was removed.
    How Can I Reduce My Risk?

  5. #15
    Junior Member Hastify's Avatar
    Join Date
    Mar 2011
    Posts
    10

    Exclamation

    This is what I get when I run ZbotV3Remover.exe:



    The scan took about 1 second to complete.

  6. #16
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK, thanks. To help show all files, do this:

    For XP: on the desktop double click My Computer; at the top click on Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, then Apply, then OK.

    Next, boot your computer into safe mode. To reach safe mode you would tap the F8 key during a computer restart, then choose the first option from the list: Safe Mode. Log into your usual account; once at the safe mode desktop, look for and manually delete these .exes if found. You might want to copy/paste what's below into Notepad and save it so you can find it in safe mode:

    C:\Documents and Settings\KK\Start Menu\Programs\Startup\huvqmjng.exe
    C:\Documents and Settings\User\Start Menu\Programs\Startup\huvqmjng.exe
    C:\Program Files\yoeecjes\huvqmjng.exe

    May as well get these also while in safe mode. Delete what you can out of each folder (Edit > Select All, File > Delete):

    C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

    Click Start > Run, then type %temp%
    Hit OK. Delete all the files you can.

    Click Start > Run, then type %windir%\temp
    Hit OK. Delete all the files you can.

    Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
    How Can I Reduce My Risk?

  7. #17
    Junior Member Hastify's Avatar
    Join Date
    Mar 2011
    Posts
    10

    Exclamation

    I cleared all the temp files successfully. However, even with the hidden folders enabled and hide extensions unchecked, I still can't locate or see huvqmjng.exe - even in safe mode.

    I can locate the program file yoeecjes but when I open it - there is nothing there.

    Thanks.

  8. #18
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK. Check Malwarebytes for updates first, then boot back into safe mode and run Malwarebytes and then ComboFix again, both in safe mode.
    How Can I Reduce My Risk?

  9. #19
    Junior Member Hastify's Avatar
    Join Date
    Mar 2011
    Posts
    10

    Default

    Ok, I'll do it ASAP.
    Last edited by tashi; 2011-06-18 at 07:00. Reason: Date of Archive
