virtumonde, and browser hijacked

Hi,

Please upload the C:\ComboFix_error.dat file here. Kindly include a link to this topic there.
 
Hi,

Thanks for the upload. Are you still experiencing redirects?


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\wininit.dll
Folder::
c:\documents and settings\Branden\Local Settings\Application Data\jkxaou
c:\documents and settings\Branden\Local Settings\Application Data\lpkste


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. Let ComboFix update itself.
Then post the resultant log.
 
It isn't redirecting anymore, now it opens a new browser window. It's tried to do a search for "Sorry but service temporarily unavailable" and a few other random ad type sites.

http://search.yahoo.com/search?fr=c...&p=Sorry,+but+service+temporarily+unavailable.


ComboFix 09-11-28.03 - Branden 11/28/2009 21:46.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.548 [GMT -5:00]
Running from: c:\documents and settings\Branden\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Branden\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\wininit.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Branden\Local Settings\Application Data\jkxaou
c:\documents and settings\Branden\Local Settings\Application Data\lpkste
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\wininit.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-27 18:56 . 2009-11-27 18:58 -------- d-----w- c:\program files\QuickTime
2009-11-27 18:56 . 2009-11-27 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-27 08:44 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Branden\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-27 08:43 . 2009-11-27 08:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-27 08:39 . 2009-11-27 08:39 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-27 08:39 . 2009-11-27 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-27 07:53 . 2008-04-14 10:41 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-27 07:53 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-25 21:41 . 2008-04-14 10:42 50176 ------w- c:\windows\system32\proquota.exe
2009-11-25 21:41 . 2008-04-14 10:41 56320 ------w- c:\windows\system32\eventlog.dll
2009-11-21 17:03 . 2009-11-24 20:53 -------- d-----w- c:\program files\AntiMalware
2009-11-21 05:52 . 2009-11-21 05:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-13 00:48 . 2009-11-13 00:48 -------- d-----w- c:\documents and settings\Branden\Application Data\Malwarebytes
2009-11-13 00:48 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 00:48 . 2009-11-13 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 00:48 . 2009-11-13 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 00:48 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-11 14:47 . 2009-11-11 14:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-02 18:10 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-11-02 18:10 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-11-02 18:10 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-11-02 18:10 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-11-02 18:10 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-11-02 18:10 . 2008-04-14 10:39 6144 ----a-w- c:\windows\system32\kbd106.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 06:53 . 2009-09-27 15:14 116968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 09:17 . 2009-08-04 20:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-27 09:06 . 2008-10-06 04:50 -------- d-----w- c:\program files\Java
2009-11-27 08:52 . 2008-10-06 04:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-21 23:21 . 2009-08-04 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-21 20:52 . 2009-08-26 21:05 -------- d-----w- c:\program files\Blubster
2009-11-20 02:42 . 2009-08-04 20:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 05:22 . 2009-09-26 23:27 48352 ----a-w- c:\documents and settings\Branden\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-27 15:59 . 2008-04-15 04:00 769024 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2009-09-27 15:59 . 2008-04-15 04:00 50176 ----a-w- c:\windows\system32\utilman.exe
2009-09-27 15:59 . 2008-04-15 04:00 3396608 ----a-w- c:\windows\system32\logonui.exe
2009-09-27 15:59 . 2006-10-19 12:47 276992 ----a-w- c:\windows\system32\audiodev.dll
2009-09-27 15:59 . 2008-04-15 04:00 540672 ----a-w- c:\windows\system32\sti_ci.dll
2009-09-27 15:59 . 2008-04-15 04:00 202752 ----a-w- c:\windows\system32\tcpmonui.dll
2009-09-27 15:58 . 2008-04-15 04:00 987648 ----a-w- c:\windows\system32\rasdlg.dll
2009-09-27 15:58 . 2001-08-18 13:36 1446912 ----a-w- c:\windows\system32\ntbackup.exe
2009-09-27 15:58 . 2008-04-15 04:00 200704 ----a-w- c:\windows\system32\mdminst.dll
2009-09-27 15:58 . 2008-04-15 04:00 399360 ----a-w- c:\windows\system32\fsquirt.exe
2009-09-27 15:58 . 2008-04-15 04:00 808960 ----a-w- c:\windows\system32\dmdlgs.dll
2009-09-27 15:58 . 2008-04-15 04:00 221696 ----a-w- c:\windows\system32\fldrclnr.dll
2009-09-27 15:58 . 2008-04-15 04:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-09-27 15:57 . 2008-04-15 04:00 794624 ----a-w- c:\windows\system32\sstext3d.scr
2009-09-27 15:57 . 2008-04-15 04:00 720896 ----a-w- c:\windows\system32\sspipes.scr
2009-09-27 15:57 . 2008-04-15 04:00 503808 ----a-w- c:\windows\system32\ssflwbox.scr
2009-09-27 15:57 . 2008-04-15 04:00 819200 ----a-w- c:\windows\system32\ss3dfo.scr
2009-09-27 15:57 . 2008-04-15 04:00 121856 ----a-w- c:\windows\system32\scrnsave.scr
2009-09-27 15:56 . 2008-04-15 04:00 806400 ----a-w- c:\windows\system32\comres.dll
2009-09-27 15:56 . 2008-04-15 04:00 835584 ----a-w- c:\windows\system32\certmgr.dll
2009-09-27 15:56 . 2008-04-15 04:00 427520 ----a-w- c:\windows\system32\devmgr.dll
2009-09-27 15:56 . 2008-04-15 04:00 146944 ----a-w- c:\windows\system32\eventvwr.exe
2009-09-27 15:56 . 2008-04-15 04:00 76288 ----a-w- c:\windows\system32\mmcshext.dll
2009-09-27 15:56 . 2008-04-15 04:00 1449984 ----a-w- c:\windows\system32\mmc.exe
2009-09-27 15:55 . 2008-04-15 04:00 512000 ----a-w- c:\windows\system32\cmd.exe
2009-09-27 15:55 . 2008-04-15 04:00 151040 ----a-w- c:\windows\system32\sndrec32.exe
2009-09-27 15:55 . 2008-04-15 04:00 184320 ----a-w- c:\windows\system32\taskmgr.exe
2009-09-27 15:55 . 2008-04-15 04:00 733696 ----a-w- c:\windows\system32\mstsc.exe
2009-09-27 15:55 . 2008-04-15 04:00 589824 ----a-w- c:\windows\system32\wscript.exe
2009-09-27 15:55 . 2008-04-15 04:00 527360 ----a-w- c:\windows\system32\mspaint.exe
2009-09-27 15:55 . 2008-04-15 04:00 426496 ----a-w- c:\windows\regedit.exe
2009-09-27 15:55 . 2008-04-15 04:00 192000 ----a-w- c:\windows\system32\notepad.exe
2009-09-27 15:55 . 2008-04-15 04:00 896000 ----a-w- c:\windows\system32\spider.exe
2009-09-27 15:55 . 2008-04-15 04:00 693760 ----a-w- c:\windows\system32\cards.dll
2009-09-27 15:55 . 2008-04-15 04:00 185344 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-09-27 15:55 . 2008-04-15 04:00 148992 ----a-w- c:\windows\hh.exe
2009-09-27 15:54 . 2008-04-15 04:00 20992 ----a-w- c:\windows\system32\write.exe
2009-09-27 15:54 . 2006-10-19 12:47 9128448 ----a-w- c:\windows\system32\wmploc.dll
2009-09-27 15:54 . 2008-04-15 04:00 2671104 ----a-w- c:\windows\system32\quartz.dll
2009-09-27 15:52 . 2008-04-15 04:00 385536 ----a-w- c:\windows\system32\msieftp.dll
2009-09-27 15:51 . 2008-04-15 04:00 841216 ----a-w- c:\windows\system32\shdoclc.dll
2009-09-27 15:51 . 2008-04-15 04:00 206336 ----a-w- c:\windows\system32\iexpress.exe
2009-09-27 15:51 . 2008-04-15 04:00 163840 ----a-w- c:\windows\system32\inetcplc.dll
2009-09-27 15:51 . 2008-04-15 04:00 1692672 ----a-w- c:\windows\system32\winbrand.dll
2009-09-27 15:51 . 2008-04-15 04:00 1789952 ----a-w- c:\windows\explorer.exe
2009-09-27 15:51 . 2008-04-15 04:00 964608 ----a-w- c:\windows\system32\zipfldr.dll
2009-09-27 15:50 . 2008-04-15 04:00 3905536 ----a-w- c:\windows\system32\xpsp2res.dll
2009-09-27 15:50 . 2008-04-15 04:00 2765312 ----a-w- c:\windows\system32\winntbbu.dll
2009-09-27 15:50 . 2008-04-15 04:00 711680 ----a-w- c:\windows\system32\wiashext.dll
2009-09-27 15:50 . 2008-04-15 04:00 538112 ----a-w- c:\windows\system32\wiadefui.dll
2009-09-27 15:49 . 2008-04-15 04:00 1377792 ----a-w- c:\windows\system32\wiaacmgr.exe
2009-09-27 15:49 . 2008-04-15 04:00 113664 ----a-w- c:\windows\system32\verifier.exe
2009-09-27 15:49 . 2008-04-15 04:00 387584 ----a-w- c:\windows\system32\themeui.dll
2009-09-27 15:49 . 2008-04-15 04:00 91136 ----a-w- c:\windows\system32\telnet.exe
2009-09-27 15:48 . 2008-04-15 04:00 178176 ----a-w- c:\windows\system32\tapiui.dll
2009-09-27 15:48 . 2008-04-15 04:00 743424 ----a-w- c:\windows\system32\sxs.dll
2009-09-27 15:48 . 2008-04-15 04:00 413184 ----a-w- c:\windows\system32\sysocmgr.exe
2009-09-27 15:48 . 2008-04-15 04:00 387072 ----a-w- c:\windows\system32\syncui.dll
2009-09-27 15:48 . 2008-04-15 04:00 127488 ----a-w- c:\windows\system32\stobject.dll
2009-09-27 15:48 . 2008-04-15 04:00 1214976 ----a-w- c:\windows\system32\syssetup.dll
2009-09-27 15:48 . 2008-04-15 04:00 42496 ----a-w- c:\windows\system32\shscrap.dll
2009-09-27 15:48 . 2008-04-15 04:00 259584 ----a-w- c:\windows\system32\srrstr.dll
2009-09-27 15:48 . 2008-04-15 04:00 258560 ----a-w- c:\windows\system32\shrpubw.exe
2009-09-27 15:48 . 2008-04-15 04:00 147456 ----a-w- c:\windows\system32\sndvol32.exe
2009-09-27 15:48 . 2008-04-15 04:00 129536 ----a-w- c:\windows\system32\sigverif.exe
2009-09-27 15:48 . 2008-04-15 04:00 1278976 ----a-w- c:\windows\system32\shimgvw.dll
2009-09-27 15:47 . 2008-04-15 04:00 1439232 ----a-w- c:\windows\system32\setupapi.dll
2009-09-27 15:47 . 2008-04-15 04:00 88064 ----a-w- c:\windows\system32\remotepg.dll
2009-09-27 15:47 . 2008-04-15 04:00 29696 ----a-w- c:\windows\system32\runonce.exe
2009-09-27 15:47 . 2008-04-15 04:00 184320 ----a-w- c:\windows\system32\scrobj.dll
2009-09-27 15:47 . 2008-04-15 04:00 18944 ----a-w- c:\windows\system32\regedt32.exe
2009-09-27 15:47 . 2008-04-15 04:00 891392 ----a-w- c:\windows\system32\printui.dll
2009-09-27 15:47 . 2008-04-15 04:00 489472 ----a-w- c:\windows\system32\photowiz.dll
2009-09-27 15:47 . 2008-04-15 04:00 173568 ----a-w- c:\windows\system32\pifmgr.dll
2009-09-27 15:47 . 2008-04-15 04:00 49152 ----a-w- c:\windows\system32\odbcad32.exe
2009-09-27 15:47 . 2008-04-15 04:00 31232 ----a-w- c:\windows\system32\perfmon.exe
2009-09-27 15:47 . 2008-04-15 04:00 110592 ----a-w- c:\windows\system32\odbcint.dll
2009-09-27 15:46 . 2008-04-15 04:00 47104 ----a-w- c:\windows\system32\ntsd.exe
2009-09-27 15:46 . 2008-04-15 04:00 31744 ----a-w- c:\windows\system32\ntlanui2.dll
2009-09-27 15:46 . 2008-04-15 04:00 92160 ----a-w- c:\windows\system32\nslookup.exe
2009-09-27 15:46 . 2008-04-15 04:00 705536 ----a-w- c:\windows\system32\newdev.dll
2009-09-27 15:46 . 2008-04-15 04:00 2336768 ----a-w- c:\windows\system32\netshell.dll
2009-09-27 15:46 . 2008-04-15 04:00 2058240 ----a-w- c:\windows\system32\netplwiz.dll
2009-09-27 15:45 . 2008-04-15 04:00 336384 ----a-w- c:\windows\system32\mydocs.dll
2009-09-27 15:45 . 2008-04-15 04:00 108032 ----a-w- c:\windows\system32\mycomput.dll
2009-09-27 15:45 . 2008-04-15 04:00 460800 ----a-w- c:\windows\system32\mstask.dll
2009-09-27 15:45 . 2008-04-15 04:00 217088 ----a-w- c:\windows\system32\msiexec.exe
2009-09-27 15:45 . 2008-04-15 04:00 3011072 ----a-w- c:\windows\system32\msi.dll
2009-09-27 15:45 . 2008-04-15 04:00 55808 ----a-w- c:\windows\system32\msident.dll
2009-09-27 15:45 . 2008-04-15 04:00 1512960 ----a-w- c:\windows\system32\msgina.dll
2009-09-27 15:45 . 2008-04-15 04:00 305664 ----a-w- c:\windows\system32\msctf.dll
2009-09-27 15:45 . 2008-04-15 04:00 20992 ----a-w- c:\windows\system32\msdtc.exe
.

------- Sigcheck -------

[-] 2009-09-27 . EC5B4798DBF53403EB82553CD43CB7E2 . 1789952 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-09-27 . EB764361FE5112298C70B5CE46260F89 . 30208 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-11-22_00.16.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-29 02:23 . 2009-11-29 02:23 16384 c:\windows\Temp\Perflib_Perfdata_780.dat
- 2008-04-15 04:00 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2008-04-15 04:00 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
- 2008-06-24 17:26 . 2009-11-22 00:16 71980 c:\windows\system32\perfc009.dat
+ 2008-06-24 17:26 . 2009-11-25 19:16 71980 c:\windows\system32\perfc009.dat
+ 2008-12-09 20:11 . 2009-11-29 02:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-09 20:11 . 2009-11-22 00:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-09 20:11 . 2009-11-22 00:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-09 20:11 . 2009-11-29 02:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-09 20:11 . 2009-11-22 00:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-09 20:11 . 2009-11-29 02:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-27 08:44 . 2009-11-27 08:44 21504 c:\windows\Installer\3b353d.msi
+ 2009-11-27 08:44 . 2009-11-27 08:44 27648 c:\windows\Installer\3b3538.msi
+ 2009-07-12 06:12 . 2009-07-12 06:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 06:09 . 2009-07-12 06:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 06:08 . 2009-07-12 06:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
- 2008-06-24 17:26 . 2009-11-22 00:16 442568 c:\windows\system32\perfh009.dat
+ 2008-06-24 17:26 . 2009-11-25 19:16 442568 c:\windows\system32\perfh009.dat
- 2009-08-04 20:19 . 2009-08-04 20:18 149280 c:\windows\system32\javaws.exe
+ 2009-11-27 09:19 . 2009-11-27 09:17 149280 c:\windows\system32\javaws.exe
- 2009-08-04 20:19 . 2009-08-04 20:18 145184 c:\windows\system32\javaw.exe
+ 2009-11-27 09:19 . 2009-11-27 09:17 145184 c:\windows\system32\javaw.exe
+ 2009-11-27 09:19 . 2009-11-27 09:17 145184 c:\windows\system32\java.exe
- 2009-08-04 20:19 . 2009-08-04 20:18 145184 c:\windows\system32\java.exe
- 2009-08-04 21:02 . 2009-08-04 20:55 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-08-04 21:02 . 2009-11-27 09:06 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-11-27 19:00 . 2009-11-27 19:00 796672 c:\windows\Installer\21659ef.msi
+ 2008-04-15 04:00 . 2009-07-31 15:05 1372672 c:\windows\system32\msxml6.dll
+ 2008-04-15 04:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2008-09-10 01:14 . 2009-07-31 15:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2009-08-05 07:35 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2009-11-27 09:17 . 2009-11-27 09:17 1757696 c:\windows\Installer\4d428.msi
+ 2009-11-27 08:52 . 2009-11-27 08:52 3940352 c:\windows\Installer\3b3542.msi
+ 2009-11-27 18:58 . 2009-11-27 18:58 9473024 c:\windows\Installer\21659de.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-30 442477]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-27 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"IDTSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2008-08-30 442477]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 604776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AWC"="c:\program files\AWC\AWC"
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" /min

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/5/2008 11:41 PM 112128]
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 22:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D3E170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf752cf28
\Driver\ACPI -> ACPI.sys @ 0xf739fcb8
\Driver\atapi -> atapi.sys @ 0xf7357852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7263bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7252a0d
SendHandler -> NDIS.sys @ 0xf7266b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,a7,81,bb,f3,6f,27,4f,b0,78,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,a7,81,bb,f3,6f,27,4f,b0,78,24,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\WININET.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\WININET.dll
c:\windows\system32\wdigest.dll
c:\windows\system32\setupapi.dll
.
Completion time: 2009-11-28 22:13
ComboFix-quarantined-files.txt 2009-11-29 03:13
ComboFix2.txt 2009-11-27 08:18
ComboFix3.txt 2009-11-25 22:15
ComboFix4.txt 2009-11-24 21:32
ComboFix5.txt 2009-11-29 02:42

Pre-Run: 7,384,023,040 bytes free
Post-Run: 7,449,845,760 bytes free

- - End Of File - - 30E0DEF161E44F1FA85DABA179D75EC6
 
I tried to post this last night, but I couldn't get on to just this site with either computer; all the other sites worked fine.
 
Hi,

Yes, I heard the same thing from another user. The site may have been down due to maintenance at some point.


1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

copy /y C:\WINDOWS\system32\drivers\atapi.sys c:\atapi.bad

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Upload c:\atapi.bad file to Virustotal and post back the results.
 
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.30 Rootkit.Win32.TDSS!IK
AhnLab-V3 5.0.0.2 2009.11.30 -
AntiVir 7.9.1.79 2009.11.30 -
Antiy-AVL 2.0.3.7 2009.11.30 -
Authentium 5.2.0.5 2009.11.30 -
Avast 4.8.1351.0 2009.11.30 -
AVG 8.5.0.426 2009.11.30 -
BitDefender 7.2 2009.11.30 -
CAT-QuickHeal 10.00 2009.11.30 Rootkit.TDSS.y
ClamAV 0.94.1 2009.11.30 -
Comodo 3091 2009.11.30 -
DrWeb 5.0.0.12182 2009.11.30 BackDoor.Tdss.1133
eTrust-Vet 35.1.7148 2009.11.30 -
F-Prot 4.5.1.85 2009.11.30 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.11.30 -
GData 19 2009.11.30 -
Ikarus T3.1.1.74.0 2009.11.30 Rootkit.Win32.TDSS
Jiangmin 11.0.800 2009.11.29 Rootkit.TDSS.cwf
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.11.30 Rootkit.Win32.TDSS.y
McAfee 5818 2009.11.30 -
McAfee+Artemis 5818 2009.11.30 -
McAfee-GW-Edition 6.8.5 2009.11.30 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5302 2009.11.30 Virus:Win32/Alureon.C
NOD32 4650 2009.11.30 Win32/Olmarik.PV
Norman 6.03.02 2009.11.30 W32/TDSS.drv.gen2
nProtect 2009.1.8.0 2009.11.28 Trojan/W32.Rootkit.96512.D
Panda 10.0.2.2 2009.11.30 -
PCTools 7.0.3.5 2009.11.30 -
Prevx 3.0 2009.11.30 Medium Risk Malware
Rising 22.24.00.09 2009.11.30 -
Sophos 4.48.0 2009.11.30 -
Sunbelt 3.2.1858.2 2009.11.29 -
Symantec 1.4.4.12 2009.11.30 -
TheHacker 6.5.0.2.082 2009.11.30 -
TrendMicro 9.100.0.1001 2009.11.30 -
VBA32 3.12.12.0 2009.11.30 Rootkit.Win32.TDSL
ViRobot 2009.11.30.2062 2009.11.30 -
VirusBuster 5.0.21.0 2009.11.30 -
Additional information
File size: 96512 bytes
MD5...: 4d07d32c358da2eb2c7142b3ace7228a
SHA1..: 039fbc7353c17fb1839d0388923c9586b048cf65
SHA256: 9316289ed883212e25ba48fd873fd7d475bb1235606d2c69ac1b211f0e81a588
ssdeep: 1536:kwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uC:kQ+N74vkEZIxMohjsimBoDTRMBwFktZ+

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x167a4
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 6.10 1a16ac977768488c726b00e4fce59413
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, 
IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
http://info.prevx.com/aboutprogramtext.asp?PX5=7EFDCA54002458B979D801FAFEE1BA00D86A282E
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
 
Good. Let's continue.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

copy /y C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys c:\windows\system32\drivers\atapi.sys

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Run ComboFix and post back its log. Is the issue with browsing still present?
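The two Recovery Console steps in this thread copy the live atapi.sys out for scanning and then overwrite it with the copy under ReinstallBackups, after the Gmer section of the log listed \Driver\atapi among the hooked drivers and an UNKNOWN module in the disk call chain. The Python below is an added illustration, not code from the thread or from ComboFix, Gmer or VirusTotal. It does the same triage offline: it hashes a driver image so it can be matched against scanner-reported hashes (the MD5/SHA1/SHA256 VirusTotal returned for the upload above), compares it byte-for-byte with a pristine copy, and reads the PE build stamp, which for the uploaded sample was still the April 2008 value, so neither size (96512 bytes) nor timestamp distinguishes the infected file from the original. The sample bytes are constructed; the patch offset 0x2000 is arbitrary, and the ReinstallBackups\0008 path is the one the helper gave for this machine, not a fixed location.

```python
"""Offline triage of a suspect boot driver (here atapi.sys).

Added example for this thread, not code from the thread, ComboFix, Gmer or
VirusTotal. It mirrors the helper's two Recovery Console steps in code:
hash the live driver so it can be matched against scanner-reported hashes,
and compare it with the pristine copy kept under ReinstallBackups.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Hashes VirusTotal reported for the uploaded c:\atapi.bad in this thread.
KNOWN_BAD: Dict[str, str] = {
    "md5": "4d07d32c358da2eb2c7142b3ace7228a",
    "sha1": "039fbc7353c17fb1839d0388923c9586b048cf65",
    "sha256": "9316289ed883212e25ba48fd873fd7d475bb1235606d2c69ac1b211f0e81a588",
}

# Paths from the helper's instructions; the 0008 subfolder is specific to
# this machine (assumption: use whichever ReinstallBackups folder holds atapi).
BACKUP_PATH = r"C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys"
LIVE_PATH = r"C:\WINDOWS\system32\drivers\atapi.sys"


def digests(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of an in-memory image, the three hashes VirusTotal prints."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_timestamp(data: bytes) -> int:
    """COFF TimeDateStamp: e_lfanew at 0x3C, then 'PE\\0\\0', Machine, NumberOfSections, stamp."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


@dataclass
class Verdict:
    status: str   # known-bad | clean | patched | mismatch | unknown
    detail: str


def triage(live: bytes, backup: Optional[bytes], known_bad: Dict[str, str] = KNOWN_BAD) -> Verdict:
    """Classify a driver image against known-bad hashes and a pristine copy."""
    d = digests(live)
    if any(d[alg] == h for alg, h in known_bad.items()):
        return Verdict("known-bad", "hash matches a scanner-reported sample")
    if backup is None:
        return Verdict("unknown", "no pristine copy to compare against")
    if live == backup:
        return Verdict("clean", "byte-identical to the backup copy")
    if len(live) == len(backup):
        # Size (and, as the VirusTotal PEInfo shows, the build stamp) survive an
        # in-place patch; only the bytes tell you. Report where they diverge.
        first = next(i for i, (a, b) in enumerate(zip(live, backup)) if a != b)
        return Verdict("patched", f"same size, first difference at offset 0x{first:x}")
    return Verdict("mismatch", f"size differs: live={len(live)} backup={len(backup)}")


def triage_paths(live_path: str = LIVE_PATH, backup_path: Optional[str] = BACKUP_PATH) -> Verdict:
    """Same check against files on disk (e.g. c:\\atapi.bad versus the backup copy)."""
    with open(live_path, "rb") as f:
        live = f.read()
    backup = None
    if backup_path:
        with open(backup_path, "rb") as f:
            backup = f.read()
    return triage(live, backup)


def build_sample(seed: bytes, size: int = 96512, timestamp: int = 0x4802539D) -> bytes:
    """Constructed stand-in for atapi.sys: minimal MZ/PE header plus filler.
    Not a real driver; only the fields this script reads are meaningful.
    Size and stamp are the values VirusTotal printed for the real upload."""
    img = bytearray(size)
    e_lfanew = 0x40
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHI", img, e_lfanew + 4, 0x14C, 9, timestamp)  # I386, 9 sections
    img[0x100:] = (seed * (size // len(seed) + 1))[: size - 0x100]
    return bytes(img)


if __name__ == "__main__":
    pristine = build_sample(b"ORIGINAL-ATAPI-BYTES-")
    patched = bytearray(pristine)
    patched[0x2000:0x2010] = b"\x90" * 16        # constructed in-place patch
    for name, image in (("pristine", pristine), ("patched", bytes(patched))):
        v = triage(image, pristine)
        print(f"{name}: {v.status} ({v.detail}); build stamp 0x{pe_timestamp(image):08x}")
```

Run it against real files with `triage_paths(r"c:\atapi.bad")` once the driver has been copied out in the Recovery Console. One caveat when reading the VirusTotal sigcheck block: Windows XP system drivers are signed through catalog files, not an embedded Authenticode signature, so "verified: Unsigned" on a detached copy is expected and is not evidence on its own; the byte comparison against the backup and the hash match are.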
 
The browsing issues seem to be cleared up.

ComboFix 09-11-30.02 - Branden 11/30/2009 16:16.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.653 [GMT -5:00]
Running from: c:\documents and settings\Branden\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-27 18:56 . 2009-11-27 18:58 -------- d-----w- c:\program files\QuickTime
2009-11-27 18:56 . 2009-11-27 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-27 08:44 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Branden\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-27 08:43 . 2009-11-27 08:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-27 08:39 . 2009-11-27 08:39 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-27 08:39 . 2009-11-27 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-27 07:53 . 2008-04-14 10:41 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-27 07:53 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-25 21:41 . 2008-04-14 10:42 50176 ------w- c:\windows\system32\proquota.exe
2009-11-25 21:41 . 2008-04-14 10:41 56320 ------w- c:\windows\system32\eventlog.dll
2009-11-21 17:03 . 2009-11-24 20:53 -------- d-----w- c:\program files\AntiMalware
2009-11-21 05:52 . 2009-11-21 05:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-13 00:48 . 2009-11-13 00:48 -------- d-----w- c:\documents and settings\Branden\Application Data\Malwarebytes
2009-11-13 00:48 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 00:48 . 2009-11-13 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 00:48 . 2009-11-13 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 00:48 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-11 14:47 . 2009-11-11 14:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-02 18:10 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-11-02 18:10 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-11-02 18:10 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-11-02 18:10 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-11-02 18:10 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-11-02 18:10 . 2008-04-14 10:39 6144 ----a-w- c:\windows\system32\kbd106.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 06:53 . 2009-09-27 15:14 116968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-27 09:17 . 2009-08-04 20:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-27 09:06 . 2008-10-06 04:50 -------- d-----w- c:\program files\Java
2009-11-27 08:52 . 2008-10-06 04:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-21 23:21 . 2009-08-04 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-21 20:52 . 2009-08-26 21:05 -------- d-----w- c:\program files\Blubster
2009-11-20 02:42 . 2009-08-04 20:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 05:22 . 2009-09-26 23:27 48352 ----a-w- c:\documents and settings\Branden\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-27 15:59 . 2008-04-15 04:00 769024 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2009-09-27 15:59 . 2008-04-15 04:00 50176 ----a-w- c:\windows\system32\utilman.exe
2009-09-27 15:59 . 2008-04-15 04:00 3396608 ----a-w- c:\windows\system32\logonui.exe
2009-09-27 15:59 . 2006-10-19 12:47 276992 ----a-w- c:\windows\system32\audiodev.dll
2009-09-27 15:59 . 2008-04-15 04:00 540672 ----a-w- c:\windows\system32\sti_ci.dll
2009-09-27 15:59 . 2008-04-15 04:00 202752 ----a-w- c:\windows\system32\tcpmonui.dll
2009-09-27 15:58 . 2008-04-15 04:00 987648 ----a-w- c:\windows\system32\rasdlg.dll
2009-09-27 15:58 . 2001-08-18 13:36 1446912 ----a-w- c:\windows\system32\ntbackup.exe
2009-09-27 15:58 . 2008-04-15 04:00 200704 ----a-w- c:\windows\system32\mdminst.dll
2009-09-27 15:58 . 2008-04-15 04:00 399360 ----a-w- c:\windows\system32\fsquirt.exe
2009-09-27 15:58 . 2008-04-15 04:00 808960 ----a-w- c:\windows\system32\dmdlgs.dll
2009-09-27 15:58 . 2008-04-15 04:00 221696 ----a-w- c:\windows\system32\fldrclnr.dll
2009-09-27 15:58 . 2008-04-15 04:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-09-27 15:57 . 2008-04-15 04:00 794624 ----a-w- c:\windows\system32\sstext3d.scr
2009-09-27 15:57 . 2008-04-15 04:00 720896 ----a-w- c:\windows\system32\sspipes.scr
2009-09-27 15:57 . 2008-04-15 04:00 503808 ----a-w- c:\windows\system32\ssflwbox.scr
2009-09-27 15:57 . 2008-04-15 04:00 819200 ----a-w- c:\windows\system32\ss3dfo.scr
2009-09-27 15:57 . 2008-04-15 04:00 121856 ----a-w- c:\windows\system32\scrnsave.scr
2009-09-27 15:56 . 2008-04-15 04:00 806400 ----a-w- c:\windows\system32\comres.dll
2009-09-27 15:56 . 2008-04-15 04:00 835584 ----a-w- c:\windows\system32\certmgr.dll
2009-09-27 15:56 . 2008-04-15 04:00 427520 ----a-w- c:\windows\system32\devmgr.dll
2009-09-27 15:56 . 2008-04-15 04:00 146944 ----a-w- c:\windows\system32\eventvwr.exe
2009-09-27 15:56 . 2008-04-15 04:00 76288 ----a-w- c:\windows\system32\mmcshext.dll
2009-09-27 15:56 . 2008-04-15 04:00 1449984 ----a-w- c:\windows\system32\mmc.exe
2009-09-27 15:55 . 2008-04-15 04:00 512000 ----a-w- c:\windows\system32\cmd.exe
2009-09-27 15:55 . 2008-04-15 04:00 151040 ----a-w- c:\windows\system32\sndrec32.exe
2009-09-27 15:55 . 2008-04-15 04:00 184320 ----a-w- c:\windows\system32\taskmgr.exe
2009-09-27 15:55 . 2008-04-15 04:00 733696 ----a-w- c:\windows\system32\mstsc.exe
2009-09-27 15:55 . 2008-04-15 04:00 589824 ----a-w- c:\windows\system32\wscript.exe
2009-09-27 15:55 . 2008-04-15 04:00 527360 ----a-w- c:\windows\system32\mspaint.exe
2009-09-27 15:55 . 2008-04-15 04:00 426496 ----a-w- c:\windows\regedit.exe
2009-09-27 15:55 . 2008-04-15 04:00 192000 ----a-w- c:\windows\system32\notepad.exe
2009-09-27 15:55 . 2008-04-15 04:00 896000 ----a-w- c:\windows\system32\spider.exe
2009-09-27 15:55 . 2008-04-15 04:00 693760 ----a-w- c:\windows\system32\cards.dll
2009-09-27 15:55 . 2008-04-15 04:00 185344 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-09-27 15:55 . 2008-04-15 04:00 148992 ----a-w- c:\windows\hh.exe
2009-09-27 15:54 . 2008-04-15 04:00 20992 ----a-w- c:\windows\system32\write.exe
2009-09-27 15:54 . 2006-10-19 12:47 9128448 ----a-w- c:\windows\system32\wmploc.dll
2009-09-27 15:54 . 2008-04-15 04:00 2671104 ----a-w- c:\windows\system32\quartz.dll
2009-09-27 15:52 . 2008-04-15 04:00 385536 ----a-w- c:\windows\system32\msieftp.dll
2009-09-27 15:51 . 2008-04-15 04:00 841216 ----a-w- c:\windows\system32\shdoclc.dll
2009-09-27 15:51 . 2008-04-15 04:00 206336 ----a-w- c:\windows\system32\iexpress.exe
2009-09-27 15:51 . 2008-04-15 04:00 163840 ----a-w- c:\windows\system32\inetcplc.dll
2009-09-27 15:51 . 2008-04-15 04:00 1692672 ----a-w- c:\windows\system32\winbrand.dll
2009-09-27 15:51 . 2008-04-15 04:00 1789952 ----a-w- c:\windows\explorer.exe
2009-09-27 15:51 . 2008-04-15 04:00 964608 ----a-w- c:\windows\system32\zipfldr.dll
2009-09-27 15:50 . 2008-04-15 04:00 3905536 ----a-w- c:\windows\system32\xpsp2res.dll
2009-09-27 15:50 . 2008-04-15 04:00 2765312 ----a-w- c:\windows\system32\winntbbu.dll
2009-09-27 15:50 . 2008-04-15 04:00 711680 ----a-w- c:\windows\system32\wiashext.dll
2009-09-27 15:50 . 2008-04-15 04:00 538112 ----a-w- c:\windows\system32\wiadefui.dll
2009-09-27 15:49 . 2008-04-15 04:00 1377792 ----a-w- c:\windows\system32\wiaacmgr.exe
2009-09-27 15:49 . 2008-04-15 04:00 113664 ----a-w- c:\windows\system32\verifier.exe
2009-09-27 15:49 . 2008-04-15 04:00 387584 ----a-w- c:\windows\system32\themeui.dll
2009-09-27 15:49 . 2008-04-15 04:00 91136 ----a-w- c:\windows\system32\telnet.exe
2009-09-27 15:48 . 2008-04-15 04:00 178176 ----a-w- c:\windows\system32\tapiui.dll
2009-09-27 15:48 . 2008-04-15 04:00 743424 ----a-w- c:\windows\system32\sxs.dll
2009-09-27 15:48 . 2008-04-15 04:00 413184 ----a-w- c:\windows\system32\sysocmgr.exe
2009-09-27 15:48 . 2008-04-15 04:00 387072 ----a-w- c:\windows\system32\syncui.dll
2009-09-27 15:48 . 2008-04-15 04:00 127488 ----a-w- c:\windows\system32\stobject.dll
2009-09-27 15:48 . 2008-04-15 04:00 1214976 ----a-w- c:\windows\system32\syssetup.dll
2009-09-27 15:48 . 2008-04-15 04:00 42496 ----a-w- c:\windows\system32\shscrap.dll
2009-09-27 15:48 . 2008-04-15 04:00 259584 ----a-w- c:\windows\system32\srrstr.dll
2009-09-27 15:48 . 2008-04-15 04:00 258560 ----a-w- c:\windows\system32\shrpubw.exe
2009-09-27 15:48 . 2008-04-15 04:00 147456 ----a-w- c:\windows\system32\sndvol32.exe
2009-09-27 15:48 . 2008-04-15 04:00 129536 ----a-w- c:\windows\system32\sigverif.exe
2009-09-27 15:48 . 2008-04-15 04:00 1278976 ----a-w- c:\windows\system32\shimgvw.dll
2009-09-27 15:47 . 2008-04-15 04:00 1439232 ----a-w- c:\windows\system32\setupapi.dll
2009-09-27 15:47 . 2008-04-15 04:00 88064 ----a-w- c:\windows\system32\remotepg.dll
2009-09-27 15:47 . 2008-04-15 04:00 29696 ----a-w- c:\windows\system32\runonce.exe
2009-09-27 15:47 . 2008-04-15 04:00 184320 ----a-w- c:\windows\system32\scrobj.dll
2009-09-27 15:47 . 2008-04-15 04:00 18944 ----a-w- c:\windows\system32\regedt32.exe
2009-09-27 15:47 . 2008-04-15 04:00 891392 ----a-w- c:\windows\system32\printui.dll
2009-09-27 15:47 . 2008-04-15 04:00 489472 ----a-w- c:\windows\system32\photowiz.dll
2009-09-27 15:47 . 2008-04-15 04:00 173568 ----a-w- c:\windows\system32\pifmgr.dll
2009-09-27 15:47 . 2008-04-15 04:00 49152 ----a-w- c:\windows\system32\odbcad32.exe
2009-09-27 15:47 . 2008-04-15 04:00 31232 ----a-w- c:\windows\system32\perfmon.exe
2009-09-27 15:47 . 2008-04-15 04:00 110592 ----a-w- c:\windows\system32\odbcint.dll
2009-09-27 15:46 . 2008-04-15 04:00 47104 ----a-w- c:\windows\system32\ntsd.exe
2009-09-27 15:46 . 2008-04-15 04:00 31744 ----a-w- c:\windows\system32\ntlanui2.dll
2009-09-27 15:46 . 2008-04-15 04:00 92160 ----a-w- c:\windows\system32\nslookup.exe
2009-09-27 15:46 . 2008-04-15 04:00 705536 ----a-w- c:\windows\system32\newdev.dll
2009-09-27 15:46 . 2008-04-15 04:00 2336768 ----a-w- c:\windows\system32\netshell.dll
2009-09-27 15:46 . 2008-04-15 04:00 2058240 ----a-w- c:\windows\system32\netplwiz.dll
2009-09-27 15:45 . 2008-04-15 04:00 336384 ----a-w- c:\windows\system32\mydocs.dll
2009-09-27 15:45 . 2008-04-15 04:00 108032 ----a-w- c:\windows\system32\mycomput.dll
2009-09-27 15:45 . 2008-04-15 04:00 460800 ----a-w- c:\windows\system32\mstask.dll
2009-09-27 15:45 . 2008-04-15 04:00 217088 ----a-w- c:\windows\system32\msiexec.exe
2009-09-27 15:45 . 2008-04-15 04:00 3011072 ----a-w- c:\windows\system32\msi.dll
2009-09-27 15:45 . 2008-04-15 04:00 55808 ----a-w- c:\windows\system32\msident.dll
2009-09-27 15:45 . 2008-04-15 04:00 1512960 ----a-w- c:\windows\system32\msgina.dll
2009-09-27 15:45 . 2008-04-15 04:00 305664 ----a-w- c:\windows\system32\msctf.dll
2009-09-27 15:45 . 2008-04-15 04:00 20992 ----a-w- c:\windows\system32\msdtc.exe
.

------- Sigcheck -------

[-] 2009-09-27 . EC5B4798DBF53403EB82553CD43CB7E2 . 1789952 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-09-27 . EB764361FE5112298C70B5CE46260F89 . 30208 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-11-22_00.16.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 21:07 . 2009-11-30 21:07 16384 c:\windows\Temp\Perflib_Perfdata_6ac.dat
+ 2008-04-15 04:00 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
- 2008-04-15 04:00 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2008-06-24 17:26 . 2009-11-25 19:16 71980 c:\windows\system32\perfc009.dat
- 2008-06-24 17:26 . 2009-11-22 00:16 71980 c:\windows\system32\perfc009.dat
+ 2008-10-06 04:40 . 2008-04-14 15:10 96512 c:\windows\system32\drivers\atapi.sys
- 2008-04-14 15:10 . 2008-04-14 08:10 96512 c:\windows\system32\drivers\atapi.sys
- 2008-12-09 20:11 . 2009-11-22 00:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-09 20:11 . 2009-11-30 20:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-09 20:11 . 2009-11-22 00:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-09 20:11 . 2009-11-30 20:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-27 08:44 . 2009-11-27 08:44 21504 c:\windows\Installer\3b353d.msi
+ 2009-11-27 08:44 . 2009-11-27 08:44 27648 c:\windows\Installer\3b3538.msi
+ 2009-07-12 06:12 . 2009-07-12 06:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 06:09 . 2009-07-12 06:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 06:08 . 2009-07-12 06:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
- 2008-06-24 17:26 . 2009-11-22 00:16 442568 c:\windows\system32\perfh009.dat
+ 2008-06-24 17:26 . 2009-11-25 19:16 442568 c:\windows\system32\perfh009.dat
+ 2009-11-27 09:19 . 2009-11-27 09:17 149280 c:\windows\system32\javaws.exe
- 2009-08-04 20:19 . 2009-08-04 20:18 149280 c:\windows\system32\javaws.exe
+ 2009-11-27 09:19 . 2009-11-27 09:17 145184 c:\windows\system32\javaw.exe
- 2009-08-04 20:19 . 2009-08-04 20:18 145184 c:\windows\system32\javaw.exe
+ 2009-11-27 09:19 . 2009-11-27 09:17 145184 c:\windows\system32\java.exe
- 2009-08-04 20:19 . 2009-08-04 20:18 145184 c:\windows\system32\java.exe
- 2009-08-04 21:02 . 2009-08-04 20:55 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-08-04 21:02 . 2009-11-27 09:06 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-11-27 19:00 . 2009-11-27 19:00 796672 c:\windows\Installer\21659ef.msi
+ 2008-04-15 04:00 . 2009-07-31 15:05 1372672 c:\windows\system32\msxml6.dll
+ 2008-04-15 04:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2008-09-10 01:14 . 2009-07-31 15:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2009-08-05 07:35 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2009-11-27 09:17 . 2009-11-27 09:17 1757696 c:\windows\Installer\4d428.msi
+ 2009-11-27 08:52 . 2009-11-27 08:52 3940352 c:\windows\Installer\3b3542.msi
+ 2009-11-27 18:58 . 2009-11-27 18:58 9473024 c:\windows\Installer\21659de.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-30 442477]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-27 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"IDTSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2008-08-30 442477]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 604776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AWC"="c:\program files\AWC\AWC"
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" /min

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/5/2008 11:41 PM 112128]
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 16:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,a7,81,bb,f3,6f,27,4f,b0,78,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,a7,81,bb,f3,6f,27,4f,b0,78,24,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\wdigest.dll
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(948)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\windows\System32\cscui.dll
c:\windows\system32\btmmhook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-30 16:29
ComboFix-quarantined-files.txt 2009-11-30 21:29
ComboFix2.txt 2009-11-29 03:13
ComboFix3.txt 2009-11-27 08:18
ComboFix4.txt 2009-11-25 22:15
ComboFix5.txt 2009-11-30 21:14

Pre-Run: 7,432,720,384 bytes free
Post-Run: 7,393,820,672 bytes free

- - End Of File - - D540787A1D73247A140A8F5E5EC353EA
 
Good. Delete c:\program files\AntiMalware folder.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok
  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. You may re-enable Antivir now.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (if you choose Comodo: during installation uncheck "Install Comodo HopSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!). Both providers have support forums that help with configuration related questions.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
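The "Make your Internet Explorer more secure" steps above change six per-zone settings through the Custom Level dialog. Those settings are stored as numbered values under the Internet zone key (zone 3) for the current user, and the same change can be applied by importing a registry file. The fragment below is an added example, not part of the thread; it uses the action codes Microsoft documents for IE security zones (KB182569), where 0 = Enable, 1 = Prompt and 3 = Disable. The zone key path and action codes are taken from that documentation; nothing else is assumed.

```reg
Windows Registry Editor Version 5.00

; Internet zone (zone 3), current user. Values: 0 = Enable, 1 = Prompt, 3 = Disable
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
; Download signed ActiveX controls -> Prompt
"1001"=dword:00000001
; Download unsigned ActiveX controls -> Disable
"1004"=dword:00000003
; Initialize and script ActiveX controls not marked as safe -> Disable
"1201"=dword:00000003
; Installation of desktop items -> Prompt
"1800"=dword:00000001
; Launching programs and files in an IFRAME -> Prompt
"1804"=dword:00000001
; Navigate sub-frames across different domains -> Prompt
"1607"=dword:00000001
```

Save it with a .reg extension and double-click it (or run `regedit /s file.reg`), then restart Internet Explorer, which reads zone settings when it starts. Open Tools, Internet Options, Security, Custom Level afterwards to confirm the six entries show the values listed above; if a malware toolbar or policy has locked the zone settings, the Custom Level button is greyed out and the values should be checked in the registry directly.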
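The hosts file advice above only describes the blocking use of the file, but in a browser-hijack case the same file is also a place to look for the hijack itself: a blocklist entry points a domain at 127.0.0.1 or 0.0.0.0, whereas a malicious edit points a real site (Windows Update, an antivirus vendor) at a remote address. The script below is an added example written for this thread, not a tool from the thread or from the hosts-file project it links; the sample hosts file is constructed, the addresses are from documentation ranges, and PROTECTED_SUFFIXES is an assumed list of domains whose redirection should be treated as a hijack indicator.

```python
import ipaddress
import re

# Constructed sample hosts file (not taken from the thread). The middle lines are
# blocklist entries of the kind a downloaded hosts file adds; the two 203.0.113.45
# lines have the shape of a hijack; the 192.0.2.10 line is an ordinary local override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net
127.0.0.1       tracker.example.org   # blocked ad server
127.0.0.1       adserver.example.com
203.0.113.45    www.windowsupdate.com
203.0.113.45    update.microsoft.com
192.0.2.10      intranet.example.com
"""

# Assumed: domains that a cleaned machine must be able to reach. Any hosts entry
# that sends one of these somewhere other than loopback is reported as a hijack.
PROTECTED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "avira.com", "malwarebytes.org")

# One address, one or more hostnames, optional trailing '#' comment.
LINE_RE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping blank lines, comments and junk."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # not an address: malformed line, ignore it
            continue
        for name in m.group("names").split():
            yield ip, name.lower()


def classify(ip, name):
    """Label one entry: localhost, block (blackholed), hijack, or plain redirect."""
    if name == "localhost":
        return "localhost"
    if ip.is_loopback or ip.is_unspecified:   # 127.x.x.x / ::1 / 0.0.0.0
        return "block"
    if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "hijack"
    return "redirect"


def audit_hosts(text):
    """Group entries by class; 'hijack' entries are the ones to act on."""
    report = {"block": [], "hijack": [], "redirect": []}
    for ip, name in parse_hosts(text):
        kind = classify(ip, name)
        if kind in report:
            report[kind].append((str(ip), name))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for kind in ("hijack", "redirect", "block"):
        print(f"{kind}: {len(result[kind])} entries")
        for ip, name in result[kind]:
            print(f"  {ip:<15} {name}")
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` instead of SAMPLE_HOSTS; an entry in the hijack list means the file was edited to keep the machine from reaching that site and should be removed before re-running Windows Update. The DNS Client service loads the whole hosts file into its resolver cache, which is why a blocklist with thousands of entries slows some machines and why the instructions above set that service to Manual.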
 
I'm installing Comodo firewall. They bundle their antivirus in the same install, you stressed firewall only. Is there a reason to not install their antivirus or were you referring to the hopsurf part? They also have a secure DNS server that changes my primary/secondary DNS settings, should I avoid that also, and if so why?
 
You're welcome :)

Is there a reason to not install their antivirus or were you referring to the hopsurf part?
I'd stick with Antivir that you had installed there.

They also have a secure DNS server that changes my primary/secondary DNS settings, should I avoid that also, and if so why?
Good question. I've always trusted in my operator's DNS so can't say whether Comodo's solution would be any better.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 