Author Topic: IE 7 Redirects (Read 14915 times)

cd304 · « **on:** May 10, 2010, 08:50:08 AM »

A few weeks ago started having problems with this Windows XP system. Random browser windows were popping up and it was running very slow. Ran Computer Associates AntiVirus & AntiSpyware but not much changed. Ran SuperAntiSpyware and MalwareBytes and some things were cleaned up so I (mistakenly) thought it was better.

Am now getting redirected most of the time when doing Yahoo searches so (obviously) there are still issues with the system. Not sure what else to do so I am asking for help!

Here is the latest round of logs:

SUPERANTISPYWARE:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/04/2010 at 02:55 PM

Application Version : 4.34.1000

Core Rules Database Version : 4888
Trace Rules Database Version: 2700

Scan type : Complete Scan
Total Scan Time : 03:15:06

Memory items scanned : 507
Memory threats detected : 0
Registry items scanned : 7479
Registry threats detected : 0
File items scanned : 57773
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt

MALWAREBYTES ANTI-SPYWARE:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4069

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/5/2010 10:26:33 AM
mbam-log-2010-05-05 (10-26-33).txt

Scan type: Quick scan
Objects scanned: 135238
Time elapsed: 33 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:06 AM, on 5/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {63CC63C6-1AE1-491C-B96A-812A7950A1EC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [\CARL-PC\EPSON Stylus CX7400 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_S8.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.vectorvest.com/install/vvonlineus/setup.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216821732953
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://asp1.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://oxps.webex.com/client/T23L/event/ieatgpc.cab
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINNT\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pantech&Curitel Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10016 bytes

Dr Jay · « **Reply #1 on:** May 11, 2010, 10:22:46 PM »

GMER

Note about this tool:

This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
No matter what is in the log, please post all the information/contents of the log.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

cd304 · « **Reply #2 on:** May 13, 2010, 11:41:50 AM »

DragonMaster Jay - Thank you for your help with these problems!

Ok, things got a bit worse before I started to use GMER. When I booted up the system to follow the steps listed, a fake anti-virus program started running (Anti-Spyware Soft). I was unable to get Ctrl-Atl-Del to bring up the task manager so I eventually power cycled the system. The next time I powered up, I entered Ctrl-Alt-Del as soon as the system came up. Sure enough, Anti-Spyware Soft started running again, but I was able to kill the process.

The next issue I encountered was that Internet Explorer no longer worked. Regardless of the address I used, it kept giving error messages (connection problems, invalid addresses, etc...). Fortunately, I have an old copy of Netscape on the system and, thankfully, it worked. I downloaded and ran GMER and the results are posted below. It started to run other anti-virus scans, but thought it best to await your directions!

Note: I tried to post the log in the text but it far exceeded the character limits of posts. The log is attached...

[recovering disk space - old attachment deleted by admin]

Dr Jay · « **Reply #3 on:** May 13, 2010, 12:11:39 PM »

Please do not attach logs. Post them on the messages.

You have a severe infection on the system.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

Back up all important data on the machine.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:

Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.

From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for potential identity theft caused by the infections.

=============================

Please download ComboFix

from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
killall::

TDL::
C:\WINNT\system32\drivers\pcmcia.sys

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

NOTE:

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

cd304 · « **Reply #4 on:** May 25, 2010, 10:01:28 AM »

Here are the results from combo-fix:

ComboFix 10-05-24.07 - Administrator 05/25/2010 11:20:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.251 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\gkgryshqb
c:\documents and settings\NetworkService\Local Settings\Application Data\gkgryshqb\mwloacktssd.exe
c:\winnt\system32\ATHPRXY(2).DLL
c:\winnt\system32\VB40032.DLL

Infected copy of c:\winnt\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\winnt\system32\DRIVERS\pcmcia.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\winnt\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\winnt\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\winnt\system32\DRIVERS\pcmcia.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\winnt\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\winnt\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\winnt\system32\DRIVERS\pcmcia.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\winnt\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-05 15:20 . 2010-05-05 15:20   --------   d-----w-   c:\program files\Trend Micro
2010-05-05 14:35 . 2010-04-12 21:29   411368   ----a-w-   c:\winnt\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 15:39 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k7
2010-05-25 15:39 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k6
2010-05-25 15:39 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k5
2010-05-25 15:39 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k4
2010-05-25 15:39 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k3
2010-05-25 15:39 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k2
2010-05-25 15:39 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k1
2010-05-25 15:39 . 2008-07-23 18:16   156630   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k0
2010-05-12 15:01 . 2010-04-06 12:10   664   ----a-w-   c:\winnt\system32\d3d9caps.dat
2010-05-05 15:07 . 2010-05-05 15:07   79488   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-05-05 15:07 . 2010-05-05 15:07   152576   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-05-05 14:50 . 2003-07-31 19:26   --------   d-----w-   c:\program files\Java
2010-05-05 14:41 . 2005-02-17 22:49   --------   d-----w-   c:\program files\Common Files\Java
2010-05-05 14:36 . 2010-05-05 14:36   503808   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-463ca356-n\msvcp71.dll
2010-05-05 14:36 . 2010-05-05 14:36   61440   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-207644ed-n\decora-sse.dll
2010-05-05 14:36 . 2010-05-05 14:36   499712   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-463ca356-n\jmc.dll
2010-05-05 14:36 . 2010-05-05 14:36   348160   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-463ca356-n\msvcr71.dll
2010-05-05 14:36 . 2010-05-05 14:36   12800   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-207644ed-n\decora-d3d.dll
2010-05-05 13:50 . 2010-03-05 15:05   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-04 15:38 . 2010-03-04 16:43   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 15:29 . 2010-03-04 15:58   --------   d-----w-   c:\program files\CCleaner
2010-04-29 19:39 . 2010-03-05 15:06   38224   ----a-w-   c:\winnt\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-05 15:05   20952   ----a-w-   c:\winnt\system32\drivers\mbam.sys
2010-04-20 18:08 . 2002-08-29 07:09   120192   ----a-w-   c:\winnt\system32\drivers\pcmcia.sys
2010-04-19 19:30 . 2008-09-29 16:46   --------   d-----w-   c:\program files\Interbank FX Trader 4
2010-04-18 22:19 . 2010-04-18 22:19   5430   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3ED2A2F6-8775-4ACD-9356-EAE4BEDE0509}\_E5D2003571905B71FEBBC9.exe
2010-04-18 22:19 . 2010-04-18 22:19   5430   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3ED2A2F6-8775-4ACD-9356-EAE4BEDE0509}\_CA5F55103AD4154ED344AC.exe
2010-04-18 22:19 . 2010-04-18 22:19   5430   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3ED2A2F6-8775-4ACD-9356-EAE4BEDE0509}\_A46C3B54F2C9871CD81DAF.exe
2010-04-18 22:18 . 2008-06-18 23:55   --------   d-----w-   c:\program files\ARLT
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_C6D28B8AA1A9ABA5E07174.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_DC23633F7DD39500B4E7F9.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_6FEFF9B68218417F98F549.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_6860B031EE4AA9CB415D4C.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_5787B9EABABEEE425FCB87.exe
2010-04-14 18:53 . 2008-09-11 01:33   --------   d-----w-   c:\program files\QuickTime
2010-04-14 18:53 . 2008-08-12 15:31   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-04-14 18:53 . 2008-10-23 01:45   --------   d-----w-   c:\program files\iTunes
2010-04-14 18:53 . 2002-11-08 09:08   --------   d-----w-   c:\program files\PhoneTools
2010-04-14 15:04 . 2010-03-04 16:41   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-04-14 14:31 . 2010-04-12 19:44   112   ----a-w-   c:\documents and settings\All Users\Application Data\7oLQoNBb8.dat
2010-04-09 13:26 . 2008-08-12 15:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 14:46 . 2007-03-28 01:29   --------   d-----w-   c:\program files\Citrix
2010-04-08 14:46 . 2005-12-04 18:39   --------   d-----w-   c:\program files\Google
2010-04-08 14:33 . 2009-07-08 15:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
2010-04-08 14:12 . 2009-07-08 15:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\skypePM
2010-04-07 15:29 . 2010-03-27 21:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-04-07 14:40 . 2006-02-20 18:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-06 12:10 . 2010-04-06 12:10   552   ----a-w-   c:\winnt\system32\d3d8caps.dat
2010-03-31 00:08 . 2010-03-31 00:08   --------   d-----w-   c:\documents and settings\LocalService\Application Data\McAfee
2010-03-27 21:37 . 2010-03-27 21:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2010-03-11 12:38 . 2004-02-06 22:05   832512   ----a-w-   c:\winnt\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56   78336   ----a-w-   c:\winnt\system32\ieencode.dll
2010-03-11 12:38 . 1980-01-01 06:00   17408   ----a-w-   c:\winnt\system32\corpol.dll
2010-03-09 11:09 . 1980-01-01 06:00   430080   ----a-w-   c:\winnt\system32\vbscript.dll
2010-03-04 16:43 . 2010-03-04 16:43   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2008-07-23 16:46 . 2008-07-23 16:46   10663   ----a-w-   c:\program files\Common Files\gawuficifi.dl
.

Code: [Select]

<pre>
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID .exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem .exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade .exe
c:\program files\CA\CA Internet Security Suite\cctray\cctray .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Netscape\Netscape\Netscp .exe
c:\program files\PhoneTools\CapFax .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\winnt\system32\SK9910DM .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [N/A]
"Mozilla Quick Launch"="c:\program files\Netscape\Netscape\Netscp.exe" [N/A]
"\CARL-PC\EPSON Stylus CX7400 Series"="c:\winnt\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-07 65536]
"Keyboard Preload Check"="c:\oemdrvrs\KEYB\Preload.exe" [N/A]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-07-31 1193200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Instant Wireless Configuration Utility.lnk - c:\program files\Linksys\WPC11 Config Utility\WPC11Cfg.exe [2004-1-21 176128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-11-8 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 17:30   79368   ----a-w-   c:\winnt\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\CentraOne\\bin\\launcher.exe"=
"c:\\Program Files\\GlobalTec Solutions, LLP\\OptionHunter\\optionhunter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 KmxStart;KmxStart;c:\winnt\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\winnt\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\winnt\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\winnt\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 KmxCF;KmxCF;c:\winnt\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\winnt\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [11/8/2002 5:13 AM 6736]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R3 KmxCfg;KmxCfg;c:\winnt\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
R3 mv2;mv2;c:\winnt\system32\drivers\mv2.sys [7/30/2009 3:27 PM 8792]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\winnt\system32\drivers\pwi_bus.sys [6/13/2007 8:55 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\winnt\system32\drivers\pwi_mdfl.sys [6/13/2007 8:55 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\winnt\system32\drivers\pwi_mdm.sys [6/13/2007 8:55 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\winnt\system32\drivers\pwi_oflt.sys [6/13/2007 8:55 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\winnt\system32\drivers\pwi_serd.sys [6/13/2007 8:55 PM 69632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\winnt\system32\drivers\LSWLN51.sys [1/21/2004 12:15 PM 50688]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCANDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ     Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-15 c:\winnt\Tasks\CAAntiSpywareScan_Daily as Administrator at 2 02 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]

2003-08-15 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-11-08 15:04]

2010-05-25 c:\winnt\Tasks\User_Feed_Synchronization-{08E89116-8597-4F58-A253-0C36183D8D73}.job
- c:\winnt\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\winnt\system32\VetRedir.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\Gateway\Do More\DoMoreRunExe.CAB
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://asp1.centra.com/SiteRoots/main/Install/CentraDownloader.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BETATEST-CTEQ-TRDE-H3R3-2UN1NST4LL1T_is1 - c:\program files\GlobalTec Solutions
AddRemove-BETATEST-WTST-OCKS-H3R3-2UN1NST4LL1T_is1 - c:\program files\GlobalTec Solutions
AddRemove-C0MM4NDT-L00K-FXFX-H3R3-UN1NST4LLTH3_is1 - c:\program files\GlobalTec Solutions
AddRemove-FB7AB7D4-B1C0-4384-BAF1-A0F7566BE4B7_is1 - c:\program files\GlobalTec Solutions
AddRemove-FX Charts PlugIn - c:\progra~1\CANDLE~1\TS\UNWISE.EXE
AddRemove-News PlugIn - c:\progra~1\CANDLE~1\TS\UNINST~1\UNWISE.EXE
AddRemove-W1Z3F33D-CD0C-4AC4-86B4-X11E5511AA18_is1 - c:\program files\GlobalTec Solutions

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 11:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\WININET.dll
c:\winnt\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(844)
c:\winnt\system32\VetRedir.dll
c:\winnt\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(1072)
c:\winnt\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\winnt\system32\bmwebcfg.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\System32\nvsvc32.exe
c:\program files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\winnt\system32\wscntfy.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\winnt\GWMDMMSG.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-25 11:57:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-25 15:57

Pre-Run: 94,517,284,864 bytes free
Post-Run: 94,773,297,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C6DCA18BBFAE5683D6C04615EFB30DC2

Dr Jay · « **Reply #5 on:** May 25, 2010, 01:04:12 PM »

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
killall::

rootkit::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

cd304 · « **Reply #6 on:** May 26, 2010, 09:52:44 AM »

Latest comb-fix log:

ComboFix 10-05-25.05 - Administrator 05/26/2010 11:17:49.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.230 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\winnt\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\winnt\ERDNT\cache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-05 15:20 . 2010-05-05 15:20   --------   d-----w-   c:\program files\Trend Micro
2010-05-05 14:35 . 2010-04-12 21:29   411368   ----a-w-   c:\winnt\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 15:30 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k7
2010-05-26 15:30 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k6
2010-05-26 15:30 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k5
2010-05-26 15:30 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k4
2010-05-26 15:30 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k3
2010-05-26 15:30 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k2
2010-05-26 15:30 . 2008-07-23 18:16   64   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k1
2010-05-26 15:30 . 2008-07-23 18:16   156630   ----a-w-   c:\winnt\system32\drivers\kmxcfg.u2k0
2010-05-12 15:01 . 2010-04-06 12:10   664   ----a-w-   c:\winnt\system32\d3d9caps.dat
2010-05-05 15:07 . 2010-05-05 15:07   79488   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-05-05 15:07 . 2010-05-05 15:07   152576   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-05-05 14:50 . 2003-07-31 19:26   --------   d-----w-   c:\program files\Java
2010-05-05 14:41 . 2005-02-17 22:49   --------   d-----w-   c:\program files\Common Files\Java
2010-05-05 14:36 . 2010-05-05 14:36   503808   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-463ca356-n\msvcp71.dll
2010-05-05 14:36 . 2010-05-05 14:36   61440   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-207644ed-n\decora-sse.dll
2010-05-05 14:36 . 2010-05-05 14:36   499712   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-463ca356-n\jmc.dll
2010-05-05 14:36 . 2010-05-05 14:36   348160   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-463ca356-n\msvcr71.dll
2010-05-05 14:36 . 2010-05-05 14:36   12800   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-207644ed-n\decora-d3d.dll
2010-05-05 13:50 . 2010-03-05 15:05   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-04 15:38 . 2010-03-04 16:43   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 15:29 . 2010-03-04 15:58   --------   d-----w-   c:\program files\CCleaner
2010-04-29 19:39 . 2010-03-05 15:06   38224   ----a-w-   c:\winnt\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-05 15:05   20952   ----a-w-   c:\winnt\system32\drivers\mbam.sys
2010-04-20 18:08 . 2002-08-29 07:09   120192   ----a-w-   c:\winnt\system32\drivers\pcmcia.sys
2010-04-19 19:30 . 2008-09-29 16:46   --------   d-----w-   c:\program files\Interbank FX Trader 4
2010-04-18 22:19 . 2010-04-18 22:19   5430   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3ED2A2F6-8775-4ACD-9356-EAE4BEDE0509}\_E5D2003571905B71FEBBC9.exe
2010-04-18 22:19 . 2010-04-18 22:19   5430   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3ED2A2F6-8775-4ACD-9356-EAE4BEDE0509}\_CA5F55103AD4154ED344AC.exe
2010-04-18 22:19 . 2010-04-18 22:19   5430   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{3ED2A2F6-8775-4ACD-9356-EAE4BEDE0509}\_A46C3B54F2C9871CD81DAF.exe
2010-04-18 22:18 . 2008-06-18 23:55   --------   d-----w-   c:\program files\ARLT
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_C6D28B8AA1A9ABA5E07174.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_DC23633F7DD39500B4E7F9.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_6FEFF9B68218417F98F549.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_6860B031EE4AA9CB415D4C.exe
2010-04-16 17:45 . 2010-04-16 17:45   32038   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{1AED0E8F-170C-46AD-91C6-E0334DB65A3E}\_5787B9EABABEEE425FCB87.exe
2010-04-14 18:53 . 2008-09-11 01:33   --------   d-----w-   c:\program files\QuickTime
2010-04-14 18:53 . 2008-08-12 15:31   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-04-14 18:53 . 2008-10-23 01:45   --------   d-----w-   c:\program files\iTunes
2010-04-14 18:53 . 2002-11-08 09:08   --------   d-----w-   c:\program files\PhoneTools
2010-04-14 15:04 . 2010-03-04 16:41   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-04-14 14:31 . 2010-04-12 19:44   112   ----a-w-   c:\documents and settings\All Users\Application Data\7oLQoNBb8.dat
2010-04-09 13:26 . 2008-08-12 15:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 14:46 . 2007-03-28 01:29   --------   d-----w-   c:\program files\Citrix
2010-04-08 14:46 . 2005-12-04 18:39   --------   d-----w-   c:\program files\Google
2010-04-08 14:33 . 2009-07-08 15:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
2010-04-08 14:12 . 2009-07-08 15:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\skypePM
2010-04-07 15:29 . 2010-03-27 21:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-04-07 14:40 . 2006-02-20 18:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-06 12:10 . 2010-04-06 12:10   552   ----a-w-   c:\winnt\system32\d3d8caps.dat
2010-03-31 00:08 . 2010-03-31 00:08   --------   d-----w-   c:\documents and settings\LocalService\Application Data\McAfee
2010-03-27 21:37 . 2010-03-27 21:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2010-03-11 12:38 . 2004-02-06 22:05   832512   ----a-w-   c:\winnt\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56   78336   ----a-w-   c:\winnt\system32\ieencode.dll
2010-03-11 12:38 . 1980-01-01 06:00   17408   ----a-w-   c:\winnt\system32\corpol.dll
2010-03-09 11:09 . 1980-01-01 06:00   430080   ----a-w-   c:\winnt\system32\vbscript.dll
2010-03-04 16:43 . 2010-03-04 16:43   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2008-07-23 16:46 . 2008-07-23 16:46   10663   ----a-w-   c:\program files\Common Files\gawuficifi.dl
.

Code: [Select]

<pre>
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID .exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem .exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade .exe
c:\program files\CA\CA Internet Security Suite\cctray\cctray .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Netscape\Netscape\Netscp .exe
c:\program files\PhoneTools\CapFax .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\winnt\system32\SK9910DM .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [N/A]
"Mozilla Quick Launch"="c:\program files\Netscape\Netscape\Netscp.exe" [N/A]
"\CARL-PC\EPSON Stylus CX7400 Series"="c:\winnt\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-07 65536]
"Keyboard Preload Check"="c:\oemdrvrs\KEYB\Preload.exe" [N/A]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-07-31 1193200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Instant Wireless Configuration Utility.lnk - c:\program files\Linksys\WPC11 Config Utility\WPC11Cfg.exe [2004-1-21 176128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-11-8 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 17:30   79368   ----a-w-   c:\winnt\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\CentraOne\\bin\\launcher.exe"=
"c:\\Program Files\\GlobalTec Solutions, LLP\\OptionHunter\\optionhunter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 KmxStart;KmxStart;c:\winnt\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\winnt\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\winnt\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\winnt\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 KmxCF;KmxCF;c:\winnt\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\winnt\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [11/8/2002 5:13 AM 6736]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R3 KmxCfg;KmxCfg;c:\winnt\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
R3 mv2;mv2;c:\winnt\system32\drivers\mv2.sys [7/30/2009 3:27 PM 8792]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\winnt\system32\drivers\pwi_bus.sys [6/13/2007 8:55 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\winnt\system32\drivers\pwi_mdfl.sys [6/13/2007 8:55 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\winnt\system32\drivers\pwi_mdm.sys [6/13/2007 8:55 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\winnt\system32\drivers\pwi_oflt.sys [6/13/2007 8:55 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\winnt\system32\drivers\pwi_serd.sys [6/13/2007 8:55 PM 69632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\winnt\system32\drivers\LSWLN51.sys [1/21/2004 12:15 PM 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ     Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-15 c:\winnt\Tasks\CAAntiSpywareScan_Daily as Administrator at 2 02 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]

2003-08-15 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-11-08 15:04]

2010-05-25 c:\winnt\Tasks\User_Feed_Synchronization-{08E89116-8597-4F58-A253-0C36183D8D73}.job
- c:\winnt\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\winnt\system32\VetRedir.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\Gateway\Do More\DoMoreRunExe.CAB
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://asp1.centra.com/SiteRoots/main/Install/CentraDownloader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 11:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\WININET.dll
c:\winnt\system32\UmxWnp.Dll
c:\winnt\system32\iphlpapi.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(848)
c:\winnt\system32\VetRedir.dll
c:\winnt\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(2004)
c:\winnt\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\winnt\system32\bmwebcfg.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\System32\nvsvc32.exe
c:\program files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\winnt\system32\wscntfy.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\winnt\GWMDMMSG.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-26 11:48:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 15:48
ComboFix2.txt 2010-05-25 15:57

Pre-Run: 94,762,307,584 bytes free
Post-Run: 94,725,324,800 bytes free

- - End Of File - - BB3F2E0EDF63FCF0D352243732769202

Dr Jay · « **Reply #7 on:** May 26, 2010, 02:15:58 PM »

We got it. Yeah.

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

cd304 · « **Reply #8 on:** May 28, 2010, 07:20:09 AM »

Here is the Kaspersky log:

KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 27, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 27, 2010 11:44:39
Records in database: 4188194

Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
A:\
C:\
D:\
X:\

Scan statistics
Objects scanned 89560
Threats found 4
Infected objects found 4
Suspicious objects found 1
Scan duration 05:25:03

File name Threat Threats count
C:\OEMDRVRS\GWMDMU.EXE Infected: Packed.Win32.Krap.ak 1

C:\Program Files\Outlook Express\Inbox.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\gkgryshqb\mwloacktssd.exe.vir Infected: Trojan.Win32.FraudPack.awfe 1

C:\Qoobox\Quarantine\C\WINNT\system32\Drivers\pcmcia.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

C:\WINNT\GWMDMU.exe Infected: Packed.Win32.Krap.ak 1

Selected area has been scanned.

Dr Jay · « **Reply #9 on:** May 28, 2010, 03:12:25 PM »

Please download OTM

Save it to your desktop.
Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

Code: [Select]

:files
C:\OEMDRVRS\GWMDMU.EXE

:Commands
[emptytemp]
[purity]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and
open the newest .log file present, and copy/paste the contents of that document back here in your next post.

cd304 · « **Reply #10 on:** June 01, 2010, 08:08:10 AM »

OTM Log:

All processes killed
========== FILES ==========
C:\OEMDRVRS\GWMDMU.EXE moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 109605715 bytes
->Temporary Internet Files folder emptied: 2997458 bytes
->Java cache emptied: 204649 bytes
->FireFox cache emptied: 3444107 bytes
->Google Chrome cache emptied: 28250462 bytes
->Apple Safari cache emptied: 182911 bytes
->Flash cache emptied: 801 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 245894 bytes
->Flash cache emptied: 1850 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5207250 bytes
->Flash cache emptied: 25740 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 8794129 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 12536 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 20521827 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 171.00 mb

OTM by OldTimer - Version 3.1.12.2 log created on 06012010_095810

Files moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LM0FV5IF\topic,104517.0[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

Dr Jay · « **Reply #11 on:** June 01, 2010, 11:53:23 AM »

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

Select Start > All Programs > Accessories > System tools > System Restore.
On the dialogue box that appears select Create a Restore Point
Click NEXT
Enter a name e.g. Clean
Click CREATE

You now have a clean restore point, to get rid of the bad ones:

Select Start > All Programs > Accessories > System tools > Disk Cleanup.
In the Drop down box that appears select your main drive e.g. C
Click OK
The System will do some calculation and the display a dialogue box with TABS
Select the More Options Tab.
At the bottom will be a system restore box with a CLEANUP button click this
Accept the Warning and select OK again, the program will close and you are done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

cd304 · « **Reply #12 on:** June 02, 2010, 08:48:12 AM »

Here is the Security Check log:

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 20
Adobe Flash Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
CA CA Internet Security Suite CA Anti-Virus ISafe.exe
CA CA Internet Security Suite CA Anti-Virus VetMsg.exe
CA CA Internet Security Suite CA Personal Firewall capfsem.exe
````````````````````````````````
DNS Vulnerability Check:
[color]nslookup.exe missing![/color]
Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````

Dr Jay · « **Reply #13 on:** June 03, 2010, 11:13:37 AM »

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

Code: [Select]

:filefind
nslookup.exe

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

cd304 · « **Reply #14 on:** June 04, 2010, 07:18:56 AM »

Here is the SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:14 on 04/06/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "nslookup.exe"
C:\WINNT\$NtServicePackUninstall$\nslookup.exe   -----c 76800 bytes   [17:18 22/07/2008]   [07:56 04/08/2004] CE3E0B8C9FB00AE2B214B1C951C4326F
C:\WINNT\ServicePackFiles\i386\nslookup.exe   ------ 76800 bytes   [07:56 04/08/2004]   [00:12 14/04/2008] 4C1718D6FCC35C25D1616247D374672B
C:\WINNT\system32\nslookup.exe   --a--- 76800 bytes   [06:00 01/01/1980]   [00:12 14/04/2008] 4C1718D6FCC35C25D1616247D374672B

-=End Of File=-

Dr Jay · « **Reply #15 on:** June 04, 2010, 04:24:11 PM »

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

===============================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

See this page for more info about malware and prevention.

cd304 · « **Reply #16 on:** June 07, 2010, 08:02:33 AM »

DragonMaster Jay - Thank you for your help and guidance in solving these computer issues!

Dr Jay · « **Reply #17 on:** June 07, 2010, 03:06:28 PM »

You're welcome.

Computer Hope Forum

News:

Author Topic: IE 7 Redirects (Read 14915 times)

cd304

IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects

cd304

Re: IE 7 Redirects

Dr Jay

Re: IE 7 Redirects