0

Hi Gerbil,

I have the same problem like nmslagle, keep having the address redirected to fake address. can you help to check my log, below is my log.
I use FireFox as my browser.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:21, on 10/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Navision\Client\INSTAL~1.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\FSantoso4859\Desktop\12549\imaBunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\svchost.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Waiting1690] C:\Windows\stid1690.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TecturaCorp.net
O17 - HKLM\Software\..\Telephony: DomainName = TecturaCorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TecturaCorp.net
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\Navision\Client\INSTAL~1.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service dmadminHKHKG-SXF4859N1-SQL (dmadminHKHKG-SXF4859N1-SQL) - Unknown owner - C:\WINDOWS\system32\1033u.exe (file missing)
O23 - Service: Logical Disk Manager dmserverHKHKG-SXF4859N1-SQL (dmserverHKHKG-SXF4859N1-SQL) - Unknown owner - C:\WINDOWS\system32\ahuiu.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager RDSessMgrlanmanworkstation (RDSessMgrlanmanworkstation) - Unknown owner - C:\WINDOWS\system32\1037sb.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

--
End of file - 12549 bytes

4
Contributors
25
Replies
26
Views
8 Years
Discussion Span
Last Post by poorrich
Featured Replies
  • [QUOTE=ferrysb;1031288] I have the same problem like nmslagle, keep having the address redirected to fake address. can you help to check my log, below is my log.[/QUOTE] Please do the following: Download [url= http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button][color=Green][b]Malwarebytes' Anti-Malware (MBA-M)[/b][/color][/url] to your Desktop. [INDENT][list][*]DoubleClick [b]mbam-setup.exe[/b] and follow the prompts to install MBA-M. [*]Be sure … Read More

1

I have the same problem like nmslagle, keep having the address redirected to fake address. can you help to check my log, below is my log.

Please do the following:

Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Please post the MBAM and DDS logs for us. One of the regular volunteers should check back as time permits.

Cheers :)
PP

Edited by crunchie: Edited because both posts were moved.

Votes + Comments
Thanks for your help to solved the redirected firefox :)
0

Please do the following:

Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Please post the MBAM and DDS logs for us. One of the regular volunteers should check back as time permits.

Cheers :)
PP

Thanks for your response.
I did what you said, i use MBAM and DDS, attached is my log.

Please help me to check it

Thanks a lot guys.......


Malwarebytes' Anti-Malware 1.41
Database version: 3059
Windows 5.1.2600 Service Pack 2

10/30/2009 17:22:16
mbam-log-2009-10-30 (17-22-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 237286
Time elapsed: 56 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{y101y238-s37i-3bv5-f7i2-r5o5yr7rpe2w} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\svchost.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\FSantoso4859\Local Settings\Temp\a.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

Edited by crunchie: Paste in log

Attachments
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/18/2008 17:01:31
System Uptime: 10/30/2009 20:58:33 (1 hours ago)

Motherboard: LENOVO |  | 7673BF9
Processor: Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz | None | 1995/200mhz
Processor: Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz | None | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 106 GiB total, 18.743 GiB free.
D: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP500: 10/16/2009 16:53:31 - System Checkpoint
RP501: 10/16/2009 16:53:32 - System Checkpoint
RP502: 10/16/2009 16:53:32 - System Checkpoint
RP503: 10/16/2009 16:53:32 - System Checkpoint
RP504: 10/16/2009 16:53:33 - System Checkpoint
RP505: 10/16/2009 16:53:33 - System Checkpoint
RP506: 10/16/2009 16:53:33 - System Checkpoint
RP507: 10/16/2009 16:53:33 - System Checkpoint
RP508: 10/16/2009 16:53:34 - System Checkpoint
RP509: 10/16/2009 16:53:34 - System Checkpoint
RP510: 10/16/2009 16:53:34 - System Checkpoint
RP511: 10/16/2009 16:53:35 - System Checkpoint
RP512: 10/16/2009 16:53:35 - System Checkpoint
RP513: 10/16/2009 16:53:35 - System Checkpoint
RP514: 10/16/2009 16:53:36 - System Checkpoint
RP515: 10/16/2009 16:53:36 - System Checkpoint
RP516: 10/16/2009 16:53:36 - System Checkpoint
RP517: 10/16/2009 16:53:37 - System Checkpoint
RP518: 10/16/2009 16:53:37 - System Checkpoint
RP519: 10/16/2009 16:53:37 - System Checkpoint
RP520: 10/16/2009 16:53:38 - System Checkpoint
RP521: 10/16/2009 16:53:38 - System Checkpoint
RP522: 10/16/2009 16:53:38 - System Checkpoint
RP523: 10/16/2009 16:53:39 - System Checkpoint
RP524: 10/16/2009 16:53:39 - Removed Cisco Systems VPN Client 5.0.00.0340
RP525: 10/16/2009 16:53:40 - Installed product_name_not_used
RP526: 10/16/2009 16:53:40 - Removed product_name_not_used
RP527: 10/16/2009 16:53:41 - System Checkpoint
RP528: 10/16/2009 16:53:41 - System Checkpoint
RP529: 10/16/2009 16:53:41 - System Checkpoint
RP530: 10/16/2009 16:53:42 - System Checkpoint
RP531: 10/16/2009 16:53:42 - System Checkpoint
RP532: 10/16/2009 22:19:35 - System Checkpoint
RP533: 10/16/2009 23:24:08 - Configured PhotoNow
RP534: 10/18/2009 00:51:32 - System Checkpoint
RP535: 10/18/2009 13:29:55 - Installed Cisco Systems VPN Client 5.0.00.0340
RP536: 10/19/2009 20:39:21 - System Checkpoint
RP537: 10/20/2009 23:21:32 - Installed Windows XP KB942288-v3.
RP538: 10/21/2009 21:41:04 - Installed Windows XP WIC.
RP539: 10/21/2009 21:52:10 - Installed Windows KB954550-v5.
RP540: 10/21/2009 21:52:21 - Printer Driver Microsoft XPS Document Writer Installed
RP541: 10/21/2009 21:52:34 - Printer Driver Microsoft XPS Document Writer Installed
RP542: 10/22/2009 22:21:43 - System Checkpoint
RP543: 10/24/2009 10:56:15 - System Checkpoint
RP544: 10/26/2009 10:02:59 - System Checkpoint
RP545: 10/27/2009 17:08:16 - System Checkpoint
RP546: 10/28/2009 23:42:29 - System Checkpoint

==== Installed Programs ======================

Torrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
3 DataModem HSDPA
7-Zip 4.57
ACDSee 5.0 Standard
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avanquest update
AviSynth 2.5
Bonjour
Cisco Systems VPN Client 5.0.00.0340
Citrix XenApp Web Plugin
CutePDF Writer 2.7
Developer's Toolkit for Microsoft Dynamics NAV
FlashGet(JetCar)
FLV Player 2.0, build 24
GDR 1406 for SQL Server Database Services 2005 ENU (KB932557)
GDR 1406 for SQL Server Integration Services 2005 ENU (KB932557)
GDR 1406 for SQL Server Tools and Workstation Components 2005 ENU (KB932557)
GunboundWC
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
IrfanView (remove only)
iTunes
Java(TM) 6 Update 5
JPEG Camera v1.02
K-Lite Codec Pack 4.4.5 (Full)
LibUSB-Win32-0.1.12.1
LS Retail Toolbox
Malwarebytes' Anti-Malware
Megaupload Toolbar
MetaFrame Presentation Server Web Client for Win32
Microsoft  File Transfer Manager
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Dynamics NAV 5.0 CSIDE Client
Microsoft Dynamics NAV 5.0 SP1 Application Server
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders  (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Analysis Services
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English)
Microsoft SQL Server 2005 Integration Services
Microsoft SQL Server 2005 Tools
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
MobileMe Control Panel
Motorola Driver Installation 3.7.0
Mozilla Firefox (3.5.4)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
On Screen Display
QuickFreedom 1.2.0
QuickTime
Real Alternative 1.7.5
Safari
SAMSUNG CDMA Modem Driver Set
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP
Malwarebytes' Anti-Malware 1.41
Database version: 3059
Windows 5.1.2600 Service Pack 2

10/30/2009 17:22:16
mbam-log-2009-10-30 (17-22-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 237286
Time elapsed: 56 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{y101y238-s37i-3bv5-f7i2-r5o5yr7rpe2w} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\svchost.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\FSantoso4859\Local Settings\Temp\a.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
0

Thanks a lot guys.......

Happy to help :)

-- I need to see the DDS.txt
Run it again and copy and paste that into your reply.
I don't need another attach.txt. Just the DDS.txt.

I will check back as time permits over the weekend.

PP :)

0

Thanks for your response.
I did what you said, i use MBAM and DDS, attached is my log.

Please just paste your logs into your reply (do not attach) unless requested to do otherwise.

0

Happy to help :)

-- I need to see the DDS.txt
Run it again and copy and paste that into your reply.
I don't need another attach.txt. Just the DDS.txt.

I will check back as time permits over the weekend.

PP :)

ah, sorry, here we go, the DDS.txt
thanks...

DDS (Ver_09-10-26.01) - NTFSx86
Run by FSantoso4859 at 8:40:31.51 on Sat 10/31/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1190 [GMT 8:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Navision\Client\INSTAL~1.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\msiexec.exe
svchost.exe "C:\WINDOWS\system32\ahuiu.exe"
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\FSantoso4859\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\progra~1\flashget\jccatch.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [P2kAutostart]
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [TrackPointSrv] tp4mon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\fsanto~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
mPolicies-system: EnableLUA = 0 (0x0)
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\mbs
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fsanto~1\applic~1\mozilla\firefox\profiles\papnscwi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://hk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-3-18 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-3-18 38528]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-3-18 4442]
R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\navision\client\INSTAL~1.EXE [2007-4-3 217215]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-6-3 80936]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-14 11152]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-10-21 28672]
S2 dmadminHKHKG-SXF4859N1-SQL;Logical Disk Manager Administrative Service dmadminHKHKG-SXF4859N1-SQL;c:\windows\system32\1033u.exe srv --> c:\windows\system32\1033u.exe srv [?]
S2 dmserverHKHKG-SXF4859N1-SQL;Logical Disk Manager dmserverHKHKG-SXF4859N1-SQL;c:\windows\system32\ahuiu.exe srv --> c:\windows\system32\ahuiu.exe srv [?]
S2 RDSessMgrlanmanworkstation;Remote Desktop Help Session Manager RDSessMgrlanmanworkstation;c:\windows\system32\1037sb.exe srv --> c:\windows\system32\1037sb.exe srv [?]
S2 RDSessMgrW3SVC;Remote Desktop Help Session Manager RDSessMgrW3SVC;c:\windows\system32\1037su.exe srv --> c:\windows\system32\1037su.exe srv [?]
S2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
S2 SpoolerHKHKG-SXF4859N1-CLASSIC;Print Spooler SpoolerHKHKG-SXF4859N1-CLASSIC;c:\windows\system32\ac3acmq.exe srv --> c:\windows\system32\ac3acmq.exe srv [?]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [2007-8-29 153344]
S3 HeathDev;Application Server for Microsoft Dynamics NAV HeathDev;c:\navision\application server\nassql.exe [2009-8-28 1930360]
S3 HeathDev_2;Application Server for Microsoft Dynamics NAV HeathDev_2;c:\navision\application server 2\nassql.exe [2009-8-28 1930360]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-3-11 42112]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ZSMC302;PLEOMAX PWC-3800;c:\windows\system32\drivers\usbvm302.sys --> c:\windows\system32\drivers\usbvm302.sys [?]
S4 HKHKG-SXF4859N1-CLASSIC;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-CLASSIC;c:\program files\microsoft dynamics nav\application server\nas.exe [2008-2-14 1860728]
S4 HKHKG-SXF4859N1-SQL;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-SQL;c:\program files\microsoft dynamics nav\application server\nassql.exe [2008-2-14 1930360]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-1-13 14976]

=============== Created Last 30 ================

2009-10-27 11:11:08 32256 ----a-w- C:\Item Create 01.xls
2009-10-27 11:11:08 100864 ----a-w- C:\Item Amend Test Case.xls
2009-10-26 15:31:30 121344 ----a-w- C:\Outstanding Task List.xls
2009-10-23 12:57:38 0 d-----w- c:\program files\WinSCP
2009-10-21 14:33:39 43520 ----a-w- c:\windows\system32\libusb0.dll
2009-10-21 14:33:39 28672 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-10-21 14:33:39 0 d-----w- c:\program files\LibUSB-Win32
2009-10-21 14:29:00 933888 ----a-w- c:\windows\system32\SENXPCTL.OCX
2009-10-21 14:29:00 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2009-10-21 14:28:59 65536 ----a-w- c:\windows\system32\device.OCX
2009-10-21 14:28:59 32768 ----a-w- c:\windows\system32\Bar.OCX
2009-10-21 14:28:59 224016 ----a-w- c:\windows\system32\tabctl32.OCX
2009-10-21 14:28:59 140096 ----a-w- c:\windows\system32\COMDLG32.OCX
2009-10-21 14:28:59 0 d-----w- c:\program files\QuickFreedom
2009-10-21 14:26:12 0 d-----w- c:\docume~1\alluse~1\applic~1\iPodtoComputer
2009-10-21 14:25:49 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-10-21 14:25:48 6144 ----a-w- c:\windows\system32\ff_acm.acm
2009-10-21 14:25:44 499712 ----a-w- c:\windows\system32\MSVCP71.DLL
2009-10-21 14:25:44 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-10-21 14:25:41 0 d-----w- c:\program files\Cucusoft
2009-10-21 14:23:35 0 d-----w- c:\docume~1\fsanto~1\applic~1\GetRightToGo
2009-10-21 13:53:13 0 d-----w- c:\windows\system32\XPSViewer
2009-10-21 13:51:57 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-21 13:51:56 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-21 13:51:56 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-21 13:51:56 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-21 13:51:56 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-21 13:51:56 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-21 13:51:56 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-21 13:51:56 0 d-----w- C:\36300c4706e967932a170e731a941f
2009-10-21 13:51:14 0 d-----w- c:\windows\SxsCaPendDel
2009-10-17 14:00:02 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-10-16 08:53:49 104 --s-a-w- c:\windows\system32\440199740.dat
2009-10-15 01:57:45 9254180 ----a-w- C:\Item Master Templates_20091008_Item - Some Fields + 1500 error records.xlsx
2009-10-12 03:23:35 0 d-----w- c:\program files\Millennium Trader 4
2009-10-09 02:36:29 0 d-----w- c:\docume~1\fsanto~1\applic~1\Malwarebytes
2009-10-09 02:36:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 02:36:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 02:36:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-09 02:36:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 15:39:57 0 d-----w- c:\program files\common files\Deterministic Networks
2009-10-02 12:24:05 0 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-10-02 12:23:06 0 d-----w- c:\program files\Microsoft

==================== Find3M ====================

2009-09-13 14:44:22 64796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-28 11:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-06 11:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 11:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2006-02-28 12:00:00 61952 --sh--r- c:\windows\system32\1037su.exe
2006-02-28 12:00:00 61952 --sh--r- c:\windows\system32\ac3acmq.exe
2006-02-28 12:00:00 61952 --sh--r- c:\windows\system32\ahuiu.exe

============= FINISH: 8:41:34.43 ===============

Edited by ferrysb: n/a

0

ah, sorry, here we go, the DDS.txt
thanks...

Sorry for the late reply - busy weekend.

I do not see much there - A few things I do not recognize, but that doesn't make them baddies...

-- You do need to update your Java and Adobe Reader and remove the old versions.

How are things running now? Are you still being redirected?

PP :)

0

Sorry for the late reply - busy weekend.

I do not see much there - A few things I do not recognize, but that doesn't make them baddies...

-- You do need to update your Java and Adobe Reader and remove the old versions.

How are things running now? Are you still being redirected?

PP :)

Thanks for the reply.

i just tried my firefox. it still redirected. I don't know about the common symptom for this spyware, but I will get redirected if i search using the google toolbar, and right click on the result to open on new tab. it will get redirected to another site...

thanks.

0

i just tried my firefox. it still redirected. I don't know about the common symptom for this spyware, but I will get redirected if i search using the google toolbar, and right click on the result to open on new tab. it will get redirected to another site...

OK - Let's do this before breaking out the big guns:

Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.

See if you are still being redirected and we'll go from there.

PP :)

Edited by PhilliePhan: The Usual. . . .

0

OK - Let's do this before breaking out the big guns:

Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.

See if you are still being redirected and we'll go from there.

PP :)

I run the program you mention.
Wow, seems it's fixed.... but let me test further for the google toolbar search engine. ...
..
..
after a few test to search on my firefox... it seems it's already fixed... it didn't redirected to fake web...

err... i'm not so sure, what the tools did to my system, did it remove something ?

Thanks very much!!!

Below is the log FYI :

GooredFix by jpshortstuff (24.09.09.1)
Log created at 00:13 on 04/11/2009 (myuserID)
Firefox version 3.5.4 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:34 18/03/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [13:07 26/04/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:54 21/10/2009]

-=E.O.F=-

Edited by ferrysb: update

0

err... i'm not so sure, what the tools did to my system, did it remove something ?

I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PP :)

0

I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PP :)

seems you're correct.. now it still redirected my web...
I will do as you said tonight. and will get back to you if finished scanning.

Thanks for your help.

0

seems you're correct.. now it still redirected my web...
I will do as you said tonight. and will get back to you if finished scanning.
Thanks for your help.

Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP :)

0

Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP :)

Hi Hi, below is my log for GMER. I run it with no internet connection, and my antivirus is disabled.
Pls help to check.
Thanks.
Thanks.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 04:57:21
Windows 5.1.2600 Service Pack 2
Running: 2pe32u84.exe; Driver: C:\DOCUME~1\FSANTO~1\LOCALS~1\Temp\kfryypoc.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [1002DE60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRect] [1002DED0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongA] [1002DEF0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowLongA] [1002DEF0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

Device \Driver\iaStor \Device\Ide\iaStor0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

0

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

That log looks OK other than the above. Let's look at this one further:

Please go here ---> and use the Browse Button at the top of the page to navigate to C:\WINDOWS\system32\drivers\iaStor.sys and Upload it for analysis.
Let me know what you find.

This seems familiar to me - I think I've seen it before.....

PP :)

0

This seems familiar to me - I think I've seen it before.....

I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers :)
PP

0

I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers :)
PP

wow, you really know a lot 'bout this :D
I Scanned using jotti's malware. And all of the scan found nothing on the file.

Will try using this combofix. And let you know the result.
Thanks.

0

wow, you really know a lot 'bout this :D
I Scanned using jotti's malware. And all of the scan found nothing on the file.
Will try using this combofix. And let you know the result.
Thanks.

Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP :)

0

Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP :)

seems that iastor.sys is the bad guy.
now looks like it's not redirected. but let me test a bit more later on. below is the combofix log.
Thanks :)


ComboFix 09-11-04.05 - FSantoso4859 11/06/2009 0:03.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1551 [GMT 8:00]
Running from: c:\documents and settings\FSantoso4859\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-790525478-1958367476-682003330-1003
c:\recycler\S-1-5-21-790525478-1958367476-682003330-500
c:\windows\run.log
c:\windows\system32\1028x.exe
c:\windows\system32\3937169366.dat
c:\windows\system32\440199740.dat
c:\windows\system32\ac3acmq.exe
c:\windows\system32\accesshw.exe
c:\windows\system32\ahuiu.exe
c:\windows\system32\Cache
c:\windows\Temp\1185792423.exe
c:\windows\Temp\181391922.exe
c:\windows\Temp\2741779961.exe

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMADMINHKHKG-SXF4859N1-SQL
-------\Legacy_DMSERVERHKHKG-SXF4859N1-SQL
-------\Legacy_LANMANSERVERCOMSYSAPP
-------\Legacy_RDSESSMGRLANMANWORKSTATION
-------\Legacy_SPOOLERHKHKG-SXF4859N1-CLASSIC
-------\Legacy_UPSSAMSS
-------\Service_dmadminHKHKG-SXF4859N1-SQL
-------\Service_dmserverHKHKG-SXF4859N1-SQL
-------\Service_lanmanserverCOMSysApp
-------\Service_RDSessMgrlanmanworkstation
-------\Service_SpoolerHKHKG-SXF4859N1-CLASSIC
-------\Service_UPSSamSs


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 16:15 . 2009-11-05 16:15 32 ------w- c:\windows\system32\440199740.dat
2009-11-05 15:58 . 2006-02-28 12:00 13952 -c--a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-05 15:58 . 2006-02-28 12:00 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-05 12:33 . 2004-08-11 04:01 119864 ------w- c:\windows\system32\drivers\IpSecDrv.sys
2009-11-05 12:33 . 2004-08-11 05:22 61492 ------w- c:\windows\system32\cmondll.dll
2009-11-05 12:33 . 2004-08-11 05:22 28726 ------w- c:\windows\system32\SnPolicy.dll
2009-11-05 12:33 . 2004-08-11 05:22 188470 ------w- c:\windows\system32\IreComn.dll
2009-11-05 12:33 . 2004-07-30 05:20 521786 ------w- c:\windows\system32\drivers\Crypto.sys
2009-11-05 12:33 . 2004-07-30 05:20 90166 ------w- c:\windows\system32\IreSC.dll
2009-11-05 12:33 . 2004-07-30 05:19 335930 ------w- c:\windows\system32\IreCGX.dll
2009-11-05 12:33 . 2004-07-30 05:19 151612 ------w- c:\windows\system32\IreBase.dll
2009-11-05 12:33 . 2002-12-06 07:42 207120 ------r- c:\windows\system32\Msoss.dll
2009-11-05 12:32 . 2009-11-05 12:32 -------- d-----w- c:\program files\Juniper
2009-11-05 12:32 . 2004-08-11 05:22 323636 ------w- c:\windows\system32\IreMgmt.dll
2009-11-05 12:32 . 2002-12-06 07:42 78848 ------r- c:\windows\system32\soedber.dll
2009-11-05 12:32 . 2002-12-06 07:42 46080 ------r- c:\windows\system32\soedapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 23552 ------r- c:\windows\system32\ossapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 16896 ------r- c:\windows\system32\ossdmem.dll
2009-11-05 12:32 . 2002-12-06 07:42 11264 ------r- c:\windows\system32\soedoid.dll
2009-11-05 12:32 . 2002-12-06 07:42 28160 ------r- c:\windows\system32\cstrain.dll
2009-11-05 12:32 . 2001-11-07 03:48 143360 ------w- c:\windows\system32\nsldap32v50.dll
2009-11-03 14:45 . 2009-11-03 14:45 21504 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-23 12:57 . 2009-10-23 12:57 -------- d-----w- c:\program files\WinSCP
2009-10-21 14:33 . 2009-10-21 14:33 -------- d-----w- c:\program files\LibUSB-Win32
2009-10-21 14:33 . 2007-03-20 03:33 28672 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-10-21 14:33 . 2007-03-20 03:33 43520 ----a-w- c:\windows\system32\libusb0.dll
2009-10-21 14:28 . 2009-10-21 14:30 -------- d-----w- c:\program files\QuickFreedom
2009-10-21 14:26 . 2009-10-21 14:26 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2009-10-21 14:26 . 2009-10-21 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\iPodtoComputer
2009-10-21 14:25 . 2008-06-15 02:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-10-21 14:25 . 2003-03-18 14:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-10-21 14:25 . 2003-03-18 13:14 499712 ----a-w- c:\windows\system32\MSVCP71.DLL
2009-10-21 14:25 . 2009-10-21 14:25 -------- d-----w- c:\program files\Cucusoft
2009-10-21 14:25 . 2009-10-21 14:25 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-10-21 14:23 . 2009-10-21 14:25 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\GetRightToGo
2009-10-21 14:22 . 2009-10-21 14:24 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-10-21 14:21 . 2009-10-21 14:21 -------- d-----w- c:\program files\Microsoft SDKs
2009-10-21 13:53 . 2009-10-21 13:53 175752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-21 13:53 . 2009-10-21 13:53 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-21 13:52 . 2009-10-21 13:52 -------- d-----w- c:\program files\Reference Assemblies
2009-10-21 13:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-21 13:51 . 2009-10-21 13:52 -------- d-----w- C:\36300c4706e967932a170e731a941f
2009-10-21 13:51 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-21 13:51 . 2009-10-21 13:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-17 14:00 . 2009-10-17 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-17 13:59 . 2009-10-17 13:59 836464 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-10-17 13:59 . 2009-10-17 13:59 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-17 13:59 . 2009-10-18 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-14 02:47 . 2007-02-12 09:46 3096576 ---ha-w- c:\documents and settings\FSantoso4859\Application Data\U3\temp\Launchpad Removal.exe
2009-10-12 03:23 . 2009-10-16 15:25 -------- d-----w- c:\program files\Millennium Trader 4
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 02:36 . 2009-10-30 08:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 15:49 . 2008-03-20 05:16 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\uTorrent
2009-11-05 12:32 . 2009-10-05 15:39 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-11-05 03:42 . 2009-06-12 02:03 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\webex
2009-10-21 14:27 . 2008-03-18 09:37 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-21 14:27 . 2008-03-18 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:23 . 2008-03-18 10:30 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-21 14:03 . 2008-03-18 10:25 80120 ----a-w- c:\documents and settings\FSantoso4859\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 13:28 . 2008-03-18 10:45 -------- d-----w- c:\program files\FlashGet
2009-10-14 06:00 . 2008-04-29 04:37 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\U3
2009-10-14 02:18 . 2008-03-18 07:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-02 12:24 . 2009-10-02 12:23 -------- d-----w- c:\program files\Microsoft
2009-10-02 12:24 . 2009-10-02 12:24 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-13 14:44 . 2009-09-13 14:44 64796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-12 02:20 . 2008-11-02 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 02:18 . 2008-11-02 12:13 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Apple Computer
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\program files\iTunes
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 15:12 . 2009-09-11 15:12 -------- d-----w- c:\program files\iPod
2009-09-11 15:12 . 2008-11-02 12:10 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 15:10 . 2009-09-11 15:09 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:41 . 2009-09-11 14:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-08-28 11:42 . 2009-03-15 16:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 11:42 . 2008-11-02 12:22 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 03:04 . 2008-03-18 03:36 87643 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-08-16 09:42 . 2008-08-16 09:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 09:42 . 2008-08-16 09:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 09:42 . 2008-08-16 09:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 09:42 . 2008-08-16 09:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 09:43 . 2008-08-16 09:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 09:42 . 2008-08-16 09:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 09:42 . 2008-08-16 09:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 00:41 . 2008-05-21 00:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 00:41 . 2008-05-21 00:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 00:41 . 2008-05-21 00:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 05:58 . 2008-06-05 05:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 09:42 . 2008-08-16 09:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2006-02-28 12:00 . 2006-02-28 12:00 61952 --sh--r- c:\windows\system32\1037su.exe
.

------- Sigcheck -------

[7] 2006-02-28 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-14 49168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TrackPointSrv"="tp4mon.exe" - c:\windows\system32\tp4mon.exe [2004-08-04 82432]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-02-28 53760]

c:\documents and settings\FSantoso4859\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-8 245760]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 576104]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-18 50688]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-11-5 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 14:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Navision\\Client\\Parsons\\Nav. Client 3.7b\\AtDebug.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 DataModem HSDPA.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Navision\\Installer\\NAV5SP1\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\5.0 SP1 NA\\DVD_Signed\\CsideClient\\program files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\NAV4\\AtDebug.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16272:TCP"= 16272:TCP:BitCometLite 16272 TCP
"16272:UDP"= 16272:UDP:BitCometLite 16272 UDP

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 18:32 19504]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/18/2008 17:11 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/18/2008 17:11 38528]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [11/5/2009 20:33 521786]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [6/3/2009 17:06 80936]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 22:10 11152]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [8/15/2008 11:11 36188]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [10/21/2009 22:33 28672]
S2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [11/5/2009 20:33 119864]
S2 RDSessMgrW3SVC;Remote Desktop Help Session Manager RDSessMgrW3SVC;c:\windows\system32\1037su.exe srv --> c:\windows\system32\1037su.exe srv [?]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [8/21/2008 20:04 98304]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [8/29/2007 12:01 153344]
S3 HeathDev;Application Server for Microsoft Dynamics NAV HeathDev;c:\navision\Application Server\nassql.exe [8/28/2009 10:17 1930360]
S3 HeathDev_2;Application Server for Microsoft Dynamics NAV HeathDev_2;c:\navision\Application Server 2\nassql.exe [8/28/2009 14:04 1930360]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/11/2009 23:24 42112]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 23:12 202096]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ZSMC302;PLEOMAX PWC-3800;c:\windows\system32\Drivers\usbvm302.sys --> c:\windows\system32\Drivers\usbvm302.sys [?]
S4 HKHKG-SXF4859N1-CLASSIC;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-CLASSIC;c:\program files\Microsoft Dynamics NAV\Application Server\nas.exe [2/14/2008 16:50 1860728]
S4 HKHKG-SXF4859N1-SQL;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-SQL;c:\program files\Microsoft Dynamics NAV\Application Server\nassql.exe [2/14/2008 16:51 1930360]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 07:01 2799808]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [1/13/2009 01:10 14976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-03-18 17:30]

2009-10-30 c:\windows\Tasks\Weekly Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 16:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: microsoft.com\mbs
FF - ProfilePath - c:\documents and settings\FSantoso4859\Application Data\Mozilla\Firefox\Profiles\papnscwi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://hk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-P2kAutostart - (no file)
AddRemove-HDMI - c:\windows\system32\igxpun.exe
AddRemove-HijackThis - c:\documents and settings\FSantoso4859\Desktop\xxxxx\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll

- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 0:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 16:30

Pre-Run: 18,721,177,600 bytes free
Post-Run: 19,121,467,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

0

seems that iastor.sys is the bad guy.
now looks like it's not redirected. but let me test a bit more later on. below is the combofix log.
Thanks :)

Happy to help :)

Let me know if you are still being redirected.

-- Looks to me as though you tried to clean this (or another infection) before posting here? Another typically infected file is missing....


Please do the following:

1) Click START > RUN > type cmd ENTER
At the command prompt, type ipconfig /flushdns and hit ENTER
-- Note there is a space between g <space> /

2) With the command prompt still open, type:
copy c:\windows\system32\dllcache\eventlog.dll c:\windows\system32\ and hit ENTER
You should get a message stating "1 file<s> copied."
-- Note there are spaces between copy <space> c:\ and .dll <space> c:\

3) Please Download ATF-Cleaner.exe by Atribune to the Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.


Let me know how things are working and we can wrap this up.

Cheers :)
PP

Edited by PhilliePhan: Added info....

0

Happy to help :)

Let me know if you are still being redirected.

-- Looks to me as though you tried to clean this (or another infection) before posting here? Another typically infected file is missing....


Please do the following:

1) Click START > RUN > type cmd ENTER
At the command prompt, type ipconfig /flushdns and hit ENTER
-- Note there is a space between g <space> /

2) With the command prompt still open, type:
copy c:\windows\system32\dllcache\eventlog.dll c:\windows\system32\ and hit ENTER
You should get a message stating "1 file<s> copied."
-- Note there are spaces between copy <space> c:\ and .dll <space> c:\

3) Please Download ATF-Cleaner.exe by Atribune to the Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.


Let me know how things are working and we can wrap this up.

Cheers :)
PP

I did the ATF Cleaner.
looks like i'm not being redirected anymore. so It's solved.
Thanks a lot :)

0

hi hi, after i did the ATF on the firefox, seems something wrong with my firefox, when i open daniweb, all the font will be on the middle, and the appearance looks weird...
although not all web will be like this. only some web, already tried to reinstal firefox, do you know why ? is it blocked some of the plug-in ?

thanks

0

hi hi, after i did the ATF on the firefox, seems something wrong with my firefox, when i open daniweb, all the font will be on the middle, and the appearance looks weird...
although not all web will be like this. only some web, already tried to reinstal firefox, do you know why ? is it blocked some of the plug-in ?

I do not know - This is the first time I've heard of that. I use ATFCleaner a lot and have never had an issue with Firefox.
Have a look at this thread: ATFCleaner and Firefox
Does that help?


Since the redirect is gone. let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and it’s components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

-- Let me know if you are still having problems with Firefox and we'll see what we can do.

PP :)

Edited by PhilliePhan: The Usual....

0

hi, i go the forum you mentioned, it said i need to clear cookies/cache of firefox, and it's worked, the firefox is back to normal.
and now the firefox is not being redirected anymore..
thanks a lot !

0

hi, i go the forum you mentioned, it said i need to clear cookies/cache of firefox, and it's worked, the firefox is back to normal.
and now the firefox is not being redirected anymore..
thanks a lot !

Excellent!

You're Welcome - Glad I could help :)

PP

0

I have the same problem. I have had McAfee virus removal team working on it for two days and they could not remove the virus in the thread. I ran Malwarebytes and DDS this did not remove the problem, can you help? I ran both tools in safe mode and Malwarebytes states that it removed all virus'. Here is my dds.txt

.
DDS (Ver_2011-06-03.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by HP_Administrator at 23:25:00 on 2011-06-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.641 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.

Thank you for the help

Attachments
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/15/2007 9:33:12 PM
System Uptime: 6/4/2011 11:21:39 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | Puffer2  
Processor:               Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3201/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 179 GiB total, 137.405 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.863 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A0B103C&REV_10\4&23C0B1C&0&10F0
Manufacturer: Realtek
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A0B103C&REV_10\4&23C0B1C&0&10F0
Service: rtl8139
.
Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Description: 
Device ID: ROOT\MONITOR\0000
Manufacturer: HP
Name: 
PNP Device ID: ROOT\MONITOR\0000
Service: 
.
==== System Restore Points ===================
.
RP2: 6/1/2011 11:51:52 PM - System Checkpoint
RP3: 6/2/2011 2:06:36 PM - Software Distribution Service 3.0
RP4: 6/2/2011 9:11:58 PM - Removed Bing Maps 3D
RP5: 6/2/2011 9:15:54 PM - Removed Google Earth.
RP6: 6/2/2011 9:19:15 PM - Removed Microsoft WorldWide Telescope
RP7: 6/3/2011 12:16:33 PM - Software Distribution Service 3.0
RP8: 6/4/2011 12:50:07 PM - Software Distribution Service 3.0
RP9: 6/4/2011 3:00:17 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
1000Tour
1200
1200_Help
1200Trb
Acrobat.com
ActivePerl 5.10.0 Build 1005
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9.1.3
Agere Systems PCI Soft Modem
AI RoboForm (All Users)
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Aptana Studio 2.0
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
Auslogics Disk Defrag
Batch Image Resizer 3.5
Bonjour
BufferChm
Cartes du Ciel
ColorPic
Conduit Engine
Copy
Coupon Printer for Windows
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
e-Sword
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Eudora
Evernote v. 4.3.1
FastCGI 1.5 (x86) RTW
Fax
FileZilla Client 3.4.0
FreeMind
GIMP 2.6.8
Google Chrome
Google Update Helper
GoToMeeting 4.5.0.458
GTK+ 2.8.18-1 runtime environment
Help and Support Additions
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet Preloaded Printer Drivers
HP Diagnostic Assistant
HP Image Zone 4.5.3
HP Image Zone for Media Center PC
HP Image Zone Plus 4.5.3
HP LCD Monitor Driver Software 2.00
HP PSC & OfficeJet 4.0
HP Tunes
HP Update
HPIZplus450
HPODiscovery
HpSdpAppCoreApp
ImageMixer VCD2 for FinePix
InfraRecorder
InstantShare
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0 Update 10
Jarte 4.3
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 13
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Jing
Junk Mail filter update
Keyword Blueprint 2
LAME v3.98.3 for Audacity
LS_HSI
Malwarebytes' Anti-Malware version 1.51.0.1200
Market Samurai
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office Standard Edition 2003
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Visual Studio Web Authoring Component
Microsoft Works
Microsoft XML Parser
MicroStaff WINASPI
Mozilla Firefox 4.0.1 (x86 en-US)
MR97113
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
muvee autoProducer 3.5 magicMoments - HPD
muvee autoProducer unPlugged - HPD
MySQL Connector Net 6.1.3
Nero OEM
neroxml
NETGEAR GA311 Gigabit Adapter
NETGEAR GA311 Smart Wizard Utility
OpenOffice.org 3.1
Otto
PanoStandAlone
PC-Doctor for Windows
Peachtree Accounting 2005
PhotoGallery
PhotoJoy
PhotoJoy Bar Toolbar
PHP 5.2.13
PHP Editor 2.22
PrintScreen
ProductContext
QFolder
QuickProjects
QuickTime
Readme
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6773

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/4/2011 11:01:36 PM
mbam-log-2011-06-04 (23-01-36).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 377236
Time elapsed: 45 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FX - Video Converter (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Value: wxfw.dll -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=196&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\all users\application data\06462523 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\hp_administrator\application data\Sun\Java\deployment\cache\6.0\41\4d5a3e9-565fd2b3 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\my documents\video converter\videoconvertersetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\program files\foxtabvideoconverter\uninstall\uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP6\A0002656.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\06462523\06462523.cfg (Rogue.Multiple) -> Quarantined and deleted successfully.
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.