
Nasty IE/Firefox browser redirect problem in XP

Discussion in 'Virus & Other Malware Removal' started by kgivens, Jan 11, 2011.

    kgivens (Thread Starter)

    My son is running XP SP2 (have tried to update to SP3, always fails...that's another story) and had some ugly little bugs littering his machine with pop-up virus infection warnings, full hard drive warnings, etc. I cleaned out all of that cancerous mess with sequential safe-mode scans with Spybot, AdAware, AntiMalwarebytes, and Superantispyware. Now all these scanners report a clean system. However, both IE8 and the current build of Firefox still demonstrate an aggressive redirector which typically takes us to bogus antivirus or search sites. This is despite allegedly "immunizing" the browsers with SpyBot.

    And...the PC is periodically playing random audio clips---sound clips from commercials, TV shows, etc. These sound bites are not from any of our media, as best we can tell.

    One other thing: if I sit and watch Task Manager, something keeps opening iexplorer.exe every couple of minutes, even though the program never actually opens onscreen. We never use Internet Explorer, so it's nothing I'm doing. If I close the iexplorer process, it simply reappears a few moments later. Clearly something wants that pipeline kept open.

    Here are the logs.

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:00:12 PM, on 1/11/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Documents and Settings\Tyler\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tyler\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.fatwallet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O1 - Hosts: ff&rlz=1B3GGGL_en___US355&ie=UTF-8
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
    O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - S-1-5-18 Startup: Dropbox.lnk = C:\Documents and Settings\Tyler\Application Data\Dropbox\bin\Dropbox.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Dropbox.lnk = C:\Documents and Settings\Tyler\Application Data\Dropbox\bin\Dropbox.exe (User 'Default user')
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Tyler\Application Data\Dropbox\bin\Dropbox.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157493735125
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7329E533-8CEC-4A5D-BE0B-4EEBC64BC75B}: NameServer = 208.67.222.222,208.67.220.220
    O20 - AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 13392 bytes


    Here's the DDS text log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Tyler at 20:10:12.34 on Tue 01/11/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.963 [GMT -5:00]

    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Emsisoft Anti-Malware *Disabled/Outdated* {0F8591BB-342B-4493-91C3-4E948ED21255}

    ============== Running Processes ===============

    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Documents and Settings\Tyler\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Tyler\My Documents\Downloads\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tyler\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = www.fatwallet.com
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.7.4.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
    mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
    mRun: [PDUiP6000DMon] c:\program files\canon\memory card utility\pixma ip6000d\PDUiP6000DMon.exe
    mRun: [PDUiP6000DTskbr] c:\program files\canon\memory card utility\pixma ip6000d\PDUiP6000DTskbr.exe
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\tyler\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\tyler\application data\dropbox\bin\Dropbox.exe
    IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - {E7A829CC-671F-4C3D-B590-8C0AEA72E6B2} - c:\program files\bitcomet\tools\BitCometBHO_1.1.7.4.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\progra~1\netdog\netd.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157493735125
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    TCP: {7329E533-8CEC-4A5D-BE0B-4EEBC64BC75B} = 208.67.222.222,208.67.220.220
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\tyler\applic~1\mozilla\firefox\profiles\nd0mn2xy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - My Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.fatwallet.com/forums/hot-deals/?start=0
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUfox000&ptb=chUNmWpCDydg_9eS.FumaA&psa=&ind=2010110118&ptnrS=ZUfox000&si=&st=kwd&n=77cfd8a6&searchfor=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\nd0mn2xy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\nd0mn2xy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\program files\funwebproducts\installr\2.bin\NPFUNWEB.DLL
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-3 64288]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-18 28544]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-1-11 21464]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-1-9 2850296]
    R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-6-18 1872320]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1402272]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-1-11 69976]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
    R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-1-9 72808]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
    S0 eqlmyqwj;eqlmyqwj;c:\windows\system32\drivers\pajwfb.sys --> c:\windows\system32\drivers\pajwfb.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-11 135664]
    S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [2003-11-1 17920]
    S3 cpuz130;cpuz130;\??\c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys [?]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-6-20 8704]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-6-20 3072]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-28 10664]

    =============== Created Last 30 ================

    2011-01-11 23:36:21 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-01-11 23:36:21 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-01-11 04:05:41 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-01-11 03:50:33 -------- d-----w- c:\docume~1\tyler\locals~1\applic~1\Sunbelt Software
    2011-01-11 03:43:04 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2011-01-11 03:24:02 -------- d-----w- c:\docume~1\tyler\applic~1\Dropbox
    2011-01-11 02:44:43 -------- dc-h--w- c:\windows\ie8
    2011-01-10 05:36:07 -------- d-----w- c:\docume~1\tyler\applic~1\SUPERAntiSpyware.com
    2011-01-10 05:36:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2011-01-10 05:35:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-10 02:23:07 -------- d-----w- c:\program files\Emsisoft Anti-Malware
    2011-01-10 00:41:19 -------- d-----w- c:\program files\CCleaner
    2011-01-08 14:30:18 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-01-08 14:30:17 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-01-08 04:09:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-08 04:09:37 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-01-08 03:55:43 -------- d-sh--w- c:\documents and settings\tyler\PrivacIE
    2011-01-08 03:52:59 -------- d-sh--w- c:\documents and settings\tyler\IETldCache
    2011-01-08 02:55:40 -------- d-----w- c:\windows\ie8updates
    2011-01-08 02:55:22 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-01-08 02:55:22 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-01-08 02:55:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-01-02 04:17:18 0 ----a-w- c:\windows\system32\drivers\sst7A2.tmp
    2011-01-02 04:16:02 52736 ----a-w- c:\windows\system32\drivers\sst796.sys
    2011-01-02 04:16:02 0 ----a-w- c:\windows\system32\drivers\sst796.tmp
    2010-12-30 01:09:06 -------- d-----w- c:\program files\iTunes
    2010-12-30 01:09:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-12-30 01:06:51 -------- d-----w- c:\program files\Bonjour

    ==================== Find3M ====================

    2010-12-06 14:07:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll

    ============= FINISH: 20:19:21.84 ===============


    Here's the GMER ark.txt output:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-11 20:23:44
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3160812AS rev.3.AAE
    Running: xnrrwn9q.exe; Driver: C:\DOCUME~1\Tyler\LOCALS~1\Temp\fgroqfoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:124] 8A9CE53C
    Thread System [4:128] 8A9D052D

    ---- EOF - GMER 1.0.15 ----

    And, I've attached the other DDS Attach file log.

    Many thanks to everyone in advance----
     


  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    • Double click on ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [screenshot]

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot]

    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
     
  3. kgivens

    kgivens Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    6
    Hi CatByte, and thanks for volunteering your help.

    Unfortunately ComboFix utterly failed. No change in browser redirecting/phantom audio/multiple instances of iexplorer being loaded in the background. Per your instructions, I've attached the log.

    This is one f-ing tough bug.
     


  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi

    We don't expect to get it with just one run; there are usually several rounds to go before it is entirely eliminated. I'll let you know when it is clean.

    Please do the following:


    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)


    NEXT

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
    • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Click Start > Run type Notepad click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

    Code:
    http://forums.techguy.org/7768269-post3.html
    
    Collect::
    c:\windows\system32\drivers\pajwfb.sys 
    
    Driver::
    eqlmyqwj
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    
    FireFox::
    FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\nd0mn2xy.default\
    FF - prefs.js: browser.search.selectedEngine - My Web Search
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUfox000&ptb=chUNmWpCDydg_9eS.FumaA&psa=&ind=2010110118&ptnrS=ZUfox000&si=&st=kwd&n=77cfd8a6&searchfor=
    
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop. Save it as "CFScript".


    Here's how to do that:

    1. Click File;
    2. Click Save As... Change the directory to your desktop;
    3. Change the Save as type to "All Files";
    4. Type in the file name: CFScript
    5. Click Save ...

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
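A small triage script, added here as an example and not CatByte's code nor part of DDS or ComboFix: it reads DDS log lines like the ones posted above, flags the same three indicators the CFScript targets (a randomly named service whose driver file is missing, a browser proxy pointing at the loopback address, and a rewritten Firefox keyword.URL) and prints them in CFScript section form. The sample lines are constructed from values in this thread; the vowel-ratio test in looks_random() is this example's own heuristic, not a DDS or ComboFix rule.

```python
# Added example: turns DDS log lines into CFScript sections.  Not CatByte's
# code and not part of DDS/ComboFix; section names follow the script above,
# the vowel-ratio heuristic in looks_random() is an assumption of this example.
import re
from dataclasses import dataclass, field

# "S0 name;display;image [date size]"  or  "... image --> image [?]" (file absent)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
PROXY_RE = re.compile(r"^uInternet Settings,Proxy(\w+) = (.+)$")
FF_PROFILE_RE = re.compile(r"^FF - ProfilePath - .+$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: ([\w.]+) - (.+)$")
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127(?:\.\d{1,3}){3}|localhost):\d+")


def looks_random(name: str) -> bool:
    """Crude test for generated names like 'eqlmyqwj': letters only, 6+ long,
    fewer than a quarter vowels.  Tune the threshold for your own logs."""
    if not name.isalpha() or len(name) < 6:
        return False
    return sum(c in "aeiou" for c in name.lower()) / len(name) < 0.25


@dataclass
class Findings:
    collect: list = field(default_factory=list)  # file paths    -> Collect::
    drivers: list = field(default_factory=list)  # service names -> Driver::
    dds: list = field(default_factory=list)      # DDS lines     -> DDS::
    firefox: list = field(default_factory=list)  # FF lines      -> FireFox::
    notes: list = field(default_factory=list)    # why each item was flagged


def triage(lines):
    """Scan DDS output for the indicators CatByte acted on in the thread."""
    f = Findings()
    proxy_lines, ff_profile, ff_prefs, loopback = [], None, [], False
    for raw in lines:
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            _, name, _, image, meta = m.groups()
            if meta == "?":                      # DDS could not find the image file
                path = image.split(" --> ")[-1]
                if looks_random(name):
                    f.drivers.append(name)
                    f.collect.append(path)
                    f.notes.append(f"{name}: random-looking name, image missing: {path}")
                else:
                    f.notes.append(f"{name}: image missing ({path}); review manually")
        elif m := PROXY_RE.match(line):
            proxy_lines.append(line)             # keep Override and Server together
            if m.group(1) == "Server" and LOOPBACK_RE.search(m.group(2)):
                loopback = True
                f.notes.append(f"browser traffic proxied through loopback: {m.group(2)}")
        elif FF_PROFILE_RE.match(line):
            ff_profile = line                    # ComboFix needs the profile path
        elif (m := FF_PREF_RE.match(line)) and (
                m.group(1) == "keyword.URL" or m.group(1).startswith("browser.search.")):
            ff_prefs.append((m.group(1), line))
    if loopback:
        f.dds.extend(proxy_lines)
    # prefs.js only stores non-default values, so a keyword.URL entry means
    # something rewrote the address-bar search target.
    if any(key == "keyword.URL" for key, _ in ff_prefs):
        f.notes.append("Firefox keyword.URL overridden in prefs.js (search hijack)")
        f.firefox.extend(([ff_profile] if ff_profile else []) + [ln for _, ln in ff_prefs])
    return f


def render_cfscript(f: Findings) -> str:
    """Emit the sections in the order used in the thread; empty ones are skipped."""
    out = []
    for header, items in (("Collect::", f.collect), ("Driver::", f.drivers),
                          ("DDS::", f.dds), ("FireFox::", f.firefox)):
        if items:
            out += [header, *items, ""]
    return "\n".join(out).rstrip("\n")


# Constructed sample: DDS lines copied (URL shortened) from the logs in this thread.
SAMPLE_DDS = r"""
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S0 eqlmyqwj;eqlmyqwj;c:\windows\system32\drivers\pajwfb.sys --> c:\windows\system32\drivers\pajwfb.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-11 135664]
S3 cpuz130;cpuz130;\??\c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys [?]
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\nd0mn2xy.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUfox000
""".strip().splitlines()

if __name__ == "__main__":
    findings = triage(SAMPLE_DDS)
    print("\n".join(findings.notes), "\n")
    print(render_cfscript(findings))
```

The cpuz130 entry is also reported as missing but only noted for manual review, since a legitimate tool's leftover temp driver looks the same to DDS as a rootkit's; only the random-name plus missing-file combination is promoted into Driver:: and Collect::.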
     
  5. kgivens

    kgivens Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    6
    Thanks CatByte. Executed above steps. Here are the logs from TDSSKiller and the patched ComboFix runs:

    TDSSKiller log:

    2011/01/15 21:43:48.0546 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
    2011/01/15 21:43:48.0546 ================================================================================
    2011/01/15 21:43:48.0546 SystemInfo:
    2011/01/15 21:43:48.0546
    2011/01/15 21:43:48.0546 OS Version: 5.1.2600 ServicePack: 2.0
    2011/01/15 21:43:48.0546 Product type: Workstation
    2011/01/15 21:43:48.0546 ComputerName: ACER-55C1D4102C
    2011/01/15 21:43:48.0546 UserName: Tyler
    2011/01/15 21:43:48.0546 Windows directory: C:\WINDOWS
    2011/01/15 21:43:48.0546 System windows directory: C:\WINDOWS
    2011/01/15 21:43:48.0546 Processor architecture: Intel x86
    2011/01/15 21:43:48.0546 Number of processors: 1
    2011/01/15 21:43:48.0546 Page size: 0x1000
    2011/01/15 21:43:48.0546 Boot type: Normal boot
    2011/01/15 21:43:48.0546 ================================================================================
    2011/01/15 21:43:49.0031 Initialize success
    2011/01/15 21:43:53.0796 ================================================================================
    2011/01/15 21:43:53.0796 Scan started
    2011/01/15 21:43:53.0796 Mode: Manual;
    2011/01/15 21:43:53.0796 ================================================================================
    2011/01/15 21:43:55.0109 a2acc (2d1e1a70041319338035c3df51bfd200) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
    2011/01/15 21:43:55.0406 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/15 21:43:55.0468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/15 21:43:55.0640 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/15 21:43:55.0718 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
    2011/01/15 21:43:55.0796 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/15 21:43:55.0921 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2011/01/15 21:43:56.0359 ALCXWDM (93f93a8e3e14cbbf1ce9a5af1a70c095) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2011/01/15 21:43:56.0812 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    2011/01/15 21:43:56.0906 ANIO (4a5c7eaefa4c43d139c402c6da5bfd2c) C:\WINDOWS\system32\ANIO.SYS
    2011/01/15 21:43:57.0062 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/15 21:43:57.0187 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
    2011/01/15 21:43:57.0265 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/15 21:43:57.0296 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/15 21:43:57.0453 ati2mtag (8763ede3e0cd40f5c3450571ac57f205) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/01/15 21:43:57.0593 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/15 21:43:57.0640 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/15 21:43:57.0656 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/15 21:43:57.0796 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/15 21:43:57.0859 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/15 21:43:57.0890 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/15 21:43:57.0921 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/15 21:43:57.0953 CEUSBAUD (42291a123cad3914ead8d73169e13661) C:\WINDOWS\system32\Drivers\CEUSBAUD.sys
    2011/01/15 21:43:58.0234 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/15 21:43:58.0296 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/15 21:43:58.0359 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/15 21:43:58.0375 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/15 21:43:58.0437 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/15 21:43:58.0484 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/15 21:43:58.0515 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
    2011/01/15 21:43:58.0562 epmntdrv (57cc1bf06c159dfbb989f5783c0e6a50) C:\WINDOWS\system32\epmntdrv.sys
    2011/01/15 21:43:58.0625 EuGdiDrv (5f779f5edab787f2d090c71a9051f365) C:\WINDOWS\system32\EuGdiDrv.sys
    2011/01/15 21:43:58.0687 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/15 21:43:58.0734 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/01/15 21:43:58.0765 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/15 21:43:58.0796 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/01/15 21:43:58.0812 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/01/15 21:43:58.0890 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/15 21:43:58.0906 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/15 21:43:58.0953 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/01/15 21:43:59.0000 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/15 21:43:59.0046 hamachi_oem (c25c70fd4d49391091d9eb8c747f19e6) C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
    2011/01/15 21:43:59.0093 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/01/15 21:43:59.0171 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/15 21:43:59.0250 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/15 21:43:59.0328 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/15 21:43:59.0453 int15.sys (4d8d5b1c895ea0f2a721b98a7ce198f1) C:\Acer\Empowering Technology\eRecovery\int15.sys
    2011/01/15 21:43:59.0500 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/01/15 21:43:59.0546 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/15 21:43:59.0578 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/15 21:43:59.0625 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/15 21:43:59.0656 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/15 21:43:59.0703 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
    2011/01/15 21:43:59.0750 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/15 21:43:59.0796 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
    2011/01/15 21:43:59.0843 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/15 21:43:59.0859 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/15 21:43:59.0890 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/01/15 21:43:59.0921 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/15 21:44:00.0000 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/15 21:44:00.0062 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
    2011/01/15 21:44:00.0156 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/15 21:44:00.0187 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/15 21:44:00.0203 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    2011/01/15 21:44:00.0234 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/15 21:44:00.0265 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/01/15 21:44:00.0296 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/15 21:44:00.0328 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/15 21:44:00.0375 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/15 21:44:00.0453 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/15 21:44:00.0484 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/15 21:44:00.0515 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/15 21:44:00.0546 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/15 21:44:00.0593 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/15 21:44:00.0625 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/15 21:44:00.0656 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/15 21:44:00.0718 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/15 21:44:00.0750 Ndisuio (8d3ce6b579cde8d37acc690b67dc2106) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/15 21:44:00.0781 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/15 21:44:00.0812 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/15 21:44:00.0828 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/15 21:44:00.0875 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/15 21:44:00.0921 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/15 21:44:00.0953 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/15 21:44:00.0968 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/15 21:44:01.0015 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
    2011/01/15 21:44:01.0046 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/15 21:44:01.0343 nv (bf506d232c5e6f2dae80f5c11b45c60e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/01/15 21:44:02.0953 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    2011/01/15 21:44:03.0359 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    2011/01/15 21:44:03.0531 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/15 21:44:03.0593 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/15 21:44:03.0640 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/15 21:44:03.0687 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/01/15 21:44:03.0718 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/15 21:44:03.0765 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/15 21:44:03.0796 pavboot (210a628a0d7b3f45257850efbff27538) C:\WINDOWS\system32\drivers\pavboot.sys
    2011/01/15 21:44:03.0828 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/15 21:44:03.0875 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/15 21:44:03.0937 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/15 21:44:04.0109 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/15 21:44:04.0140 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/01/15 21:44:04.0171 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/15 21:44:04.0187 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/15 21:44:04.0218 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/15 21:44:04.0328 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/15 21:44:04.0359 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2011/01/15 21:44:04.0375 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/15 21:44:04.0390 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/15 21:44:04.0421 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/15 21:44:04.0437 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/15 21:44:04.0468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/15 21:44:04.0515 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/15 21:44:04.0562 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/15 21:44:04.0625 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
    2011/01/15 21:44:04.0640 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    2011/01/15 21:44:04.0671 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    2011/01/15 21:44:04.0750 rt2500usb (9621807bf414bca55b3ef3c4591a2f20) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
    2011/01/15 21:44:04.0859 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/01/15 21:44:04.0906 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/01/15 21:44:05.0031 sbaphd (8fe075898df6b206d0a5cf0feb581b5e) C:\WINDOWS\system32\drivers\sbaphd.sys
    2011/01/15 21:44:05.0093 sbapifs (29658f5353d5b73ca514a784e6aac54e) C:\WINDOWS\system32\drivers\sbapifs.sys
    2011/01/15 21:44:05.0171 SBRE (c1ae5d1f53285d79a0b73a62af20734f) C:\WINDOWS\system32\drivers\SBREdrv.sys
    2011/01/15 21:44:05.0265 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/15 21:44:05.0328 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/01/15 21:44:05.0390 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/01/15 21:44:05.0484 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/15 21:44:05.0578 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/15 21:44:05.0625 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/15 21:44:05.0687 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/15 21:44:05.0750 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/15 21:44:05.0765 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/15 21:44:05.0875 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/15 21:44:05.0921 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/15 21:44:05.0953 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/15 21:44:05.0968 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/15 21:44:06.0000 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/15 21:44:06.0062 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
    2011/01/15 21:44:06.0093 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/15 21:44:06.0140 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/15 21:44:06.0187 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/01/15 21:44:06.0218 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/01/15 21:44:06.0265 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/15 21:44:06.0296 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/15 21:44:06.0312 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/15 21:44:06.0343 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/01/15 21:44:06.0375 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/15 21:44:06.0437 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/15 21:44:06.0468 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/15 21:44:06.0515 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/15 21:44:06.0562 VolSnap (d196081aebd54024ea7d76f00838605d) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/15 21:44:06.0562 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: d196081aebd54024ea7d76f00838605d, Fake md5: ee4660083deba849ff6c485d944b379b
    2011/01/15 21:44:06.0578 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/01/15 21:44:06.0625 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/15 21:44:06.0656 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
    2011/01/15 21:44:06.0703 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
    2011/01/15 21:44:06.0765 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/15 21:44:06.0843 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/01/15 21:44:06.0906 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/15 21:44:06.0937 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/15 21:44:07.0156 ================================================================================
    2011/01/15 21:44:07.0156 Scan finished
    2011/01/15 21:44:07.0156 ================================================================================
    2011/01/15 21:44:07.0171 Detected object count: 1
    2011/01/15 21:45:02.0640 VolSnap (d196081aebd54024ea7d76f00838605d) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/15 21:45:02.0640 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: d196081aebd54024ea7d76f00838605d, Fake md5: ee4660083deba849ff6c485d944b379b
    2011/01/15 21:45:03.0234 Backup copy found, using it..
    2011/01/15 21:45:03.0312 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
    2011/01/15 21:45:03.0312 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
    2011/01/15 21:45:49.0421 Deinitialize success


    And from ComboFix:

    ComboFix 11-01-14.01 - Tyler 01/15/2011 22:00:50.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1420 [GMT -5:00]
    Running from: c:\documents and settings\Tyler\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Tyler\Desktop\CFScript.txt
    AV: Emsisoft Anti-Malware *Disabled/Outdated* {0F8591BB-342B-4493-91C3-4E948ED21255}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_eqlmyqwj


    ((((((((((((((((((((((((( Files Created from 2010-12-16 to 2011-01-16 )))))))))))))))))))))))))))))))
    .

    2011-01-14 06:18 . 2011-01-14 09:26 -------- d-----w- C:\7715a56d171b7e0d6c344a6778f78c4c
    2011-01-14 02:22 . 2011-01-14 02:22 -------- d-----w- c:\documents and settings\Tyler\Application Data\AVG10
    2011-01-14 02:20 . 2011-01-14 02:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-01-14 02:18 . 2011-01-16 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-01-14 02:18 . 2011-01-14 02:18 -------- d-----w- c:\program files\AVG
    2011-01-14 02:12 . 2011-01-14 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-01-12 04:05 . 2011-01-12 04:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-11 23:36 . 2010-12-03 09:05 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-01-11 23:36 . 2010-12-03 09:05 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-01-11 04:05 . 2011-01-11 04:05 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-01-11 03:50 . 2011-01-11 03:50 -------- d-----w- c:\documents and settings\Tyler\Local Settings\Application Data\Sunbelt Software
    2011-01-11 03:43 . 2011-01-11 03:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2011-01-11 03:24 . 2011-01-16 02:48 -------- d-----w- c:\documents and settings\Tyler\Application Data\Dropbox
    2011-01-11 02:44 . 2011-01-11 02:45 -------- dc-h--w- c:\windows\ie8
    2011-01-10 05:36 . 2011-01-10 05:36 -------- d-----w- c:\documents and settings\Tyler\Application Data\SUPERAntiSpyware.com
    2011-01-10 05:36 . 2011-01-10 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-01-10 05:35 . 2011-01-10 05:36 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-10 02:23 . 2011-01-10 04:27 -------- d-----w- c:\program files\Emsisoft Anti-Malware
    2011-01-10 00:41 . 2011-01-10 00:41 -------- d-----w- c:\program files\CCleaner
    2011-01-09 02:22 . 2011-01-09 02:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-01-08 14:30 . 2011-01-08 14:30 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-01-08 14:30 . 2011-01-08 14:30 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2011-01-08 05:34 . 2011-01-08 05:36 -------- d-----w- c:\documents and settings\Administrator
    2011-01-08 04:09 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-08 04:09 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-08 03:57 . 2011-01-08 03:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-01-08 03:55 . 2011-01-08 03:55 -------- d-sh--w- c:\documents and settings\Tyler\PrivacIE
    2011-01-08 03:52 . 2011-01-08 03:52 -------- d-sh--w- c:\documents and settings\Tyler\IETldCache
    2011-01-08 02:55 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-01-08 02:55 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-01-08 02:55 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-01-02 04:17 . 2011-01-02 04:17 0 ----a-w- c:\windows\system32\drivers\sst7A2.tmp
    2010-12-30 01:09 . 2010-12-30 01:09 -------- d-----w- c:\program files\iTunes
    2010-12-30 01:09 . 2010-12-30 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-12-30 01:07 . 2010-12-30 01:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2010-12-30 01:06 . 2010-12-30 01:06 -------- d-----w- c:\program files\Bonjour

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-16 02:47 . 2004-08-04 09:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2010-12-20 23:09 . 2009-06-19 01:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2009-06-19 01:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-06 14:07 . 2009-06-04 01:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-12-03 09:05 . 2009-06-03 23:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-12 21:34 . 2008-06-14 00:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2008-03-03 02:35 . 2008-03-03 02:35 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((( [email protected]_04.58.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-16 03:08 . 2011-01-16 03:08 16384 c:\windows\temp\Perflib_Perfdata_10c.dat
    - 2006-09-05 18:46 . 2011-01-15 04:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2006-09-05 18:46 . 2011-01-16 02:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2006-09-05 18:46 . 2011-01-15 04:55 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2006-09-05 18:46 . 2011-01-16 02:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2011-01-16 02:56 . 2011-01-16 02:56 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    + 2011-01-16 02:56 . 2011-01-16 02:56 311248 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.dll
    + 2011-01-08 03:57 . 2011-01-16 02:27 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    - 2011-01-08 03:57 . 2011-01-15 04:55 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Tyler\Application Data\Dropbox\bin\DropboxExt.14.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Tyler\Application Data\Dropbox\bin\DropboxExt.14.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Tyler\Application Data\Dropbox\bin\DropboxExt.14.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Tyler\Application Data\Dropbox\bin\DropboxExt.14.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-09-22 90112]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 397312]
    "D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-29 1245184]
    "PDUiP6000DMon"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 57344]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-12-22 936712]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
    "nwiz"="nwiz.exe" [2009-06-10 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    c:\documents and settings\Tyler\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Tyler\Application Data\Dropbox\bin\Dropbox.exe [2010-12-16 23343848]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
    backup=c:\windows\pss\AOL Companion.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Tyler^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\Tyler\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Tyler^Start Menu^Programs^Startup^Registration .LNK]
    path=c:\documents and settings\Tyler\Start Menu\Programs\Startup\Registration .LNK
    backup=c:\windows\pss\Registration .LNKStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
    Alaunch [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2004-06-29 13:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
    2004-12-16 21:49 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2006-10-23 12:50 71216 ------r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
    2006-01-19 13:46 110592 ----a-w- c:\program files\Acer\Acer eMode Management\AspireService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2008-03-03 02:35 1838592 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 17:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2007-10-08 21:50 41824 ----a-w- c:\program files\Common Files\AOL\1162930266\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
    2007-03-05 17:57 1103480 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 09:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
    2005-09-21 17:48 425984 ----a-w- c:\program files\Acer\Acer eConsole\MediaSync.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 12:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 09:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
    2005-05-11 22:15 45056 ----a-w- c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-06-10 12:29 1657376 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2004-08-04 09:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2004-08-04 09:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    2007-05-02 06:08 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    2004-05-07 20:54 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-10-23 21:06 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2008-06-08 16:24 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-05-04 18:20 1238352 ----a-w- c:\program files\Steam\steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2007-06-14 02:02 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1162930266\\EE\\aolsoftware.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
    "c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
    "c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
    "c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Steam\\steamapps\\common\\bioshock demo\\Builds\\Release\\Bioshock.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\company of heroes sp demo\\RelicCOH.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\flatout demo\\FlatOutDemo.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\painkiller demo\\Bin\\PainGame.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\hexen ii demo\\glh2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\infernal demo\\game\\game.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\Tyler\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "15413:TCP"= 15413:TCP:BitComet 15413 TCP
    "15413:UDP"= 15413:UDP:BitComet 15413 UDP

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/3/2009 6:17 PM 64288]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/18/2009 12:46 AM 28544]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/11/2011 6:36 PM 21464]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [1/10/2011 11:05 PM 98392]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [1/9/2011 9:23 PM 2850296]
    R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/18/2009 9:01 PM 1872320]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 4:05 AM 1402272]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/11/2011 6:36 PM 69976]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 9:18 PM 24652]
    R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [1/9/2011 9:23 PM 72808]
    S?2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/11/2010 8:54 AM 135664]
    S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [11/1/2003 3:19 PM 17920]
    S3 cpuz130;cpuz130;\??\c:\docume~1\Tyler\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Tyler\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [6/20/2009 2:17 PM 8704]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [6/20/2009 2:17 PM 3072]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/28/2006 10:54 PM 10664]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:04]

    2011-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:04]

    2011-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:04]

    2011-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:04]

    2011-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

    2011-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-11 13:54]

    2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-11 13:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.fatwallet.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    LSP: c:\progra~1\NetDog\netd.dll
    TCP: {7329E533-8CEC-4A5D-BE0B-4EEBC64BC75B} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\nd0mn2xy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.fatwallet.com/forums/hot-deals/?start=0
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-klmdb.sys



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-15 22:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2989949686-3995347247-3017399762-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:5f,cd,92,7b,66,ed,58,c4,b4,03,61,39,05,d2,80,e1,ab,dc,59,ee,2f,e6,65,
    23,3d,77,c3,8c,23,68,68,6f,a5,6d,54,0c,ab,25,85,ce,0f,84,c4,ab,15,26,19,81,\
    "??"=hex:ec,7f,62,96,57,2c,d6,08,cc,a5,1f,55,b4,c4,7c,48

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(864)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3868)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Tyler\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Acer\Acer eConsole\MediaServerService.exe
    c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    c:\progra~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Flip Video\FlipShare\FlipShareService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\SOUNDMAN.EXE
    c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\windows\wanmpsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-15 22:13:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-16 03:13
    ComboFix2.txt 2011-01-15 06:40
    ComboFix3.txt 2011-01-15 05:17

    Pre-Run: 53,245,421,568 bytes free
    Post-Run: 53,239,810,560 bytes free

    - - End Of File - - D78A587D1ACDC1B87E84DFCB9858DC9C


    Maybe things are looking up! I'm not seeing the uninvited iexplorer.exe instances running in Task Manager anymore....
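The ComboFix log above is long, and the lines that matter for a redirect problem are scattered through it: the per-interface DNS servers (a swapped resolver is the classic cause of redirects that survive clean scanner runs), the Winsock LSP list, the globally opened firewall ports, and the service/driver table. The script below is an added example, not part of the thread and not a ComboFix feature; it runs over lines excerpted from the log above and reports those items for review. The allowlisted resolvers (the two OpenDNS addresses the log shows) and the "odd location" path patterns are my assumptions, and everything it prints means "look at this", not "this is malware": the log's cpuz130 entry, CPU-Z's driver once loaded from Temp and now gone, is exactly the kind of leftover it surfaces, worth pruning but not evidence of infection, and the NetDog LSP is only listed so the owner can confirm it is a product they installed.

```python
"""Offline triage of the redirect-relevant lines in a ComboFix log.

Pulls out the per-interface DNS servers, Winsock LSPs, globally opened
firewall ports, and services/drivers whose image lives in a temp or profile
directory or is missing from disk. Everything returned means "review this".
"""
import re

# Resolvers the machine is expected to use. 208.67.222.222 / 208.67.220.220
# are OpenDNS, which is what the log above shows. Assumption: edit per site.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

DNS_RE = re.compile(r"^TCP:\s*(\S+)\s*=\s*(.+)$", re.I)
LSP_RE = re.compile(r"^LSP:\s*(.+?)\s*$", re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$', re.I)
# "R0 Lbd;Lbd;c:\...\Lbd.sys [date size]"  /  "S3 name;display;path --> path [?]"
SVC_RE = re.compile(r"^([RS]\??\d)\s+([^;]+);([^;]*);(.*)$")
# Image paths that deserve a second look: temp directories and user profiles.
ODD_PATH = re.compile(r"\\temp\\|\\locals~1\\|\\docume~1\\|documents and settings|"
                      r"\\application data\\", re.I)


def parse_dns(line):
    """'TCP: {GUID} = ip,ip' -> servers plus those not on the allowlist."""
    m = DNS_RE.match(line)
    if not m:
        return None
    servers = [s.strip() for s in m.group(2).split(",") if s.strip()]
    return {"key": m.group(1), "servers": servers,
            "unknown": [s for s in servers if s not in KNOWN_RESOLVERS]}


def parse_service(line):
    """One service/driver line -> dict; flags missing files and odd image paths."""
    m = SVC_RE.match(line)
    if not m:
        return None
    state, name, display, rest = m.groups()
    rest = rest.strip()
    missing = rest.endswith("[?]")                   # ComboFix: image not on disk
    path = re.sub(r"\s*\[[^\]]*\]$", "", rest)       # drop "[date size]" or "[?]"
    path = path.split(" --> ")[-1].strip()           # keep the resolved path
    return {"state": state, "name": name, "display": display, "path": path,
            "missing": missing, "odd_location": bool(ODD_PATH.search(path))}


def triage(log_text):
    out = {"dns": [], "lsps": [], "open_ports": [], "services_to_review": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        dns = parse_dns(line)
        if dns:
            out["dns"].append(dns)
            continue
        m = LSP_RE.match(line)
        if m:
            out["lsps"].append(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            out["open_ports"].append({"port": m.group(1), "proto": m.group(2).upper(),
                                      "desc": m.group(3)})
            continue
        svc = parse_service(line)
        if svc and (svc["missing"] or svc["odd_location"]):
            out["services_to_review"].append(svc)
    return out


# Lines excerpted from the ComboFix log in the post above.
SAMPLE_LOG = r"""
LSP: c:\progra~1\NetDog\netd.dll
TCP: {7329E533-8CEC-4A5D-BE0B-4EEBC64BC75B} = 208.67.222.222,208.67.220.220
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"15413:TCP"= 15413:TCP:BitComet 15413 TCP
"15413:UDP"= 15413:UDP:BitComet 15413 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/3/2009 6:17 PM 64288]
S?2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/11/2010 8:54 AM 135664]
S3 cpuz130;cpuz130;\??\c:\docume~1\Tyler\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Tyler\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for d in r["dns"]:
        print("DNS", d["key"], ",".join(d["servers"]), "unexpected:", d["unknown"] or "none")
    for p in r["lsps"]:
        print("LSP (confirm the product is one the owner installed):", p)
    for p in r["open_ports"]:
        print("open port", p["port"], p["proto"], p["desc"])
    for s in r["services_to_review"]:
        why = "file missing" if s["missing"] else "odd location"
        print("review service", s["name"], s["path"], "(%s)" % why)
```

Point it at a saved ComboFix.txt with `triage(open(path).read())`; a resolver that lands in `unknown` is the first thing to chase on a redirecting machine, before any further scanner runs.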
     
  6. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi

    Please do the following:

    • Please open your MalwareBytes AntiMalware Program
    • Click the Update Tab and search for updates
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    NEXT


    Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activeX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • When the scan completes, press the LIST OF THREATS FOUND button
    • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
    • Include the contents of this report in your next reply.
    • Press the BACK button.
    • Press Finish
     
  7. kgivens

    kgivens Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    6
Hello again CatByte. MalwareBytes came up clean, but the ESET scan found some junk:

    MalwareBytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5531
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702
    1/16/2011 9:15:40 AM
    mbam-log-2011-01-16 (09-15-40).txt
    Scan type: Quick scan
    Objects scanned: 155348
    Time elapsed: 3 minute(s), 47 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    ESET log:

    C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan
    C:\Documents and Settings\Tyler\Application Data\Sun\Java\Deployment\cache\6.0\20\3a4595d4-62a41269 a variant of Java/TrojanDownloader.OpenStream.NAY trojan
    C:\Documents and Settings\Tyler\Application Data\Sun\Java\Deployment\cache\6.0\51\3f722c73-6e56686c multiple threats
    C:\Documents and Settings\Tyler\Application Data\Sun\Java\Deployment\cache\6.0\59\56be887b-5938972f multiple threats
    C:\WINDOWS\Installer\274bfaa.msi a variant of Win32/AdInstaller application


    As always, a huge thanks for your help---
     
  8. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi

    Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
    Having the latest updates ensures there are no security vulnerabilities in your system.


    NEXT

    Go to Start > Control Panel > Add/Remove programs

    a list of installed programs will populate.

    scroll down and locate the following programs > select REMOVE

    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    Java(TM) 6 Update 5


    Leave Java(TM) 6 Update 23 in place as it is the current version.


    NEXT


    Click Start > Control Panel.
    Double-click the Java icon in the control panel.
    The Java Control Panel appears.
    Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.

    There are three options on this window to clear the cache.

    1. Delete Files
    2. View Applications
    3. View Applets


    Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    Click OK on Temporary Files Settings window.


    NEXT



    Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.
     
  9. kgivens

    kgivens Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    6
    Thanks CatByte. Followed all of those steps.

Just want to mention that the Java Control Panel options differed from what you described---at least on my SP2 machine, there were no "View Applications/View Applets" options as you described. Nonetheless I was able to go to the "Delete Files" window and complete the deletion process.

    Now, my machine appears to be running flawlessly. No more redirects/phantom audio/unexplained instances of iexplorer. Here's the DDS.txt log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Tyler at 13:42:52.50 on Sun 01/16/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1396 [GMT -5:00]

    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Emsisoft Anti-Malware *Disabled/Outdated* {0F8591BB-342B-4493-91C3-4E948ED21255}

    ============== Running Processes ===============

    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Documents and Settings\Tyler\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Tyler\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = www.fatwallet.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.7.4.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
    mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
    mRun: [PDUiP6000DMon] c:\program files\canon\memory card utility\pixma ip6000d\PDUiP6000DMon.exe
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    StartupFolder: c:\docume~1\tyler\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\tyler\application data\dropbox\bin\Dropbox.exe
    IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - {E7A829CC-671F-4C3D-B590-8C0AEA72E6B2} - c:\program files\bitcomet\tools\BitCometBHO_1.1.7.4.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\progra~1\netdog\netd.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157493735125
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {7329E533-8CEC-4A5D-BE0B-4EEBC64BC75B} = 208.67.222.222,208.67.220.220
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\tyler\applic~1\mozilla\firefox\profiles\nd0mn2xy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.fatwallet.com/forums/hot-deals/?start=0
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\nd0mn2xy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\nd0mn2xy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-3 64288]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-18 28544]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-1-11 21464]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-1-10 98392]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-1-9 2850296]
    R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-6-18 1872320]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-1-11 69976]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
    R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-1-9 72808]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-11 135664]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1402272]
    S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [2003-11-1 17920]
    S3 cpuz130;cpuz130;\??\c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys [?]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-6-20 8704]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-6-20 3072]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-28 10664]

    =============== Created Last 30 ================

    2011-01-16 14:20:43 -------- d-----w- c:\program files\ESET
    2011-01-16 03:00:00 -------- d-----w- C:\ComboFix
    2011-01-15 04:22:57 -------- d-sha-r- C:\cmdcons
    2011-01-15 04:11:54 89088 ----a-w- c:\windows\MBR.exe
    2011-01-15 04:11:53 98816 ----a-w- c:\windows\sed.exe
    2011-01-15 04:11:53 256512 ----a-w- c:\windows\PEV.exe
    2011-01-15 04:11:53 161792 ----a-w- c:\windows\SWREG.exe
    2011-01-14 06:18:26 -------- d-----w- C:\7715a56d171b7e0d6c344a6778f78c4c
    2011-01-14 02:22:31 -------- d-----w- c:\docume~1\tyler\applic~1\AVG10
    2011-01-14 02:20:27 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-01-14 02:18:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2011-01-14 02:18:06 -------- d-----w- c:\program files\AVG
    2011-01-14 02:12:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2011-01-11 23:36:21 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-01-11 23:36:21 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-01-11 04:05:41 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-01-11 03:50:33 -------- d-----w- c:\docume~1\tyler\locals~1\applic~1\Sunbelt Software
    2011-01-11 03:43:04 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2011-01-11 03:24:02 -------- d-----w- c:\docume~1\tyler\applic~1\Dropbox
    2011-01-11 02:44:43 -------- dc-h--w- c:\windows\ie8
    2011-01-10 05:36:07 -------- d-----w- c:\docume~1\tyler\applic~1\SUPERAntiSpyware.com
    2011-01-10 05:36:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2011-01-10 05:35:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-10 02:23:07 -------- d-----w- c:\program files\Emsisoft Anti-Malware
    2011-01-10 00:41:19 -------- d-----w- c:\program files\CCleaner
    2011-01-08 14:30:18 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-01-08 14:30:17 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-01-08 04:09:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-08 04:09:37 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-01-08 03:55:43 -------- d-sh--w- c:\documents and settings\tyler\PrivacIE
    2011-01-08 03:52:59 -------- d-sh--w- c:\documents and settings\tyler\IETldCache
    2011-01-08 02:55:40 -------- d-----w- c:\windows\ie8updates
    2011-01-08 02:55:22 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-01-08 02:55:22 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-01-08 02:55:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-01-02 04:17:18 0 ----a-w- c:\windows\system32\drivers\sst7A2.tmp
    2010-12-30 01:09:06 -------- d-----w- c:\program files\iTunes
    2010-12-30 01:09:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-12-30 01:06:51 -------- d-----w- c:\program files\Bonjour

    ==================== Find3M ====================

    2010-12-06 14:07:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll

    ============= FINISH: 13:43:14.01 ===============

    Thanks again.
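A small triage helper for DDS-style output like the log above, added here as an example (it is not a tool from this thread or from the DDS author). It parses the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats and applies the checks a log reviewer makes by eye: orphaned "No File" entries, Winsock LSPs, drivers loading from a temp folder or missing on disk, ActiveX (DPF) downloads from non-vendor hosts, and hard-coded DNS servers. The sample lines and the host allowlist are constructed for illustration.

```python
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections (a few lines, not a complete log).
SAMPLE_DDS = r"""
uURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
LSP: c:\progra~1\netdog\netd.dll
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
TCP: {7329E533-8CEC-4A5D-BE0B-4EEBC64BC75B} = 208.67.222.222,208.67.220.220
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S3 cpuz130;cpuz130;\??\c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\tyler\locals~1\temp\cpuz130\cpuz_x32.sys [?]
"""

# Illustrative allowlist of hosts whose ActiveX (DPF) controls are expected.
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "update.microsoft.com", "java.sun.com"}

# Service/driver lines: "<start type> <name>;<display name>;<path> [<date> <size>]"
DRIVER_RE = re.compile(r"^(R[0-3]|S[0-4])\s+([^;]+);([^;]*);(.*)$")
# Other pseudo-HJT entries: "<kind>: <rest>"
ENTRY_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
HOST_RE = re.compile(r"hxxp://([^/\s]+)", re.IGNORECASE)


def parse_line(line):
    """Return (kind, name, detail) for one DDS line, or None if unrecognised."""
    m = DRIVER_RE.match(line)
    if m:
        return m.group(1), m.group(2), m.group(4)
    m = ENTRY_RE.match(line)
    if m:
        return m.group(1), "", m.group(2)
    return None


def flags_for(kind, detail):
    """Reviewer heuristics for one entry; each flag is a reason to look closer."""
    reasons = []
    low = detail.lower()
    if low.endswith("no file"):
        reasons.append("orphaned entry (No File): leftover from a removed program")
    if kind == "LSP":
        reasons.append("Winsock LSP sees all network traffic: verify the DLL's publisher")
    if "\\temp\\" in low:
        reasons.append("loads from a temp directory: unusual for a legitimate driver")
    if low.endswith("[?]"):
        reasons.append("driver file missing on disk ([?])")
    if kind == "DPF":
        host = HOST_RE.search(detail)
        if host and host.group(1).lower() not in TRUSTED_DPF_HOSTS:
            reasons.append("ActiveX download from a non-vendor host: confirm it is wanted")
    if kind == "TCP":
        reasons.append("interface DNS servers set by hand: confirm they are intended")
    return reasons


def triage(text):
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, _name, detail = parsed
        reasons = flags_for(kind, detail)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_DDS).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```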
     
  10. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Looks good,

    we just have some housekeeping to do now.

    Please do the following:

    You can delete the DDS and GMER logs and programs from your desktop.


    NEXT


    Follow these steps to uninstall Combofix

    • Make sure your security programs are totally disabled.
    • Click START then RUN
    • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



    If there are any logs/tools remaining on your desktop > right click and delete them.


    NEXT


    Below I have included a number of recommendations for how to protect your computer against malware infections.

    • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
      Strong passwords: How to create and use them
      Then consider a password keeper, to keep all your passwords safe.

    • Keep Windows updated by regularly checking their website at :
      http://windowsupdate.microsoft.com/
      This will ensure your computer always has the latest available security updates installed.

    • Make Internet Explorer more secure
      • Click Start > Run
      • Type Inetcpl.cpl & click OK
      • Click on the Security tab
      • Click Reset all zones to default level
      • Make sure the Internet Zone is selected & Click Custom level
      • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
      • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

    • Download TFC to your desktop
      • Close any open windows.
      • Double click the TFC icon to run the program
      • TFC will close all open programs itself in order to run.
      • Click the Start button to begin the process.
      • Allow TFC to run uninterrupted.
      • The program should not take long to finish its job
      • Once it's finished it should automatically reboot your machine;
      • if it doesn't, manually reboot to ensure a complete clean.
      It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
      • Green to go
      • Yellow for caution
      • Red to stop
      WOT has an addon available for both Firefox and IE

    • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

    • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

    • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
      PC Safety and Security--What Do I Need?


    **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


    Should you wish to contribute to my ongoing fight against malware, donations are being accepted >>Here<<


    Thank you for your patience, and performing all of the procedures requested.

    Please respond one last time so we can consider the thread resolved and close it, thank-you.
     
  11. kgivens

    kgivens Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    6
    Big thanks, CatByte. Happy to support your efforts in the fight against malware, injustice, etc.

    Case closed!
     
  12. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    you are welcome, and thank-you

    stay safe

    ~CB
     
Short URL to this thread: https://techguy.org/974131