
Browser redirecting

Discussion in 'Virus & Other Malware Removal' started by Lyrithe, Sep 30, 2008.

  1. Lyrithe

    Lyrithe Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    8
    I am having an issue with my web browsers, IE and Firefox, where when I do a Google search, Yahoo search, or any other search, the results listed always redirect me to some random advertisement site. I can still click the cached link in Google to get the page I want, but it's very slow. Also, at random times an instance of IE will run in the background (where I cannot see it) and load up an advertisement and play music; the only way I can kill it is via the processes list in Task Manager.

    Also, my browser will not allow me to type addresses in the address bar, it will always give me "page cannot be displayed" errors. I have to click on a link to go somewhere.

    Spybot S&D did not fix it. Neither did Ad-Aware. Any help would be appreciated. The HijackThis log is below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:50:36 AM, on 9/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\ePrompter\ePrompter.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\PROGRA~1\PARENT~1\ParentalFilter.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [C:\Documents and Settings\Colby\Desktop\BlackBerry_JDE_4.3.0.exe] C:\Documents and Settings\Colby\Desktop\BlackBerry_JDE_4.3.0.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.startekconnect.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.63-big/GoogleNav.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://saturn.installshield.com/ispro/701/eval/oci/setup.exe
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

    --
    End of file - 10561 bytes
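An added example, not code from the thread or from HijackThis: a small triage script for the O4 and O23 lines of a log like the one above. The heuristics are the editor's own and only raise entries for a human to verify. It flags a Windows system binary name (svchost.exe, lsass.exe, ...) started from outside its normal directory, a Run key whose name is the full executable path, and a service whose binary HijackThis reports as missing. The sample lines are copied from the log posted above; the directory allow-list assumes a default C:\WINDOWS install.

```python
"""Triage the autostart lines of a HijackThis log.

Added example by the editor, not code from the thread or from HijackThis.
The heuristics are the editor's own and only raise entries for a human to
check; the sample lines are copied from the log posted above.
"""
import re

# Binaries Windows normally runs only from these directories (assumes a
# default C:\WINDOWS install). A file with one of these names starting from
# anywhere else, e.g. system32\drivers, is a classic masquerade and should
# be verified before it is trusted.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - .+ - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def exe_path(cmd):
    """Extract the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(lines):
    """Return (section, name, reason) tuples for lines worth a second look."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m["cmd"])
            directory, _, base = path.lower().rpartition("\\")
            homes = SYSTEM_BINARY_HOMES.get(base)
            if homes is not None and directory not in homes:
                findings.append(("O4", m["name"], f"{base} started from {directory or '(relative path)'}"))
            elif m["name"].lower() == path.lower():
                # Installers sometimes leave this shape behind, but so do droppers.
                findings.append(("O4", m["name"], "Run-key name is the full executable path"))
            continue
        m = O23_RE.match(line)
        if m and m["missing"]:
            findings.append(("O23", m["svc"], f"service binary missing: {m['path']}"))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup',
    r"O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe",
    r"O4 - HKCU\..\Run: [C:\Documents and Settings\Colby\Desktop\BlackBerry_JDE_4.3.0.exe] C:\Documents and Settings\Colby\Desktop\BlackBerry_JDE_4.3.0.exe",
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe",
    r"O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe",
]

if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name!r}: {reason}")
```

Run against the sample, the script raises three lines: the BlackBerry entry (name equals path), the svchost.exe copy in system32\drivers, and the missing GEARSEC.EXE. The diagent and Logitech entries pass because a relative or vendor path with a non-system name tells this heuristic nothing either way.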
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    First,

    Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
    To disable SpybotSD TeaTimer:

    Open Spybot and click on Mode and check Advanced Mode
    Check yes to next window.
    Click on Tools in bottom left hand corner.
    Click on System Startup icon.
    Uncheck Teatimer box.
    Click Allow Change box.

    You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

    Then
    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.
     
  3. Lyrithe

    Lyrithe Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    8
    I have done as you requested, and the log is displayed below. I did a quick check before coming back here, and it appears to not be redirecting anymore. Hopefully you will be able to look at the log and double-check that for me. Also, just to let you know in case it helps: before doing this, when I was getting the redirecting, I noticed that when I did a Google search or Yahoo search I was seeing on the status bar "retrieving data from web-analytics.google.com" or "web-analytics.yahoo.com". Links to websites said something like go.google.com with some stuff attached to the end.

    Anyway, this appears to be gone for now but I would appreciate your opinion.




    Malwarebytes' Anti-Malware 1.28
    Database version: 1225
    Windows 5.1.2600 Service Pack 2

    9/30/2008 1:04:10 PM
    mbam-log-2008-09-30 (13-04-10).txt

    Scan type: Quick Scan
    Objects scanned: 55391
    Time elapsed: 5 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 15
    Registry Values Infected: 2
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpfsched (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\hpfsched.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.24.dll (Adware.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.24.inf (Adware.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.
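The MBAM log above reports tampered Userinit data under Winlogon, and the first HijackThis log showed a second program chained onto Shell (the F2 line). An added example, not code from the thread or from Malwarebytes, for checking those two values: Winlogon runs every comma-separated entry of Userinit at logon, and Shell is a single command line, so anything beyond the stock userinit.exe and Explorer.exe deserves a look. Expected values are the Windows XP defaults; the sample values are constructed to mirror what the logs in this thread reported, and the live read uses Python's standard winreg module, so it only runs on Windows.

```python
"""Audit the Winlogon Userinit and Shell values for appended programs.

Added example by the editor, not code from the thread or from Malwarebytes.
Expected values are the Windows XP defaults; the sample values are
constructed to mirror what the MBAM and HijackThis logs above reported.
"""
import os

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def audit_userinit(value, windir=r"C:\WINDOWS"):
    """Return every Userinit entry that is not the stock userinit.exe.

    Winlogon runs each comma-separated entry of Userinit at logon, so a path
    appended after userinit.exe executes in the user's session before the
    desktop appears. The default is '<windir>\\system32\\userinit.exe,' and the
    trailing comma yields an empty entry, which is ignored.
    """
    expected = (windir + r"\system32\userinit.exe").lower()
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in (expected, "userinit.exe"):
            extras.append(entry)
    return extras


def audit_shell(value):
    """Return anything chained onto Shell beyond the bare Explorer.exe.

    Shell is one command line, so a second program is appended after a space
    (the F2 line in the first HijackThis log has that shape). If Explorer.exe
    is not there at all, the whole value is returned: the shell was replaced.
    """
    value = value.strip()
    if value.lower() == "explorer.exe":
        return []
    if value.lower().startswith("explorer.exe "):
        return [value[len("explorer.exe"):].strip()]
    return [value]


def read_winlogon_values():
    """Read the live values on a Windows host (standard winreg module)."""
    import winreg  # importable only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return userinit, shell


# Constructed samples: the clean XP default, a Userinit with a second entry
# appended as the MBAM log above reported (Data: c:\windows\system32\), and
# the Shell value from the first HijackThis log's F2 line.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
TAMPERED_USERINIT = "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\"
CHAINED_SHELL = r"Explorer.exe C:\PROGRA~1\PARENT~1\ParentalFilter.exe"

if __name__ == "__main__":
    if os.name == "nt":
        userinit, shell = read_winlogon_values()
        windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
        print("Userinit extras:", audit_userinit(userinit, windir))
        print("Shell extras:", audit_shell(shell))
    else:
        print("Userinit extras:", audit_userinit(TAMPERED_USERINIT))
        print("Shell extras:", audit_shell(CHAINED_SHELL))
```

On a clean machine both functions return empty lists. An extra Userinit entry is the stronger signal, since nothing legitimate in a home setup normally adds one; an extra Shell program may be a product the user installed (a parental filter here), so confirm what the file is before removing it.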
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix; especially follow the advice about installing the Recovery Console.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply.
     
  5. Lyrithe

    Lyrithe Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    8
    All information after running ComboFix is below; the HijackThis report is first:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:52:35 PM, on 9/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\TSC.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\ePrompter\ePrompter.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.startekconnect.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.63-big/GoogleNav.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://saturn.installshield.com/ispro/701/eval/oci/setup.exe
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

    --
    End of file - 10049 bytes

    =======================================================


    ComboFix 08-09-30.01 - Colby 2008-09-30 16:17:59.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT -5:00]
    Running from: C:\Documents and Settings\Colby\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Colby\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Colby\Cookies\[email protected][2].txt
    C:\Documents and Settings\Colby\Cookies\[email protected][2].txt
    C:\Documents and Settings\Colby\My Documents\ICROSO~1
    C:\Documents and Settings\Colby\My Documents\ICROSO~1\mmc.exe
    C:\Documents and Settings\Colby\My Documents\WNSXS~1
    C:\Documents and Settings\Colby\My Documents\WNSXS~1\r?gedit.exe
    C:\test.txt
    C:\WINDOWS\Downloaded Program Files\setup.dll
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\dao350.dll
    C:\WINDOWS\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\tdssadw.dll
    C:\WINDOWS\system32\TDSSerrors.log
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\TDSSlog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\TDSSserf1.dll
    C:\WINDOWS\system32\tdssservers.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
    .

    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Documents and Settings\Colby\Application Data\Malwarebytes
    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-30 12:53 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-30 12:53 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-30 03:08 . 2008-09-30 03:14 <DIR> d-------- C:\fixwareout
    2008-09-29 23:01 . 2008-09-30 02:39 <DIR> d-------- C:\temp\WGWildThings
    2008-09-29 23:01 . 2008-02-05 12:22 2,293,760 --a------ C:\WINDOWS\system32\CADEngine4.ocx
    2008-09-29 23:01 . 2008-02-05 12:50 2,052,096 --a------ C:\WINDOWS\system32\CADEngine3.ocx
    2008-09-29 23:01 . 2002-03-04 12:21 349,968 --a------ C:\WINDOWS\system32\IGThreed40.ocx
    2008-08-28 23:08 . 2008-08-28 23:08 <DIR> d-------- C:\Program Files\PopCap Games
    2008-08-27 23:09 . 2008-08-27 23:09 <DIR> d-------- C:\Documents and Settings\DF3R7221\ASPNET.DF3R7221
    2008-08-24 21:52 . 2008-08-25 18:01 20 --a------ C:\WINDOWS\popcinfot.dat
    2008-08-24 21:52 . 2008-08-24 21:52 0 --a------ C:\WINDOWS\popcreg.dat
    2008-08-15 01:12 . 2008-08-21 18:34 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
    2008-08-15 01:12 . 2008-08-15 01:12 0 --a------ C:\WINDOWS\nsreg.dat
    2008-08-13 15:32 . 2008-08-13 15:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-08-13 15:31 . 2008-08-14 15:00 <DIR> d-------- C:\Documents and Settings\Colby\.housecall6.6
    2008-08-01 15:36 . 2008-08-01 15:36 197,976 -ra------ C:\WINDOWS\system32\cpnprt2.cid

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-30 21:32 --------- d-----w C:\Program Files\TrueAssistant
    2008-09-30 21:18 --------- d-----w C:\Program Files\Parental Filter
    2008-09-30 09:26 90,112 ----a-w C:\WINDOWS\DUMP3633.tmp
    2008-09-30 07:39 --------- d-----w C:\Program Files\Sparkle
    2008-09-30 07:33 --------- d-----w C:\Program Files\Trend Micro
    2008-09-30 07:21 90,112 ----a-w C:\WINDOWS\DUMP31fc.tmp
    2008-09-23 10:13 --------- d-----w C:\Documents and Settings\Colby\Application Data\WeatherBug
    2008-09-23 00:14 --------- dc-h--w C:\Program Files\InstallShield Installation Information
    2008-09-03 01:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-03 00:35 --------- d-----w C:\Documents and Settings\Colby\Application Data\iWin
    2008-09-03 00:34 --------- d-----w C:\Program Files\MSN Games
    2008-08-25 23:17 --------- d-----w C:\Documents and Settings\Colby\Application Data\Azureus
    2008-07-30 16:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\FunGames
    2008-07-25 00:17 101,648 -c--a-w C:\Documents and Settings\Colby\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-06-24 03:33 691,545 ----a-w C:\WINDOWS\unins000.exe
    2003-04-19 11:20 460 ----a-w C:\Program Files\INSTALL.LOG
    2003-02-04 10:45 0 -c--a-w C:\Program Files\log.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Popup Ad Filter"="C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe" [2001-05-21 268288]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-08-31 1597440]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "pccguide.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe" [2003-04-25 639046]
    "PCCClient.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe" [2003-04-25 565248]
    "Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe" [2003-04-25 561222]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 335872]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-02-16 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
    "Logitech Utility"="Logi_MwX.Exe" [2003-03-04 C:\WINDOWS\LOGI_MWX.EXE]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-22 108544]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2008-03-16 221247]
    Digimax Viewer 1.0.lnk - C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [2003-11-17 331776]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-06-23 217088]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWinKeys"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
    "vidc.DIV3"= DivXc32.dll
    "vidc.DIV4"= DivXc32f.dll
    "msacm.divxa32"= DivXa32.acm
    "vidc.3IV2"= 3ivxVfWCodec.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

    R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
    R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-03-04 14348]
    S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
    S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 295168]
    S3 DCamUSBSvis;Concord EyeQ DUO Stream Driver;C:\WINDOWS\system32\DRIVERS\svstream.sys [2001-07-13 91480]
    S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-18 99840]
    S3 pcx2nd5;Toshiba PCX2000 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pcx2nd5.sys [2000-12-28 16384]
    S3 pcx2unic;Toshiba PCX2000 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pcx2unic.sys [2000-12-28 59904]
    S3 pohci13F;pohci13F;C:\DOCUME~1\Colby\LOCALS~1\Temp\pohci13F.sys [ ]
    S3 qws2ifsl;qws2ifsl;C:\DOCUME~1\Colby\LOCALS~1\Temp\qws2ifsl.sys [ ]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff37c614-d132-11dc-8dab-0007e9aa7a97}]
    \Shell\AutoRun\command - H:\PMB_Portable.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe
    HKCU-Run-C:\Documents and Settings\Colby\Desktop\BlackBerry_JDE_4.3.0.exe - C:\Documents and Settings\Colby\Desktop\BlackBerry_JDE_4.3.0.exe
    HKCU-Run-ATI Launchpad - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Colby\Application Data\Mozilla\Firefox\Profiles\zporlizt.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
    FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
    FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-30 16:28:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\KB810217.log:iuryku 66048 bytes executable
    C:\WINDOWS\{00000002-00000000-00000002-00001102-00000002-100A1102}.CDF:exfbcc 66048 bytes executable

    scan completed successfully
    hidden files: 2

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\TSC.EXE
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\ePrompter\ePrompter.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-30 16:45:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-30 21:45:36

    Pre-Run: 4,449,689,600 bytes free
    Post-Run: 4,426,379,264 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    1883 --- E O F --- 2007-08-30 04:55:37
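    As an added example (not code from this thread, from ComboFix or from catchme), here is a small Python triage script that walks a ComboFix-style log for the indicator classes that appear in the log above: executables hidden in NTFS alternate data streams (the two catchme hits), kernel drivers registered from a user Temp directory with no file on disk, the Security Center overrides, the disabled XP firewall and the globally open TCP 3389. The sample log embedded in it is constructed from trimmed lines of the post, with the forum-mangled ":mad:" restored to the ":@" resource-string form ComboFix actually prints; the function and field names are this example's own.

```python
"""Triage a ComboFix-style log for the indicators seen in this thread.

Added example, not part of the forum post and not ComboFix's own code.
SAMPLE_LOG is constructed: a handful of lines trimmed from the log above.
Function and field names are this example's own.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
S3 pohci13F;pohci13F;C:\DOCUME~1\Colby\LOCALS~1\Temp\pohci13F.sys [ ]
S3 qws2ifsl;qws2ifsl;C:\DOCUME~1\Colby\LOCALS~1\Temp\qws2ifsl.sys [ ]

scanning hidden files ...

C:\WINDOWS\KB810217.log:iuryku 66048 bytes executable
C:\WINDOWS\{00000002-00000000-00000002-00001102-00000002-100A1102}.CDF:exfbcc 66048 bytes executable

scan completed successfully
hidden files: 2
"""

# catchme line: "<host file>:<stream name> <size> bytes executable".
# A PE parked in an NTFS alternate data stream is invisible to a normal
# directory listing, which is why rootkit droppers use it.
ADS_RE = re.compile(
    r"^(?P<host>[A-Za-z]:\\.+?):(?P<stream>[^:\\\s]+)\s+(?P<size>\d+) bytes executable$"
)
# ComboFix service/driver line: "<start> <name>;<description>;<path> [<date size>]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
REG_SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')


def triage(log: str) -> List[Dict[str, str]]:
    """Walk the log once and return findings as {kind, severity, detail} dicts."""
    findings: List[Dict[str, str]] = []
    section = ""  # lower-cased name of the current [registry key] block

    def add(kind: str, severity: str, detail: str) -> None:
        findings.append({"kind": kind, "severity": severity, "detail": detail})

    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = ADS_RE.match(line)
        if m:
            add("hidden_ads_executable", "high",
                f"{m.group('host')}:{m.group('stream')} ({m.group('size')} bytes)")
            continue
        m = SERVICE_RE.match(line)
        if m:
            path, meta = m.group("path"), m.group("meta").strip()
            # A kernel driver loading from a user Temp directory, or whose file
            # ComboFix could not stat (empty brackets), is not a vendor driver.
            if "\\temp\\" in path.lower() or not meta:
                add("driver_from_temp_or_missing", "high", f"{m.group('name')} -> {path}")
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        if "security center" in section and name.endswith("Override") and value.endswith("1"):
            # Suppresses the Security Center warning that AV/firewall are off.
            add("security_center_override", "medium", f"{name}={value}")
        elif "firewallpolicy" in section and name == "EnableFirewall" and value.startswith("0"):
            add("firewall_disabled", "medium", f"{name}={value}")
        elif "globallyopenports" in section:
            add("firewall_open_port", "medium", f"{name} -> {value}")
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a one-glance verdict on the log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['kind']:<28} {f['detail']}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run as-is it prints the eight findings from the constructed sample; feed the text of a real ComboFix.txt to triage() to apply the same checks. The ADS rule only recognises catchme's "... bytes executable" lines, so on a live system (Vista or later) follow up with `dir /R` or PowerShell's `Get-Item -Stream *` on the host files before treating them as clean.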
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Did you set the "disable use of Winkeys" restriction yourself?

    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    [screenshot: CFScript.txt being dragged onto ComboFix.exe]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file inside C:\QooBox\ named something like [38][email protected]

    At the end it will pop up an alert and open your browser and ask you to send the zip file.

    Please follow those instructions. We need to see the zip file before we can carry on with the fix.

    If there is no pop-up alert or open browser, then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
    Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select as before. When all the files are listed in the window, press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\ created by ComboFix, named something like [38][email protected]

    Then please go to
    C:\Qoobox, right-click the Quarantine folder and select Send To > Compressed (zipped) Folder.

    That makes a zip copy of the quarantine folder, which contains new versions of rootkit files we need to examine and send to antivirus companies.

    Please upload that zipped folder at thespykiller as well.
     

  7. Lyrithe

    Lyrithe Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    8
    Yes, I did disable Winkeys myself.

    There is no such zip file in the folder C:\Qoobox, only a bunch of text files with these names:
    Add-Remove Programs.txt
    [email protected]
    ComboFix2.txt
    ComboFix-quarantined-files.txt
    [email protected]_16.41.56.17.dat
    [email protected]_16.41.56.17_B.dat

    I did zip the quarantine folder, though, and submitted it on thespykiller. The post is located here:
    http://thespykiller.co.uk/index.php...27301e721b0a9ea2&topic=7089.msg28190#msg28190

    New HJT log and combofix logs below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:51:15 AM, on 10/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\TSC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\ePrompter\ePrompter.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.startekconnect.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.63-big/GoogleNav.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://saturn.installshield.com/ispro/701/eval/oci/setup.exe
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

    --
    End of file - 9941 bytes


    ComboFix 08-09-30.01 - Colby 2008-10-01 3:01:04.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.611 [GMT -5:00]
    Running from: C:\Documents and Settings\Colby\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Colby\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_POHCI13F
    -------\Service_pohci13F
    -------\Service_qws2ifsl


    ((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
    .

    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Documents and Settings\Colby\Application Data\Malwarebytes
    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-30 12:53 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-30 12:53 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-30 03:08 . 2008-09-30 03:14 <DIR> d-------- C:\fixwareout
    2008-09-29 23:01 . 2008-09-30 02:39 <DIR> d-------- C:\temp\WGWildThings
    2008-09-29 23:01 . 2008-02-05 12:22 2,293,760 --a------ C:\WINDOWS\system32\CADEngine4.ocx
    2008-09-29 23:01 . 2008-02-05 12:50 2,052,096 --a------ C:\WINDOWS\system32\CADEngine3.ocx
    2008-09-29 23:01 . 2002-03-04 12:21 349,968 --a------ C:\WINDOWS\system32\IGThreed40.ocx

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-01 08:10 --------- d-----w C:\Program Files\TrueAssistant
    2008-10-01 06:04 --------- d-----w C:\Program Files\PopCap Games
    2008-09-30 21:18 --------- d-----w C:\Program Files\Parental Filter
    2008-09-30 09:26 90,112 ----a-w C:\WINDOWS\DUMP3633.tmp
    2008-09-30 07:39 --------- d-----w C:\Program Files\Sparkle
    2008-09-30 07:33 --------- d-----w C:\Program Files\Trend Micro
    2008-09-30 07:21 90,112 ----a-w C:\WINDOWS\DUMP31fc.tmp
    2008-09-23 10:13 --------- d-----w C:\Documents and Settings\Colby\Application Data\WeatherBug
    2008-09-23 00:14 --------- dc-h--w C:\Program Files\InstallShield Installation Information
    2008-09-03 01:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-03 00:35 --------- d-----w C:\Documents and Settings\Colby\Application Data\iWin
    2008-09-03 00:34 --------- d-----w C:\Program Files\MSN Games
    2008-08-25 23:17 --------- d-----w C:\Documents and Settings\Colby\Application Data\Azureus
    2008-08-21 23:34 --------- d-----w C:\Program Files\Mozilla Firefox(2)
    2008-08-13 20:31 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-25 00:17 101,648 -c--a-w C:\Documents and Settings\Colby\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2003-04-19 11:20 460 ----a-w C:\Program Files\INSTALL.LOG
    2003-02-04 10:45 0 -c--a-w C:\Program Files\log.txt
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\temp\WGWildThings ----

    2008-09-29 23:08 3175 --a------ C:\temp\WGWildThings\Patterns.las
    2008-09-29 23:07 2145 --a------ C:\temp\WGWildThings\pocket.las


    ((((((((((((((((((((((((((((( [email protected]_16.41.56.17 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-30 21:27:53 208,639 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-10-01 08:12:04 208,646 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Popup Ad Filter"="C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe" [2001-05-21 268288]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-08-31 1597440]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "pccguide.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe" [2003-04-25 639046]
    "PCCClient.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe" [2003-04-25 565248]
    "Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe" [2003-04-25 561222]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 335872]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-02-16 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
    "Logitech Utility"="Logi_MwX.Exe" [2003-03-04 C:\WINDOWS\LOGI_MWX.EXE]

    C:\Documents and Settings\Colby\Start Menu\Programs\Startup\
    ePrompter.lnk - C:\Program Files\ePrompter\ePrompter.exe [2004-04-23 782336]
    Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-02-10 368640]
    TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2006-11-17 540672]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-22 108544]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2008-03-16 221247]
    Digimax Viewer 1.0.lnk - C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [2003-11-17 331776]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-06-23 217088]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWinKeys"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
    "vidc.DIV3"= DivXc32.dll
    "vidc.DIV4"= DivXc32f.dll
    "msacm.divxa32"= DivXa32.acm
    "vidc.3IV2"= 3ivxVfWCodec.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
    R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-03-04 14348]
    S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
    S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 295168]
    S3 DCamUSBSvis;Concord EyeQ DUO Stream Driver;C:\WINDOWS\system32\DRIVERS\svstream.sys [2001-07-13 91480]
    S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-18 99840]
    S3 pcx2nd5;Toshiba PCX2000 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pcx2nd5.sys [2000-12-28 16384]
    S3 pcx2unic;Toshiba PCX2000 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pcx2unic.sys [2000-12-28 59904]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff37c614-d132-11dc-8dab-0007e9aa7a97}]
    \Shell\AutoRun\command - H:\PMB_Portable.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-01 03:10:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\KB810217.log:iuryku 66048 bytes executable
    C:\WINDOWS\{00000002-00000000-00000002-00001102-00000002-100A1102}.CDF:exfbcc 66048 bytes executable

    scan completed successfully
    hidden files: 2

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\TSC.EXE
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-01 3:26:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-01 08:26:13
    ComboFix2.txt 2008-09-30 21:46:01

    Pre-Run: 4,357,165,056 bytes free
    Post-Run: 4,353,085,440 bytes free

    172 --- E O F --- 2007-08-30 04:55:37
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    No zip file means the files weren't found.

    I made a mistake in the previous script & didn't delete the ADS streams, so please run ComboFix again using this as the script file.

    I am checking the quarantine folder & will let you know if we need to do anything more.
     

    Attached Files:

  9. Lyrithe

    Lyrithe Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    8
    HJT log again, along with the ComboFix log:




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:22:21 AM, on 10/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\ePrompter\ePrompter.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.startekconnect.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.63-big/GoogleNav.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://saturn.installshield.com/ispro/701/eval/oci/setup.exe
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

    --
    End of file - 9888 bytes




    ComboFix 08-09-30.01 - Colby 2008-10-01 4:15:50.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -5:00]
    Running from: C:\Documents and Settings\Colby\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Colby\Desktop\CFScript2.txt
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
    .

    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Documents and Settings\Colby\Application Data\Malwarebytes
    2008-09-30 12:53 . 2008-09-30 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-30 12:53 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-30 12:53 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-30 03:08 . 2008-09-30 03:14 <DIR> d-------- C:\fixwareout
    2008-09-29 23:01 . 2008-09-30 02:39 <DIR> d-------- C:\temp\WGWildThings
    2008-09-29 23:01 . 2008-02-05 12:22 2,293,760 --a------ C:\WINDOWS\system32\CADEngine4.ocx
    2008-09-29 23:01 . 2008-02-05 12:50 2,052,096 --a------ C:\WINDOWS\system32\CADEngine3.ocx
    2008-09-29 23:01 . 2002-03-04 12:21 349,968 --a------ C:\WINDOWS\system32\IGThreed40.ocx

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-01 08:10 --------- d-----w C:\Program Files\TrueAssistant
    2008-10-01 06:04 --------- d-----w C:\Program Files\PopCap Games
    2008-09-30 21:18 --------- d-----w C:\Program Files\Parental Filter
    2008-09-30 09:26 90,112 ----a-w C:\WINDOWS\DUMP3633.tmp
    2008-09-30 07:39 --------- d-----w C:\Program Files\Sparkle
    2008-09-30 07:33 --------- d-----w C:\Program Files\Trend Micro
    2008-09-30 07:21 90,112 ----a-w C:\WINDOWS\DUMP31fc.tmp
    2008-09-23 10:13 --------- d-----w C:\Documents and Settings\Colby\Application Data\WeatherBug
    2008-09-23 00:14 --------- dc-h--w C:\Program Files\InstallShield Installation Information
    2008-09-03 01:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-03 00:35 --------- d-----w C:\Documents and Settings\Colby\Application Data\iWin
    2008-09-03 00:34 --------- d-----w C:\Program Files\MSN Games
    2008-08-25 23:17 --------- d-----w C:\Documents and Settings\Colby\Application Data\Azureus
    2008-08-21 23:34 --------- d-----w C:\Program Files\Mozilla Firefox(2)
    2008-08-13 20:31 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-25 00:17 101,648 -c--a-w C:\Documents and Settings\Colby\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2003-04-19 11:20 460 ----a-w C:\Program Files\INSTALL.LOG
    2003-02-04 10:45 0 -c--a-w C:\Program Files\log.txt
    .

    ((((((((((((((((((((((((((((( [email protected]_16.41.56.17 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-30 21:27:53 208,639 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-10-01 08:44:17 208,639 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Popup Ad Filter"="C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe" [2001-05-21 268288]
    "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-08-31 1597440]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "pccguide.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe" [2003-04-25 639046]
    "PCCClient.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe" [2003-04-25 565248]
    "Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe" [2003-04-25 561222]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 335872]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-02-16 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
    "Logitech Utility"="Logi_MwX.Exe" [2003-03-04 C:\WINDOWS\LOGI_MWX.EXE]

    C:\Documents and Settings\Colby\Start Menu\Programs\Startup\
    ePrompter.lnk - C:\Program Files\ePrompter\ePrompter.exe [2004-04-23 782336]
    Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-02-10 368640]
    TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2006-11-17 540672]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-22 108544]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2008-03-16 221247]
    Digimax Viewer 1.0.lnk - C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [2003-11-17 331776]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-06-23 217088]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWinKeys"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
    "vidc.DIV3"= DivXc32.dll
    "vidc.DIV4"= DivXc32f.dll
    "msacm.divxa32"= DivXa32.acm
    "vidc.3IV2"= 3ivxVfWCodec.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
    R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-03-04 14348]
    S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
    S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 295168]
    S3 DCamUSBSvis;Concord EyeQ DUO Stream Driver;C:\WINDOWS\system32\DRIVERS\svstream.sys [2001-07-13 91480]
    S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-18 99840]
    S3 pcx2nd5;Toshiba PCX2000 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pcx2nd5.sys [2000-12-28 16384]
    S3 pcx2unic;Toshiba PCX2000 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pcx2unic.sys [2000-12-28 59904]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff37c614-d132-11dc-8dab-0007e9aa7a97}]
    \Shell\AutoRun\command - H:\PMB_Portable.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-01 04:18:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\Meaya\Popup Ad Filter\mk.dll
    .
    Completion time: 2008-10-01 4:20:12
    ComboFix-quarantined-files.txt 2008-10-01 09:20:00
    ComboFix2.txt 2008-10-01 08:26:36
    ComboFix3.txt 2008-09-30 21:46:01

    Pre-Run: 4,329,701,376 bytes free
    Post-Run: 4,313,923,584 bytes free

    142 --- E O F --- 2007-08-30 04:55:37
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That looks better.

    How are things now?

    Are there any problems still?
     
  11. Lyrithe

    Lyrithe Thread Starter

    Joined:
    Sep 30, 2008
    Messages:
    8
    Everything seems to be working great now. No more redirecting and no more hidden advertisements. Seems to be running a bit faster now too.

    Thanks for your help
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    *Follow these steps to uninstall Combofix and tools used in the removal of malware*
    * Click *START* then *RUN*
    * Now type *Combofix /u* in the Run box and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

    Then turn off System Restore by following the instructions here:
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore & create a new restore point. Now empty the Recycle Bin on the desktop.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks,

    and scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.

    I urge you to consider purchasing the protection component in Malwarebytes to prevent further infections of this nature.
    Open Malwarebytes Anti-Malware, select the Protection tab, press Test to see if your system will benefit from it & if it says yes, then you can press the Purchase button.
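Two things in the ComboFix output above are worth re-checking once the cleanup steps are done: the catchme section found executables hidden in NTFS alternate data streams (the `:iuryku` and `:exfbcc` streams on two files under C:\WINDOWS, which the moderator's second script was needed to remove), and the "Reg Loading Points" section showed Security Center alerts overridden, the Windows Firewall disabled and 3389/TCP globally opened. The script below is an added example, not part of the thread and not code from ComboFix, HijackThis or Malwarebytes. It assumes PowerShell 3.0 or later (XP SP2 did not ship it, so it targets a later Windows), Windows PowerShell 5.1 for `-Encoding Byte`, an elevated prompt, and a default scan root of `%SystemRoot%`; `Get-SuspiciousStreams`, `Get-WeakenedSettings`, `$ScanRoot` and `$BenignStreams` are names chosen here, not tool APIs.

```powershell
# Added example (not from the thread or its tools): post-cleanup triage on a
# Windows host, covering the two findings in the ComboFix log:
#   1. non-default NTFS alternate data streams, where catchme found the
#      hidden executables (":iuryku", ":exfbcc"), and
#   2. registry settings the log showed weakened: AntiVirusOverride and
#      FirewallOverride = 1, EnableFirewall = 0, and GloballyOpenPorts entries.
# Assumptions: PowerShell 3.0+ for -Stream, Windows PowerShell 5.1 for
# -Encoding Byte, elevated prompt; $ScanRoot default is an assumed choice.
param(
    [string]$ScanRoot = $env:SystemRoot,
    # Streams every NTFS file has (:$DATA) or that downloads get (Zone.Identifier)
    [string[]]$BenignStreams = @(':$DATA', 'Zone.Identifier')
)

function Get-SuspiciousStreams {
    param([string]$Root, [string[]]$Benign)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Enumerate every named stream attached to the file
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $Benign -notcontains $_.Stream } |
        ForEach-Object {
            # A stream that begins with 'MZ' is a PE image, which is what
            # catchme meant by "66048 bytes executable".
            $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Length = $_.Length
                IsPE   = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
}

function Get-WeakenedSettings {
    $findings = @()

    # Security Center overrides suppress the "no antivirus / firewall off"
    # alerts on XP and Vista; the log showed both set to 1.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
        $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { $findings += "$name = 1 (Security Center alert suppressed)" }
    }

    # Same firewall policy keys ComboFix abbreviates as HKLM\~\services\sharedaccess\...
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $ef = (Get-ItemProperty -Path $fw -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($ef -eq 0) { $findings += 'EnableFirewall = 0 (Windows Firewall disabled)' }

    # Each value under GloballyOpenPorts\List is a port opened to all hosts
    $ports = Get-ItemProperty -Path "$fw\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
    if ($ports) {
        foreach ($p in $ports.PSObject.Properties) {
            # Skip the PSPath/PSProvider/... bookkeeping properties
            if ($p.Name -notlike 'PS*') {
                $findings += "Globally open port: $($p.Name) -> $($p.Value)"
            }
        }
    }
    $findings
}

Write-Output "== Non-default alternate data streams under $ScanRoot =="
Get-SuspiciousStreams -Root $ScanRoot -Benign $BenignStreams | Format-Table -AutoSize

Write-Output '== Weakened security settings =='
$weak = Get-WeakenedSettings
if ($weak.Count -gt 0) { $weak | ForEach-Object { "  $_" } } else { '  none found' }
```

Run it from an elevated prompt, e.g. `.\Triage.ps1 -ScanRoot C:\Windows`; scanning a whole drive takes a while. On PowerShell 7 replace `-Encoding Byte` with `-AsByteStream`. A listed stream is not proof of infection (some backup and AV products store metadata in ADS), so review the `IsPE` column and the file before removing anything; a stream with `IsPE` true on a log or CDF file, as in the catchme output above, is the pattern to look for.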
     
Short URL to this thread: https://techguy.org/754733