0

My browser is being redirected to random sites when I click on search engine results. I can type the URL manually and get what I am looking for (if the entire URL is shown).

I have tried to find and remove it but it keeps coming back and depending on the virus scanner, it is giving me different virus names (Trend Micro- Vundo; Microsoft MSR Tool- Alureon; AdAware- NetSky) They say they've fixed the issue, but they are back shortly (with and without restart)

There are always two 'iexplorer.exe' process files running in the background when I restart my computer. I can delete them, but they come back when IE or Firefox is opened, in addition to the requested processes. I've tried starting with no add-ons, reset of IE8 settings- still have same issue. Now it seems to run even slower and some pages are loading really slow or hanging when links are clicked within a page.

Here is my Hijack This Log- Any help on what is illin' me would be appreciated!


Thanks in advance-
Dave 29


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:32 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\explorer.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {36FF719B-0446-48E6-9F0A-FF1409CA64B5} - (no file)
O2 - BHO: (no name) - {446624E1-B767-4443-AA6E-0F355CAFD21B} - (no file)
O2 - BHO: (no name) - {5D72DE28-94E9-4C44-84E1-5CCBF22C9C2A} - (no file)
O2 - BHO: (no name) - {6C1EABBE-6A3D-4A26-843B-C7E2C4F331A5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {9cd810da-a90d-a0c9-9704-989ab8a8eb48} - {84be8a8b-a989-4079-9c0a-d09aad018dc9} - (no file)
O2 - BHO: (no name) - {9CA40EBC-A76D-47AF-B399-433A228FDA55} - (no file)
O2 - BHO: (no name) - {AFA57BA3-F207-45B9-998B-55537C384818} - (no file)
O2 - BHO: (no name) - {B22C1F03-6071-4B2E-927B-7DE87587AF18} - (no file)
O2 - BHO: (no name) - {DD6170AD-D162-4D80-A458-8F51CE65F842} - (no file)
O2 - BHO: (no name) - {DF9DFFBD-C2C8-4E46-B86D-2179B9BE3441} - (no file)
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: (no name) - https://www.homeconvenience.com/app/images/hcsi.png
O24 - Desktop Component 1: (no name) - https://secure.comodo.net/trustlogo/images/cot_bgf0.gif

--
End of file - 8456 bytes

4
Contributors
33
Replies
34
Views
7 Years
Discussion Span
Last Post by crunchie
Featured Replies
  • Hi Dave, Please run MBA-M as per this linky and then post the log: [url]http://www.daniweb.com/forums/thread134865.html[/url] PP:) Read More

  • I would install all MS updates and then get one, good, antivirus and firewall. I personally use Comodo and am very happy with it. It is free too :). Note that only ONE AV should be running on a pc at any given time. ==== [b][u]Get rid of Combofix now … Read More

  • [QUOTE=kaninelupus;964983]Still doing a double-take on the recommendation of FF though (even if it [I]was[/I] shared with Opera :D )[/QUOTE] Still taking deep breaths :). At the end of the day though, even FF is better than IE :D Read More

0

I've downloaded and installed MBA-M from 2 different sites (Major Geeks and CNet Download) both have installed slowly and will not launch (process is shown running in background but it never gets past 3800K Memory Usage and not user interface screen appears)

Similar issue with ComboFix as well...

Any other suggestions or is there a trick to get it to run (I'll try to run it in safe mode?)

Thanks-
Dave 29

0

crunchie... that's random! But it's working... Results in a few

Dave

0

crunchie... that's random! But it's working... Results in a few

Great!
Is this Safe Mode?
Ideally, we'd like a Full Scan in Normal Windows boot.

If Safe Mode, let it run and we'll go from there once the scan wraps up.

PP:)

0

Here's the Quick Scan version...

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/30/2009 8:35:00 PM
mbam-log-2009-08-30 (20-34-56).txt

Scan type: Quick Scan
Objects scanned: 102582
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 24
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACbfpsmgrnal.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32 (Dialer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACbfpsmgrnal.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job (Rogue.AntiSpyware) -> No action taken.
C:\WINDOWS\system32\winccf32.dll (Dialer) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.

0

BTW that was Normal Boot Mode... Should I let the Malware Program fix these? or Just run it again in Complete Scan mode?

Dave

0

Here's the Quick Scan version...

You didn't have it remove the baddies . . .

Try another Full Scan and make sure that everything is checked, and click Remove Selected.

Then post us the new log plus a fresh HJT.

PP :)

EDIT: Normal Windows boot is what we want. Yes, you definitely want to remove the baddies ;)

0

Here we are...

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/30/2009 9:31:01 PM
mbam-log-2009-08-30 (21-31-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 199714
Time elapsed: 47 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 24
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACbfpsmgrnal.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{446624e1-b767-4443-aa6e-0f355cafd21b} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACbfpsmgrnal.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job (Rogue.AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winccf32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:10 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\crunchie.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {36FF719B-0446-48E6-9F0A-FF1409CA64B5} - (no file)
O2 - BHO: (no name) - {5D72DE28-94E9-4C44-84E1-5CCBF22C9C2A} - (no file)
O2 - BHO: (no name) - {6C1EABBE-6A3D-4A26-843B-C7E2C4F331A5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {9cd810da-a90d-a0c9-9704-989ab8a8eb48} - {84be8a8b-a989-4079-9c0a-d09aad018dc9} - (no file)
O2 - BHO: (no name) - {9CA40EBC-A76D-47AF-B399-433A228FDA55} - (no file)
O2 - BHO: (no name) - {AFA57BA3-F207-45B9-998B-55537C384818} - (no file)
O2 - BHO: (no name) - {B22C1F03-6071-4B2E-927B-7DE87587AF18} - (no file)
O2 - BHO: (no name) - {DD6170AD-D162-4D80-A458-8F51CE65F842} - (no file)
O2 - BHO: (no name) - {DF9DFFBD-C2C8-4E46-B86D-2179B9BE3441} - (no file)
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: (no name) - https://www.homeconvenience.com/app/images/hcsi.png
O24 - Desktop Component 1: (no name) - https://secure.comodo.net/trustlogo/images/cot_bgf0.gif

--
End of file - 7851 bytes


BTW- I Tried a quick search and the issue is still there- redirects to another search page.

Dave

0

I'm gonna call it a night. In reading some of the other posts, I noticed that some of the advice was to update the MalwareBytes database. I did update the program and are re-scanning. I'll have a little time in the morning to fix any items you may find if you post later on tonight. Other than that, I'll be back tomorrow evening. Thanks for the help so far!

Dave

0

A few more files were found here is the latest:

Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

8/31/2009 6:31:35 AM
mbam-log-2009-08-31 (06-31-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 203604
Time elapsed: 46 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\David\Local Settings\Application Data\Xenocode\ApplianceCaches\SyncMyCal.exe_v7820CBFE\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\Documents and Settings\David\Local Settings\Application Data\Xenocode\ApplianceCaches\SyncMyCal.exe_v7820CBFE\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

and the resulting Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:43 AM, on 8/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {36FF719B-0446-48E6-9F0A-FF1409CA64B5} - (no file)
O2 - BHO: (no name) - {5D72DE28-94E9-4C44-84E1-5CCBF22C9C2A} - (no file)
O2 - BHO: (no name) - {6C1EABBE-6A3D-4A26-843B-C7E2C4F331A5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {9cd810da-a90d-a0c9-9704-989ab8a8eb48} - {84be8a8b-a989-4079-9c0a-d09aad018dc9} - (no file)
O2 - BHO: (no name) - {9CA40EBC-A76D-47AF-B399-433A228FDA55} - (no file)
O2 - BHO: (no name) - {AFA57BA3-F207-45B9-998B-55537C384818} - (no file)
O2 - BHO: (no name) - {B22C1F03-6071-4B2E-927B-7DE87587AF18} - (no file)
O2 - BHO: (no name) - {DD6170AD-D162-4D80-A458-8F51CE65F842} - (no file)
O2 - BHO: (no name) - {DF9DFFBD-C2C8-4E46-B86D-2179B9BE3441} - (no file)
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: (no name) - https://www.homeconvenience.com/app/images/hcsi.png
O24 - Desktop Component 1: (no name) - https://secure.comodo.net/trustlogo/images/cot_bgf0.gif

--
End of file - 7858 bytes

BTW- Firefox appears to have normal search capabilities, IE8 is still redirecting. No more automatic launching of 'iexplorer.exe' on startup in the background. So, were getting better! :)

0

Also, try re-naming mbam.exe to crunchie.exe and see if it runs.

PP :)

Oh now that's very subtle.... I'll pay that one :D

@Dave29 - can you post in a copy of your Hosts file, as just wanting to be sure no redirects (which Firefox tends to ignore, but IE can't) left behind - although may still need to reset IE's homepage and clear cookies and other temp files just to be sure something subtle not sitting in there.

To open Hosts file, open Run (Winkey+R) and copy-paste the following:
%SystemRoot%\system32\drivers\etc\ and hit Enter

Open Notepad and simply drag-drop the Hosts file into it to open. Can you copy and paste ENTIRE contents in here for us? Maybe nothing, but worth a look :)

Also a little curious over results

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

And over those "no name" - "no file" references... what are your thoughts PP?

0

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host


That is all in the 'Hosts' file.

Dave

0

Hi Dave,

Try this:
Please download GooredFix
http://downloads.securitycadets.com/GooredFix.exe

* Double-click GooredFix.exe to run it.
* Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

PP :)

0

GooredFix by jpshortstuff (12.07.09)
Log created at 21:11 on 31/08/2009 (David)
Firefox version 3.0.10 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:43 26/12/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [12:25 13/05/2009]

-=E.O.F=-


It went really quick- Cmd screen flashed for only a second and this was it, no chance to select options though

0

ComboFix is not running either- same as MBA-M. I loads in the background to about 3600k memory and nothing.

I tried the rename thing and it still wouldnot load beyond the 3600k

Any other suggestions?


Dave

0

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Hi Dave -

I am a bit stretched thin, so I find that I am missing things - I didn't even see where you said Firefox doesn't re-direct.....

-- Did you reboot after running MBA-M?

The item in the quote is part of a very nasty infection - I am not sure if MBA-M will get it.
Something like this compromises any online banking and credit card info - you might want to check your banking info and change any passwords (from a clean compy, of course).

-- If you are able, please try to run SDFix from the linky below and post the log:
http://www.bleepingcomputer.com/forums/topic131299.html

I'll try to check back as time permits. Hopefully some of the other volunteers will be back soon - I'm stretched a bit thin between real work and Forums.

PP :)

0

Oh bugger, missed the last couple of responses (my fault for scanning quickly)... just got home from work so dived in :$

Have called in Crunchie as given clean hosts file and suspicions over "no file/no name" entries, am thinking might be a Combo Fix job which I know is his speciality (given regular tactics at running this utility have hit a wall, may be esp needed). Hold tight mate :)

NB: No offence PP, but know how tight your schedule is through the week :)

0

No problem PP- I can see that you are working your butt off! I also appreciate your (and all the others) vounteer time to help me out, so waiting a little bit is not a problem.

I did get ComboFix to run finally. I fell asleep and forgot where it said the log was stored. The notepad log that was on my computer this morning was blank though.

I did a quick check this morning and IE search capabilities are (appear to be) back to normal. (Search google, click through and actually get the page I'm looking for).

Unfortunately, I work away from my computer all day. I'll do another HJT Log and MBAM for your analysis.

0

ComboFix is not running either- same as MBA-M. I loads in the background to about 3600k memory and nothing.

I tried the rename thing and it still wouldnot load beyond the 3600k

Any other suggestions?

Dave

As PP said, have a go at running SDFix (although AFAIK, it has not been updated since late last year) and post it's log.

Scan with HijackThis and then place a check next to all the following, if present:

[color=#9933cc][b] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  [/b][/color] 
[color=#9933cc][b] R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  [/b][/color] 
[color=#9933cc][b] R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 [/b][/color] 

 O2 - BHO: (no name) - {36FF719B-0446-48E6-9F0A-FF1409CA64B5} - (no file)
 O2 - BHO: (no name) - {5D72DE28-94E9-4C44-84E1-5CCBF22C9C2A} - (no file)
 O2 - BHO: (no name) - {6C1EABBE-6A3D-4A26-843B-C7E2C4F331A5} - (no file)
 O2 - BHO: {9cd810da-a90d-a0c9-9704-989ab8a8eb48} - {84be8a8b-a989-4079-9c0a-d09aad018dc9} - (no file) 
 O2 - BHO: (no name) - {9CA40EBC-A76D-47AF-B399-433A228FDA55} - (no file)
 O2 - BHO: (no name) - {AFA57BA3-F207-45B9-998B-55537C384818} - (no file)
 O2 - BHO: (no name) - {B22C1F03-6071-4B2E-927B-7DE87587AF18} - (no file)
 O2 - BHO: (no name) - {DD6170AD-D162-4D80-A458-8F51CE65F842} - (no file)
 O2 - BHO: (no name) - {DF9DFFBD-C2C8-4E46-B86D-2179B9BE3441} - (no file)

 O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

Also try the following to get combofix going;

  • Click START then RUN
  • Now type Combofix in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Now, download ComboFix again from HERE or HERE

  • You must rename combofix BEFORE saving it to your pc.
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Edited by mike_2000_17: Fixed formatting

Attachments CF_download_rename.gif 19.12 KB
0

I did get ComboFix to run finally. I fell asleep and forgot where it said the log was stored. The notepad log that was on my computer this morning was blank though.

I missed this post of yours, thus my previous reply.

You will find the Combofix log at C:\qoobox.

0

There was no Combo FixLog when it was done. It restarted and the notepad opened, but nothing was written to the file, and the file was not saved. Here is the quarantined files log.

2009-09-01 04:28:20 . 2009-09-01 04:28:20 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{DF9DFFBD-C2C8-4E46-B86D-2179B9BE3441}.reg.dat
2009-09-01 04:28:20 . 2009-09-01 04:28:20 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{DD6170AD-D162-4D80-A458-8F51CE65F842}.reg.dat
2009-09-01 04:28:20 . 2009-09-01 04:28:20 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{B22C1F03-6071-4B2E-927B-7DE87587AF18}.reg.dat
2009-09-01 04:28:20 . 2009-09-01 04:28:20 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{AFA57BA3-F207-45B9-998B-55537C384818}.reg.dat
2009-09-01 04:28:19 . 2009-09-01 04:28:20 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{9CA40EBC-A76D-47AF-B399-433A228FDA55}.reg.dat
2009-09-01 04:28:19 . 2009-09-01 04:28:19 352 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{84be8a8b-a989-4079-9c0a-d09aad018dc9}.reg.dat
2009-09-01 04:28:19 . 2009-09-01 04:28:19 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{6C1EABBE-6A3D-4A26-843B-C7E2C4F331A5}.reg.dat
2009-09-01 04:28:19 . 2009-09-01 04:28:19 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{5D72DE28-94E9-4C44-84E1-5CCBF22C9C2A}.reg.dat
2009-09-01 04:28:18 . 2009-09-01 04:28:18 308 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{36FF719B-0446-48E6-9F0A-FF1409CA64B5}.reg.dat
2009-09-01 03:39:40 . 2009-09-01 03:39:40 3,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Iprip.reg.dat
2009-09-01 03:39:40 . 2009-09-01 03:39:40 1,016 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_IPRIP.reg.dat
2009-09-01 03:39:19 . 2009-09-01 03:39:19 8,349 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-01 03:18:51 . 2009-09-01 03:19:11 1,130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_UACd.sys.reg.dat
2009-09-01 03:18:47 . 2009-09-01 03:18:47 1,305 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_SKYNEToyktexyl.reg.dat
2009-09-01 03:12:46 . 2009-09-01 03:12:46 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-09-01 00:26:21 . 2009-09-01 00:26:21 43 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETitnmpjwm.dat.vir
2009-08-23 11:32:23 . 2009-08-25 01:20:43 264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfhqpxxnbmq.log.vir
2009-08-12 04:25:10 . 2009-08-31 10:36:37 19,968 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbfpsmgrnal.dll.vir
2009-08-12 04:25:08 . 2009-08-12 04:25:08 30,208 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACelyabuqpix.dll.vir
2009-08-12 04:25:04 . 2009-08-23 14:41:42 54,784 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACymovdksiey.sys.vir
2009-08-12 04:24:56 . 2009-08-12 04:25:07 1,110,399 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkhbfsktamx.db.vir
2009-08-12 04:24:54 . 2009-08-31 10:36:37 174 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtvshhldgcj.dat.vir
2009-08-12 04:24:51 . 2009-09-01 00:27:54 6,580 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\uacinit.dll.vir
2009-08-12 04:24:50 . 2009-09-01 00:27:52 74,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjrowpjwcrt.dll.vir
2009-08-12 04:24:42 . 2009-08-12 04:24:42 26,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfwxnklltow.dll.vir
2009-08-12 04:24:40 . 2009-08-12 04:24:40 54,784 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACrrndribrqp.sys.vir
2009-08-12 04:24:34 . 2009-08-12 04:24:34 10 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\run.log.vir
2009-08-12 04:15:31 . 2009-08-12 04:15:31 20,480 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETiytjkgkk.dll.vir
2009-08-12 04:14:37 . 2009-09-01 00:26:21 727,823 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETxrqsnufv.dat.vir
2009-08-12 04:14:37 . 2009-08-12 04:14:37 44,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETqvnrjkxy.dll.vir
2009-08-12 04:14:37 . 2009-08-12 04:14:37 70,656 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETcbaivasw.sys.vir
2009-08-09 03:02:03 . 2009-08-09 03:02:03 1,697,792 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\26b84a.msp.vir
2008-07-30 02:28:10 . 2008-07-30 02:28:10 278,016 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57b0.msp.vir
2008-07-30 02:23:12 . 2008-07-30 02:23:12 250,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57b2.msp.vir
2008-07-30 02:15:12 . 2008-07-30 02:15:12 3,697,664 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57ad.msp.vir
2008-07-30 02:07:20 . 2008-07-30 02:07:20 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57a9.msp.vir
2008-07-30 01:37:56 . 2008-07-30 01:37:56 2,679,808 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57af.msp.vir
2008-07-30 01:22:42 . 2008-07-30 01:22:42 4,137,984 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57ab.msp.vir
2008-07-30 00:40:38 . 2008-07-30 00:40:38 291,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57ae.msp.vir
2008-07-30 00:34:28 . 2008-07-30 00:34:28 1,448,448 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57ac.msp.vir
2008-07-30 00:26:26 . 2008-07-30 00:26:26 1,043,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57b1.msp.vir
2008-07-30 00:18:48 . 2008-07-30 00:18:48 3,376,640 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\23f57aa.msp.vir
2008-05-25 21:09:22 . 2008-05-25 21:09:22 2,191,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3548d.msi.vir
2008-02-16 23:48:23 . 2008-02-16 23:48:23 294 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wsmjwxuj.ini.vir
2008-02-15 02:28:47 . 2008-02-15 11:47:34 654 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xsnnmwvv.ini.vir
2008-02-12 22:10:50 . 2008-02-15 11:39:18 497,924 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini2.vir
2008-02-12 22:10:42 . 2008-02-15 11:41:46 497,975 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini.vir
2008-02-12 17:46:10 . 2008-02-12 18:02:23 354 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ymkvxvna.ini.vir
2008-02-10 14:30:57 . 2008-02-10 14:31:08 534 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xppgujjn.ini.vir
2008-01-30 23:50:40 . 2008-01-31 00:47:37 1,181,047 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yihifasj.ini.vir
2008-01-29 23:45:52 . 2008-01-30 01:48:04 1,167,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wfsrxwps.ini.vir
2008-01-28 23:52:41 . 2008-01-29 11:18:04 1,162,207 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yyrdothg.ini.vir
2008-01-27 17:18:24 . 2008-01-27 17:18:36 1,142,572 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xnnoiqqc.ini.vir
2007-12-03 03:58:20 . 2008-10-28 22:13:53 2,453 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\dep32ceg.dll.vir
2007-12-03 03:58:20 . 2008-10-28 22:13:53 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\spr32snl.dll.vir
2007-12-03 03:58:20 . 2008-10-28 22:13:53 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\iopa32ul.dll.vir
2007-12-03 03:58:20 . 2008-10-28 22:13:52 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\iopb32ul.dll.vir
2007-08-10 01:04:08 . 2003-07-06 19:07:52 372,736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\IJL11.DLL.vir
2005-12-11 18:58:55 . 2005-01-07 00:56:02 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\emMon.exe.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\11ba54.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1a488.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1a4c6.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\248557a.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3dc76d0.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3dc770e.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4e6ac3a.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\5e3ef4.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\d0a072.msp.vir
2004-08-19 15:07:03 . 2004-08-05 01:00:00 2,804,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000111_.tmp.dll.vir
1998-09-04 04:09:08 . 1998-09-04 04:09:08 119,400 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir
1994-09-20 19:26:18 . 1994-09-20 19:26:18 5,288 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Fonts\AatrixMICR.ttf.vir


This was the MBA-M from this morning. (took forever to run- had to leave before it was complete)

Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

9/1/2009 7:52:05 PM
mbam-log-2009-09-01 (19-52-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 204061
Time elapsed: 2 hour(s), 7 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETiytjkgkk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETqvnrjkxy.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbfpsmgrnal.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfwxnklltow.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjrowpjwcrt.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETcbaivasw.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACrrndribrqp.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99846750-3D6C-435C-BE02-4C94CF5C7EF4}\RP0\A0000001.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99846750-3D6C-435C-BE02-4C94CF5C7EF4}\RP0\A0000002.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99846750-3D6C-435C-BE02-4C94CF5C7EF4}\RP0\A0000003.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99846750-3D6C-435C-BE02-4C94CF5C7EF4}\RP0\A0000004.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99846750-3D6C-435C-BE02-4C94CF5C7EF4}\RP0\A0000005.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99846750-3D6C-435C-BE02-4C94CF5C7EF4}\RP0\A0000006.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{99846750-3D6C-435C-BE02-4C94CF5C7EF4}\RP0\A0000008.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


Looks to me like it was picking up on the quarantined files from last night's Combofix run.

I'll run the HJT now and post in another reply (with your suggested fixes applied)

Thanks

Dave

0

Can you do another combofix run and post the log it produces (if it does). Will need to have a look at it's contents.

0

Will do another combofix run. In the meantime... Here is the HJT Log just ran- I made the fixes, all the BHO's were gone.

I'll post the Combofix in a little bit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:07 PM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - https://www.homeconvenience.com/app/images/hcsi.png
O24 - Desktop Component 1: (no name) - https://secure.comodo.net/trustlogo/images/cot_bgf0.gif

--
End of file - 6774 bytes


Dave

0

That was quick! Here is the Combofix Log:

ComboFix 09-09-01.04 - David 09/01/2009 20:20.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1519.972 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\Combos.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-08-31 00:28 . 2009-08-31 00:28 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2009-08-30 22:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 22:40 . 2009-08-31 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 22:40 . 2009-08-30 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 22:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 18:59 . 2009-08-30 19:00 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-08-30 15:43 . 2009-08-12 16:56 574728 ----a-w- c:\documents and settings\All Users\Application Data\Trend Micro\OL\tmaseng.dll
2009-08-21 02:47 . 2009-08-21 02:47 -------- d-----w- C:\VundoFix Backups
2009-08-20 10:31 . 2009-08-20 10:31 -------- dc-h--w- c:\windows\ie8
2009-08-20 02:12 . 2009-08-20 02:12 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-20 01:11 . 2009-08-20 01:46 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-20 01:11 . 2009-08-20 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-08-13 00:46 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 19:53 . 2009-08-12 19:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-12 17:21 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-08-12 17:21 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-08-12 17:21 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-12 17:20 . 2009-08-12 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-12 16:56 . 2009-08-12 16:56 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-08-12 16:56 . 2009-08-12 16:56 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2009-08-12 16:56 . 2009-05-22 08:02 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-08-12 16:56 . 2009-05-22 08:00 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-08-12 16:56 . 2009-05-22 07:45 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-08-12 16:00 . 2009-08-12 16:00 -------- d-----w- c:\documents and settings\David\log
2009-08-12 15:48 . 2009-08-12 15:48 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-12 15:48 . 2009-08-12 15:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-12 04:16 . 2009-08-12 04:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 20:07 . 2005-12-11 18:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 20:04 . 2008-06-17 00:50 -------- d-----w- c:\program files\ItsDeductibleEX
2009-08-30 16:07 . 2008-01-28 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-29 23:56 . 2008-05-25 20:58 -------- d-----w- c:\program files\Trend Micro
2009-08-23 12:25 . 2008-02-02 12:05 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-20 02:12 . 2008-09-23 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-20 02:12 . 2008-09-23 11:43 -------- d-----w- c:\program files\NOS
2009-08-20 01:44 . 2006-08-12 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-14 19:40 . 2008-08-29 10:39 -------- d-----w- c:\program files\Beta DataFerrett Application
2009-08-05 09:01 . 2004-08-19 15:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-19 15:06 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 22:17 . 2009-07-15 22:17 -------- d-----w- c:\program files\iTunes
2009-07-15 22:17 . 2009-07-15 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-15 22:17 . 2009-07-15 22:17 -------- d-----w- c:\program files\iPod
2009-07-15 22:17 . 2007-09-17 16:55 -------- d-----w- c:\program files\Common Files\Apple
2009-07-15 22:14 . 2009-07-15 22:13 -------- d-----w- c:\program files\QuickTime
2009-07-15 22:06 . 2009-07-15 22:06 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-14 03:43 . 2004-08-19 15:07 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:41 . 2009-07-04 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\2F213
2009-07-03 17:09 . 2004-08-19 15:07 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-19 15:07 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-19 15:07 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-19 15:07 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-19 15:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-19 15:07 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-19 15:07 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-19 15:07 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-19 15:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-19 15:06 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-19 15:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-19 15:06 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-12-11 18:19 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-19 15:07 132096 ----a-w- c:\windows\system32\wkssvc.dll
2006-11-25 01:17 . 2006-11-25 01:18 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-01_04.19.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-20 15:48 . 2009-03-20 15:48 183808 c:\windows\Installer\322f3.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wireless Console 2"="c:\program files\ASUS\Wireless Console 2\wcourier.exe" [2005-08-23 987136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-19 737369]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-08-29 102400]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-07-23 356352]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-08-12 492808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 03:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156564357\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156564357\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ASUS\\Wireless Console 2\\wcourier.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [10/1/2007 6:02 PM 13608]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/12/2009 1:21 PM 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [8/12/2009 1:21 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/12/2009 12:56 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [8/12/2009 1:21 PM 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/12/2009 12:56 PM 335376]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [5/28/2006 12:58 AM 5824]
S3 bfastfao;bfastfao;\??\c:\docume~1\David\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\David\LOCALS~1\Temp\bfastfao.sys [?]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/19/2004 11:07 AM 14336]
S3 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-09-01 c:\windows\Tasks\User_Feed_Synchronization-{23A725DF-125B-4C92-8261-996621B4982D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://news.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\luh8f7vl.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSSdk21]
"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1740)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3076)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-02 20:35
ComboFix-quarantined-files.txt 2009-09-02 00:34

Pre-Run: 12,680,441,856 bytes free
Post-Run: 12,649,691,648 bytes free

218 --- E O F --- 2009-09-02 00:10


Dave

0

seems to be working now. No extra IE launches and search goes to where I am looking (no redirects).

Should I do any anything else to be sure it will not reload?


Dave

1

I would install all MS updates and then get one, good, antivirus and firewall.
I personally use Comodo and am very happy with it. It is free too :).
Note that only ONE AV should be running on a pc at any given time.

====

Get rid of Combofix now that we are finished with it.


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.

I would also turn off system restore (if you are happy that things are back to normal), then re-enable it again. You may wish to wait a couple of days before doing this though.

==

Also consider ditching IE and go for something like Opera, or FF.

Votes + Comments
Thanks HUGELY for your eyes on this one... saved the OP a lot of stress. Thankyou :)
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.