Computer Hope

Software => Computer viruses and spyware => Topic started by: danldo on May 06, 2010, 08:37:42 PM

Title: browser hijack
Post by: danldo on May 06, 2010, 08:37:42 PM
I have a computer with XP Pro SP3, a 2.0 GHz processor and 2 GB of RAM. I am running IE7. I seem to have a browser hijacker that I can get rid of. I have scanned with Malwarebytes and nothing. I have scanned with my antivirus and nothing. Nothing seems to find it or get rid of it. My home page comes up, but then when I search and click on a link I watch the bar and it says redirect, and then it goes to another search engine.
Here is my HijackThis log.
Any help would be greatly appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:14 PM, on 5/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\eAcceleration\Framework\eac_productsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\TradeService\TRA-SER\Database\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TradeService\TRA-SER\Admin\TSService.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\eAcceleration\Framework\eac_svc.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-21-606747145-343818398-839522115-1009\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'TSServiceUser')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178545326204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CA127633-F57D-4475-9445-E5F5B63A01ED} (MySpaceOutlookContactFinder Class) - http://invites.myspace.com/invites/M...tactFinder.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tradeservice.webex.com/clien...rt/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\eAcceleration\Framework\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\eAcceleration\Framework\eac_productsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Power Probes Advanced (PowerProbesAdvanced) - McCormick Systems - C:\Program Files\McCormick Systems\Power Probes Advanced\Power Probes Service.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\eAcceleration\Framework\eac_svc.exe
O23 - Service: TabQuery Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\TabQuery\tabquery119.exe (file missing)
O23 - Service: TRA-SER License And Update Manager (TSService) - Trade Service Company, LLC - C:\Program Files\TradeService\TRA-SER\Admin\TSService.exe
--
End of file - 13501 bytes
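As an added illustration (not a tool from this thread or from Computer Hope), the script below parses the O2, O4 and O23 sections of a HijackThis log in the format posted above and attaches review reasons to the entries a helper would normally look at first. The sample lines are constructed in that format, and the heuristics (rundll32 loading a DLL from a profile directory, Run entries under the SYSTEM or Default User hives, services whose binary is missing) are generic review rules, not verdicts about this machine.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Parses the O2 (BHO), O4 (Run keys) and O23 (services) lines and attaches
review reasons to entries that match common "look here first" heuristics.
A reason means "examine this entry", not "this entry is malware".
"""
import re
from dataclasses import dataclass, field

# Line shapes as HijackThis prints them.
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")

# Profile/temp locations: legitimate autostarts rarely load a DLL from here.
PROFILE_PATH_RE = re.compile(
    r"DOCUME~1|Documents and Settings|Application Data|Local Settings|\\Temp\\", re.I)
# Run keys of the SYSTEM (S-1-5-18) and Default User hives: installers rarely
# write there, so an entry that appears in those hives deserves a look.
SYSTEM_HIVE_RE = re.compile(r"^HKUS\\(S-1-5-18|\.DEFAULT)\\", re.I)

# Constructed sample in HijackThis format (paths modelled on the thread's log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: TabQuery Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\TabQuery\tabquery119.exe (file missing)
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def review_line(line):
    """Parse one log line; return a Finding (reasons may be empty) or None if not O2/O4/O23."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        f = Finding("O4", line)
        cmd = m.group("cmd")
        if "rundll32" in cmd.lower() and PROFILE_PATH_RE.search(cmd):
            f.reasons.append("rundll32 loads a DLL from a user-profile path")
        if SYSTEM_HIVE_RE.match(m.group("key")):
            f.reasons.append("Run entry lives under the SYSTEM or Default User hive")
        return f
    m = O23_RE.match(line)
    if m:
        f = Finding("O23", line)
        path = m.group("path")
        if "(file missing)" in path:
            f.reasons.append("service binary missing on disk (orphaned service entry)")
        if m.group("owner") == "Unknown owner" and PROFILE_PATH_RE.search(path):
            f.reasons.append("service with no vendor runs from a profile directory")
        return f
    m = O2_RE.match(line)
    if m:
        f = Finding("O2", line)
        if "(file missing)" in m.group("path"):
            f.reasons.append("BHO DLL missing on disk")
        return f
    return None


def triage(log_text):
    """Return only the entries that picked up at least one review reason, in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = review_line(raw)
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}")
        print(f"    {f.line}")
```

Lines outside the three sections (R0/R1, O9, O16, Global Startup) are skipped, so extend the regexes if you want them reviewed too.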
Title: Re: browser hijack
Post by: harry 48 on May 07, 2010, 01:39:09 PM
Post the malware log, and go to here and post the SAS log.

http://www.computerhope.com/forum/index.php/topic,46313.0.html
Title: Re: browser hijack
Post by: @@ on May 07, 2010, 02:10:13 PM
Quote
go to here and complete and post 3 logs

http://www.computerhope.com/forum/index.php/topic,46313.0.html
With all due respect to those who wrote the information in the link, I think that all your answers are to give the link. So I am afraid to close this section and replace it with linkage.
 ;D ;D ;D ;D ;D
closed
Title: Re: browser hijack
Post by: SuperDave on May 08, 2010, 01:41:11 PM
Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open MessengerDisable.exe, choose the bottom box, Uninstall Windows Messenger, and click Apply.

Exit out of MessengerDisable, then delete the two files that were put on the desktop.
==================================
Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
====================================
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html).
Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

Title: Re: browser hijack
Post by: danldo on May 11, 2010, 05:17:34 PM
Sorry, I have been out of pocket.
I followed the instructions and here is the ComboFix log.
It is still redirecting.
Thanks,
ComboFix 10-05-10.05 - Darrel 05/11/2010  15:55:54.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1473 [GMT -5:00]
Running from: c:\documents and settings\Darrel\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\command
c:\windows\command\EXTRACT.PIF
c:\windows\system32\1387958124
c:\windows\system32\mscomct2.dat
c:\windows\system32\msrfcint.dat
c:\windows\system32\ntrdectr.dat
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\unrar.exe

.
(((((((((((((((((((((((((   Files Created from 2010-04-11 to 2010-05-11  )))))))))))))))))))))))))))))))
.

2010-05-07 22:01 . 2010-05-07 22:01   --------   d-----w-   c:\program files\iPod
2010-05-07 22:00 . 2010-05-07 22:02   --------   d-----w-   c:\program files\iTunes
2010-05-07 21:53 . 2010-05-07 21:53   --------   d-----w-   c:\program files\Bonjour
2010-05-07 21:49 . 2010-05-07 21:49   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-07 17:28 . 2010-02-28 01:46   3691384   ----a-w-   c:\documents and settings\Darrel\Application Data\Simply Super Software\Trojan Remover\idb2.exe
2010-05-07 17:17 . 2010-05-07 20:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-07 17:17 . 2010-05-07 17:27   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-05-07 17:11 . 2006-06-19 17:01   69632   ----a-w-   c:\windows\system32\ztvcabinet.dll
2010-05-07 17:11 . 2006-05-25 19:52   162304   ----a-w-   c:\windows\system32\ztvunrar36.dll
2010-05-07 17:11 . 2005-08-26 05:50   77312   ----a-w-   c:\windows\system32\ztvunace26.dll
2010-05-07 17:11 . 2003-02-03 00:06   153088   ----a-w-   c:\windows\system32\UNRAR3.dll
2010-05-07 17:11 . 2002-03-06 05:00   75264   ----a-w-   c:\windows\system32\unacev2.dll
2010-05-07 17:11 . 2010-05-07 17:12   --------   d-----w-   c:\program files\Trojan Remover
2010-05-07 17:11 . 2010-05-07 17:11   --------   d-----w-   c:\documents and settings\Darrel\Application Data\Simply Super Software
2010-05-07 17:11 . 2010-05-07 17:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Simply Super Software
2010-05-07 15:42 . 2010-05-07 15:42   --------   d-----w-   c:\documents and settings\Darrel\Local Settings\Application Data\Threat Expert
2010-05-07 15:17 . 2010-05-11 20:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
2010-05-07 15:16 . 2010-05-11 20:42   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 21:38 . 2010-02-24 15:16   181632   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-06 21:36 . 2010-05-06 21:36   --------   d-----w-   c:\program files\Windows Defender
2010-05-06 20:42 . 2010-05-06 20:42   --------   d-----w-   c:\program files\ESET
2010-05-06 19:55 . 2010-05-06 19:55   --------   d-----w-   c:\program files\SpywareBlaster
2010-05-06 19:54 . 2010-05-06 19:54   --------   d-----w-   c:\program files\Zamaan's Software
2010-05-06 19:52 . 2010-05-06 19:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\IObit
2010-05-05 17:50 . 2010-05-05 17:50   --------   d-----w-   c:\program files\Trend Micro
2010-04-22 13:23 . 2010-04-22 13:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-22 13:14 . 2010-04-22 14:22   --------   d-----w-   c:\program files\QuickTime
2010-04-22 12:55 . 2010-04-22 12:55   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-15 12:20 . 2010-04-15 12:20   96512   ----a-w-   c:\windows\system32\drivers\flczegjd.sys
2010-04-15 12:18 . 2010-05-07 15:46   --------   d-----w-   c:\windows\system32\MpEngineStore

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 21:12 . 2010-01-18 22:55   --------   d-----w-   c:\documents and settings\Darrel\Application Data\LimeWire
2010-05-11 21:11 . 2008-04-07 19:28   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-05-11 17:59 . 2004-03-12 23:28   50948   ----a-w-   c:\documents and settings\Darrel\Application Data\wklnhst.dat
2010-05-11 13:11 . 2008-11-14 14:06   --------   d-----w-   c:\program files\LogMeIn
2010-05-08 14:38 . 2007-06-15 17:35   --------   d-----w-   c:\program files\NECA2007
2010-05-07 22:01 . 2008-03-03 22:55   --------   d-----w-   c:\program files\Common Files\Apple
2010-05-07 18:18 . 2004-03-12 01:19   --------   d-----w-   c:\program files\Aveo
2010-05-07 18:17 . 2008-07-24 14:42   --------   d-----w-   c:\program files\Acceleration Software
2010-05-07 16:02 . 2009-01-21 19:44   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-06 22:05 . 2010-02-24 20:47   --------   d-----w-   c:\program files\TabQuery
2010-05-06 20:13 . 2006-10-24 18:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\nView_Profiles
2010-05-06 19:52 . 2008-07-22 19:01   --------   d-----w-   c:\program files\IObit
2010-04-29 20:39 . 2009-01-21 19:44   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-01-21 19:44   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-28 21:35 . 2010-01-18 22:55   --------   d-----w-   c:\program files\LimeWire
2010-04-22 12:59 . 2008-03-24 18:57   --------   d-----w-   c:\program files\Safari
2010-04-21 13:53 . 2010-03-25 12:56   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-04-19 14:13 . 2007-07-03 15:41   102833   -c--a-w-   c:\windows\HPFins09.dat
2010-04-16 12:36 . 2009-01-21 21:12   --------   d-----w-   c:\program files\CCleaner
2010-04-08 18:20 . 2010-04-08 18:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2010-04-06 18:29 . 2009-01-27 17:24   --------   d-----w-   c:\program files\Office10
2010-04-06 18:18 . 2006-02-14 13:30   --------   d-----w-   c:\program files\Yahoo!
2010-04-06 13:02 . 2009-08-26 20:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
2010-03-31 12:53 . 2004-06-25 11:17   --------   d-----w-   c:\program files\Common Files\Java
2010-03-31 12:53 . 2010-03-31 12:53   503808   ----a-w-   c:\documents and settings\Darrel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-376d9e1d-n\msvcp71.dll
2010-03-31 12:53 . 2010-03-31 12:53   499712   ----a-w-   c:\documents and settings\Darrel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-376d9e1d-n\jmc.dll
2010-03-31 12:53 . 2010-03-31 12:53   348160   ----a-w-   c:\documents and settings\Darrel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-376d9e1d-n\msvcr71.dll
2010-03-31 12:53 . 2010-03-31 12:53   61440   ----a-w-   c:\documents and settings\Darrel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-455d9db6-n\decora-sse.dll
2010-03-31 12:53 . 2010-03-31 12:53   12800   ----a-w-   c:\documents and settings\Darrel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-455d9db6-n\decora-d3d.dll
2010-03-31 12:53 . 2004-04-08 20:43   --------   d-----w-   c:\program files\Java
2010-03-25 12:56 . 2010-03-25 12:56   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-03-25 12:56 . 2010-03-25 12:56   216200   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-03-25 12:56 . 2010-03-25 12:56   29512   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-03-25 12:53 . 2010-03-25 12:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-03-25 12:53 . 2009-01-26 01:14   --------   d-----w-   c:\program files\AVG
2010-03-12 17:03 . 2004-03-13 21:57   120208   -c--a-w-   c:\documents and settings\Darrel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2009-01-25 22:13   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2009-01-25 22:14   17408   ------w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2009-01-25 22:13   430080   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-09 09:28 . 2009-02-13 22:50   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-24 13:11 . 2009-01-25 22:13   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-12 04:33 . 2009-01-25 22:14   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2009-01-25 22:13   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
2001-12-03 23:09 . 2009-11-02 21:23   90112   ----a-w-   c:\program files\internet explorer\plugins\DjVuControl.dll
2010-01-23 18:49 . 2010-01-23 18:49   0   --sha-w-   c:\windows\system32\43.tmp
2010-01-24 14:49 . 2010-01-23 18:49   0   --sha-w-   c:\windows\system32\44.tmp
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 118784]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 196608]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BHR"="c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [2006-10-25 9375744]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Darrel\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-2-8 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-25 12:56   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 12:43   87352   ----a-w-   c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 15:51   24638   ------w-   c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
path=
backup=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Canon\\Network ScanGear\\SgTool.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\McCormick Systems\\Power Probes Advanced\\Power Probes Utility.exe"=
"c:\\Program Files\\McCormick Systems\\Power Probes Advanced\\Power Probes Update.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\MSACCESS.EXE"=
"c:\\Program Files\\McCormick Systems\\Office10\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Office10\\MSACCESS.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [3/11/2004 11:52 AM 77056]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/25/2010 7:56 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/25/2010 7:56 AM 242896]
R2 Asusgio;Asusgio;c:\program files\ASUS\Cool & Quiet\Asusgio.sys [3/11/2004 3:17 PM 52776]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/25/2010 7:54 AM 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [5/6/2010 2:52 PM 311568]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 MSSQL$MSDE01;SQL Server (MSDE01);c:\program files\TradeService\TRA-SER\Database\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 PowerProbesAdvanced;Power Probes Advanced;c:\program files\McCormick Systems\Power Probes Advanced\Power Probes Service.exe [12/15/2009 11:58 AM 231952]
R2 TSService;TRA-SER License And Update Manager;c:\program files\TradeService\TRA-SER\Admin\TSService.exe [2/11/2009 12:25 PM 149976]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 CorexCardScan500;Corex CardScan 500;c:\windows\system32\drivers\SLCOREX.SYS [3/13/2004 11:48 AM 17448]
S2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eAcceleration\Framework\eac_svc.exe [7/24/2008 9:41 AM 113920]
S2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\eAcceleration\Framework\eac_productsvc.exe [7/24/2008 9:41 AM 263504]
S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);c:\windows\system32\drivers\ezusb.sys [3/11/2004 9:47 AM 132484]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:48 AM 135664]
S2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\eAcceleration\Framework\eac_svc.exe [7/24/2008 9:41 AM 113920]
S2 TabQuery Service;TabQuery Service;"c:\documents and settings\All Users\Application Data\TabQuery\tabquery119.exe" "c:\program files\TabQuery\tabquery.dll" Service --> c:\documents and settings\All Users\Application Data\TabQuery\tabquery119.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6634152bde.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:48]

2010-05-11 c:\windows\Tasks\TSOLnkUpdAlertTask.job
- c:\program files\TradeService\Trade Service Online Link Update Manager\TSOLnkUpdAlert.exe [2009-07-07 18:23]

2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{3784CBF0-7DCB-47EB-8052-6670F0C7BC50}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 00:36]

2010-05-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 03:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CA127633-F57D-4475-9445-E5F5B63A01ED} - hxxp://invites.myspace.com/invites/MySpace.OutlookContactFinder.cab
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A7CE8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba714b3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
 ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
 ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: 3Com Gigabit LOM (3C940) -> SendCompleteHandler -> NDIS.sys @ 0xba5b8bb0
 PacketIndicateHandler -> NDIS.sys @ 0xba5c5a21
 SendHandler -> NDIS.sys @ 0xba5a387b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\hasplms.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\IObit\IObit Security 360\is360.exe
.
**************************************************************************
.
Completion time: 2010-05-11  16:19:32 - machine was rebooted
ComboFix-quarantined-files.txt  2010-05-11 21:19

Pre-Run: 36,086,841,344 bytes free
Post-Run: 36,517,662,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 77285A8DE67F07B38931F7F7358942BF
Title: Re: browser hijack
Post by: SuperDave on May 11, 2010, 06:09:30 PM
It would appear from the ComboFix log that you are possibly running three Anti-Virus programs on your computer: AVG Anti-Virus Free, Spyware Doctor with AntiVirus and StopSign Antivirus. You should have only one AV program running on your computer. If this is so, two of them will have to be uninstalled. If you need any help with this, please let me know.
===================================
P2P - I see you have P2P software installed on your machine (LimeWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
=====================================
Re-running ComboFix to remove infections:

=====================================
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs to be scanned, they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:

Code:
c:\windows\system32\unacev2.dll
c:\windows\system32\drivers\flczegjd.sys

* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

===============================================

* Download the following tool: RootRepeal - Rootkit Detector (http://rootrepeal.googlepages.com/)
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
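As an added illustration (not part of this thread's posts, and not code from ComboFix or RootRepeal): the reasons SuperDave singles out a driver with a meaningless eight-letter name and a service running out of Application Data can be turned into a small triage script. The heuristics below (random-looking file name, a ComboFix "[?]" marker meaning the file could not be found or verified, a binary living in a user-writable profile folder) are my own assumptions, not a ComboFix feature. The sample lines are copied from the log above, except the last one, which is constructed around the driver path SuperDave asks to have scanned; the log on the page shows no such service entry.

```python
import re

# Constructed sample: service lines in the format ComboFix prints
# ("R?/S? name;display name;path [date size]" or "... --> path [?]").
# All but the last line are copied from the log above; the flczegjd
# service line is constructed for this example.
SAMPLE_LOG = r"""
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [3/11/2004 11:52 AM 77056]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/25/2010 7:56 AM 216200]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S2 TabQuery Service;TabQuery Service;"c:\documents and settings\All Users\Application Data\TabQuery\tabquery119.exe" "c:\program files\TabQuery\tabquery.dll" Service --> c:\documents and settings\All Users\Application Data\TabQuery\tabquery119.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
R1 flczegjd;flczegjd;c:\windows\system32\drivers\flczegjd.sys [?]
"""

VOWELS = set("aeiou")
# start type, service name, display name, path part, bracketed detail
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]\s*$")
FILE_RE = re.compile(r"([\w.-]+)\.(sys|exe|dll)", re.IGNORECASE)


def looks_random(stem):
    """Assumed heuristic: eight or more letters, no digits, at most one vowel.
    Matches names like 'flczegjd' but not 'viasraid' or 'avgldx86'."""
    return stem.isalpha() and len(stem) >= 8 and sum(c in VOWELS for c in stem.lower()) <= 1


def audit_services(log_text):
    """Return {service name: [reasons]} for every service line that trips a heuristic."""
    findings = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _start, name, _display, path_part, detail = m.groups()
        # When ComboFix prints "a --> b", b is the path it actually tried to resolve.
        resolved = path_part.split("-->")[-1].strip()
        files = FILE_RE.findall(resolved)
        stem = files[-1][0] if files else ""
        reasons = []
        if detail.strip() == "?":
            # [?] = file not found or not verifiable. Paths carrying arguments
            # (hasplms.exe -run) trigger this too, so treat it as a lead, not a verdict.
            reasons.append("file missing or unverifiable ([?])")
        if looks_random(stem):
            reasons.append("random-looking file name")
        lowered = resolved.lower()
        if "application data" in lowered or "documents and settings" in lowered:
            reasons.append("runs from user-writable profile folder")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in audit_services(SAMPLE_LOG).items():
        print(f"{svc}: {', '.join(why)}")
```

Anything the script lists is a candidate for exactly the step SuperDave describes: submit the file to a multi-engine scanner and post the result, rather than deleting it on the strength of a name pattern alone.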
Title: Re: browser hijack
Post by: danldo on May 17, 2010, 07:11:46 AM
I finally just reformatted and reloaded.
Title: Re: browser hijack
Post by: danldo on May 17, 2010, 07:12:43 AM
Thank You
Title: Re: browser hijack
Post by: SuperDave on May 17, 2010, 01:07:09 PM
You're welcome and don't forget to only put one Anti-Virus program on your computer.