
Author Topic: Rootkit, Winsock Error, Redirected Searches, Task Bar color change  (Read 13495 times)


telegra1

    Topic Starter


    Rookie

    I have been battling these problems for several weeks now. I have received much help from these forums, but it is now time to post for my own problem. The original infection seems to have been a FakeAlert trojan. This included corruption of rundll32.exe, which disabled just about everything. With help from this forum I was able to repair rundll32. Since then, when doing a McAfee scan I would get an alert telling me McAfee found a rootkit. McAfee recommended a program called McAfee Pre Scan, which I have not been able to find on their site. I performed Safe Mode scans as advised, but McAfee did not detect anything.

    I have installed Comodo Firewall, Malwarebytes, ComboFix, and HijackThis. Malwarebytes does not detect anything in Normal mode or Safe Mode.

    Symptoms are as follows:
    1. Redirected searches, Google, Bing
    2. Mozilla Firefox opening a tab on its own
    3. Task Bar has changed from XP blue to old Windows gray
    4. Unable to connect to the network; IE reports a Winsock error
    5. When I go to Microsoft Updates I am redirected and cannot access MS Update.

    So that is where it stands now. Item 4 is most recent occurring just last night. I tried a Winsock repair tool (LSPFix) that told me that everything was fine with Winsock. Still unable to connect.

    I have a recent HijackThis log. I have deleted a couple items in this log, the omzun.exe, ctfmon.exe and two others that the tool on this site could not identify. I have also deleted MSN Messenger. The log is posted below.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:15:27 PM, on 6/2/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\WINDOWS\vVX6000.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\WINDOWS\system32\java.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272167738000
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs:   C:\WINDOWS\system32\guard32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

    --
    End of file - 7488 bytes
    « Last Edit: June 05, 2010, 10:55:24 AM by telegra1 »
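For a reader working through a HijackThis log like the one above, the useful skill is picking out which O4 autostart entries deserve a closer look. The script below is an added example and is not part of the original post or of HijackThis itself. It parses the O4 and O20 line formats shown in the log and applies heuristics I chose for this illustration (a Run value named with a bare GUID, an autostart target under a user-profile data directory, an unqualified filename, a startup item under the .DEFAULT profile, and any AppInit_DLLs entry). The sample lines are copied from the logs in this thread; the rule set and the function names are my own assumptions.

```python
import re

# Autostart lines copied from the HijackThis logs posted in this thread
# (nothing invented); ctfmon, StartCCC and the Global Startup item serve as
# benign controls for the rules below.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun',
    r'O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"',
    r"O4 - .DEFAULT User Startup: gyqig.exe (User 'Default user')",
    r'O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe',
    r'O20 - AppInit_DLLs:   C:\WINDOWS\system32\guard32.dll',
]

# Line formats as HijackThis 2.0.2 prints them.
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - (?P<where>.*?Startup): (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs:\s*(?P<dlls>\S.*)$')

# Heuristics (my assumptions for this example, not HijackThis rules).
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
PROFILE_DIR_RE = re.compile(r'\\(?:Application Data|Local Settings)\\', re.IGNORECASE)


def executable_path(cmd):
    """Pull the program path out of a Run-value command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_line(line):
    """Return the reasons this autostart line deserves a second look (empty if none)."""
    reasons = []
    m = O4_RUN_RE.match(line)
    if m:
        path = executable_path(m.group('cmd'))
        if GUID_RE.match(m.group('name')):
            reasons.append('Run value named with a bare GUID')
        if PROFILE_DIR_RE.search(path):
            reasons.append('autostart target lives in a user-profile data directory')
        if '\\' not in path:
            reasons.append('unqualified filename resolved through the search path; confirm which file runs')
        return reasons
    m = O4_STARTUP_RE.match(line)
    if m and m.group('where').startswith('.DEFAULT'):
        reasons.append('startup item registered under the .DEFAULT profile')
        return reasons
    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs are loaded into every process that links user32.dll.
        reasons.append('AppInit_DLLs injects %s into every process that loads user32.dll; confirm its publisher'
                       % m.group('dlls'))
    return reasons


def triage(lines):
    """Run every line through triage_line and keep only the flagged ones."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LINES):
        print(line)
        for reason in reasons:
            print('    ->', reason)
```

The output is a triage list, not a verdict: the audio-driver shortcut is flagged only because it is launched by bare filename, while the GUID-named Run value pointing into `Application Data\Kuyzwe` trips two rules at once and is the kind of entry a helper would ask about first.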

    patio

    • Moderator



    telegra1

      Topic Starter


      Rookie

      Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
      « Reply #2 on: June 05, 2010, 04:18:44 PM »
      OK, thanks. Running CCleaner did not seem to reveal anything. I did a system restore back to June 1, and so I now have the familiar blue task bar back. I had to do a system restore in order to get back online to download SUPERAntiSpyware. I ran it first with the default settings and it quarantined 108 cookies and one DLL, as shown below. Running it a second time with the recommended settings did not reveal any more problems.

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 06/05/2010 at 02:00 PM

      Application Version : 4.38.1004

      Core Rules Database Version : 5036
      Trace Rules Database Version: 2848

      Scan type       : Complete Scan
      Total Scan Time : 00:37:55

      Memory items scanned      : 634
      Memory threats detected   : 0
      Registry items scanned    : 5762
      Registry threats detected : 0
      File items scanned        : 22437
      File threats detected     : 109

      Adware.Tracking Cookie
         C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@advertise[1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@bizzclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[4].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[5].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@atdmt[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@overture[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@kontera[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clicksor[6].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[5].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@statcounter[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[6].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[5].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@burstnet[3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@burstnet[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@entrepreneur[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@yadro[2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][4].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[4].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][6].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][5].txt
         C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[5].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clickbank[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@clickbank[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@specificclick[2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertising[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@pointroll[4].txt
         C:\Documents and Settings\NetworkService\Cookies\system@pointroll[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@pointroll[5].txt
         C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt

      Trojan.Agent/Gen
         C:\WINDOWS\SYSTEM32\MIREPCMW.DLL

      telegra1

        Topic Starter


        Rookie

        Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
        « Reply #3 on: June 05, 2010, 04:30:13 PM »
        Malwarebytes scan with no detections. I looked through my five previous logs, and there were never any detections.

        Malwarebytes' Anti-Malware 1.46
        www.malwarebytes.org

        Database version: 4171

        Windows 5.1.2600 Service Pack 3
        Internet Explorer 8.0.6001.18702

        6/5/2010 3:31:12 PM
        mbam-log-2010-06-05 (15-31-12).txt

        Scan type: Quick scan
        Objects scanned: 131363
        Time elapsed: 5 minute(s), 11 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        (No malicious items detected)

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)



        telegra1

          Topic Starter


          Rookie

          Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
          « Reply #4 on: June 05, 2010, 07:31:09 PM »
          OK, I have followed the directions and performed the steps as requested. Below is the HJT log file. I have also attached the log files posted upthread to this post.

          I mentioned earlier that I had restored the blue task bar. At one point I rebooted and the task bar had returned to the old-style gray. I had to do another system restore and had to delete old Java files once again. I will create another system restore point before rebooting again.

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 6:22:52 PM, on 6/5/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v8.00 (8.00.6001.18702)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\McAfee\Common Framework\FrameworkService.exe
          C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
          C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
          C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
          C:\Program Files\McAfee\Common Framework\UdaterUI.exe
          C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
          C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
          C:\WINDOWS\vVX6000.exe
          C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
          C:\Program Files\McAfee\Common Framework\McTray.exe
          C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
          C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Windows Desktop Search\WindowsSearch.exe
          C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
          C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
          C:\WINDOWS\system32\SearchIndexer.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Trend Micro\HijackThis\sniper.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
          O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
          O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
          O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
          O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
          O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
          O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
          O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
          O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
          O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
          O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
          O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
          O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"
          O4 - .DEFAULT User Startup: gyqig.exe (User 'Default user')
          O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
          O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
          O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
          O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
          O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
          O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272167738000
          O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
          O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
          O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
          O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
          O20 - AppInit_DLLs:   C:\WINDOWS\system32\guard32.dll
          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
          O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
          O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
          O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
          O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
          O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
          O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

          --
          End of file - 7743 bytes



          tgp1994



            Beginner

          Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
          « Reply #5 on: June 05, 2010, 09:42:56 PM »
          I think your next step is to download one of the following free antivirus tools:

          # Avast! Home Edition
          # AVG Free Edition
          # AntiVir Personal
          # Microsoft Security Essentials

          Of course, uninstall any other antivirus first, then install one, scan, clean, remove, and repeat.

          telegra1

            Topic Starter


            Rookie

            Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
            « Reply #6 on: June 06, 2010, 12:14:05 AM »
            I realize that is an option. It seems incompetent for McAfee to detect a rootkit and yet not do anything about it. Their forum includes threads on FakeAlert, yet they don't offer a real fix.

            Thanks for the suggestion, I will wait for someone with more mojo ;) to tell me that before I start uninstalling McAfee.

tgp1994

  Beginner
            Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
            « Reply #7 on: June 06, 2010, 09:16:16 AM »
            Well, you know what, I suppose you don't exactly have to uninstall it. You should be able to install any one of those applications along side it. So what Rootkit exactly is McAfee reporting again? They have several removing tools available on their website, and (go figure;) an $80 service for virus removal, which I would not recommend.

SuperDave

• Malware Removal Specialist
• Moderator
            Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
            « Reply #8 on: June 06, 2010, 12:39:21 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

            1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
            2. The fixes are specific to your problem and should only be used for this issue on this machine.
            3. If you don't know or understand something, please don't hesitate to ask.
            4. Please DO NOT run any other tools or scans while I am helping you.
            5. It is important that you reply to this thread. Do not start a new topic.
            6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
            7. Absence of symptoms does not mean that everything is clear.

            Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

            Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

            Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

            Exit out of MessengerDisable then delete the two files that were put on the desktop.

            =========================================

            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
            O4 - HKCU\..\Run: [{33417D3A-51C4-0B08-676C-0F42AC85C204}] "C:\Documents and Settings\Jon\Application Data\Kuyzwe\omzun.exe"
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

            =======================================

            Download ComboFix by sUBs from one of the below links. 

            Important! You MUST save ComboFix to your desktop

Link #1
Link #2

            Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

            Double click on ComboFix.exe & follow the prompts.

            Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

            Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

            When the scan completes it will open a text window.
             
            Post the contents of that log in your next reply.

            Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

            telegra1

              Topic Starter


              Rookie

              Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
              « Reply #9 on: June 07, 2010, 12:33:02 AM »
              Awesome! I feel like progress is being made. ComboFix detected a rootkit, quarantined it and rebooted. Before scanning with ComboFix I googled a few times without being redirected so that is greatly appreciated. I haven't tried to get to Windows Update yet but I will after posting. Edit:Successful update from MS, three security related updates! Thanks again. 8)

               ComboFix 10-06-06.01 - Jon 06/06/2010  23:12:23.2.2 - x86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2606 [GMT -7:00]
              Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
              AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
              FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
               * Resident AV is active

              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\documents and settings\Jon\g2mdlhlpx.exe
              c:\windows\system32\mirepcmw.dll

              Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
              Restored copy from - Kitty had a snack :p
              .
              (((((((((((((((((((((((((   Files Created from 2010-05-07 to 2010-06-07  )))))))))))))))))))))))))))))))
              .

              2010-06-06 00:35 . 2010-04-13 00:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
              2010-06-05 23:47 . 2010-06-05 23:47   --------   d-----w-   c:\windows\system32\wbem\Repository
              2010-06-05 23:43 . 2010-06-05 23:46   --------   d-----w-   c:\documents and settings\Jon\Application Data\Kuyzwe
              2010-06-05 20:17 . 2010-06-05 20:17   --------   d-----w-   c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
              2010-06-05 20:16 . 2010-06-05 23:39   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-05-29 02:29 . 2010-06-01 06:12   --------   d-----w-   C:\AstroGeometry

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-06-07 06:09 . 2010-04-20 17:48   0   ----a-w-   c:\windows\system32\tmp.tmp
              2010-06-07 05:46 . 2010-04-09 08:26   278288   ----a-w-   c:\windows\system32\guard32.dll
              2010-06-07 05:46 . 2010-04-09 08:25   87824   ----a-w-   c:\windows\system32\drivers\inspect.sys
              2010-06-07 05:46 . 2010-04-09 08:25   25240   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
              2010-06-07 05:46 . 2010-04-09 08:25   15464   ----a-w-   c:\windows\system32\drivers\cmderd.sys
              2010-06-07 05:46 . 2010-04-09 08:25   230360   ----a-w-   c:\windows\system32\drivers\cmdGuard.sys
              2010-06-06 00:35 . 2009-06-27 17:06   --------   d-----w-   c:\program files\Java
              2010-06-06 00:18 . 2009-06-27 17:06   --------   d-----w-   c:\program files\Common Files\Java
              2010-06-06 00:03 . 2004-08-04 06:00   42112   ----a-w-   c:\windows\system32\drivers\imapi.sys
              2010-06-05 02:28 . 2009-08-25 05:43   158528   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
              2010-05-31 20:52 . 2009-11-02 06:19   --------   d-----w-   c:\documents and settings\Jon\Application Data\Odbyzi
              2010-05-26 04:53 . 2010-04-23 02:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2010-05-24 04:35 . 2010-04-06 14:46   664   ----a-w-   c:\windows\system32\d3d9caps.dat
              2010-05-22 20:31 . 2009-04-28 17:28   --------   d-----w-   c:\program files\McAfee
              2010-05-02 21:28 . 2010-05-02 05:04   --------   d-----w-   c:\program files\Google
              2010-05-02 20:23 . 2010-05-02 20:23   --------   d-----w-   c:\documents and settings\Administrator\Application Data\IObit
              2010-05-02 17:30 . 2010-05-02 05:04   --------   d-----w-   c:\documents and settings\Jon\Application Data\Skype
              2010-05-02 15:52 . 2010-05-02 05:15   --------   d-----w-   c:\documents and settings\Jon\Application Data\skypePM
              2010-05-02 05:15 . 2010-05-02 05:15   48   ---ha-w-   c:\windows\system32\ezsidmv.dat
              2010-05-02 05:03 . 2010-05-02 05:03   --------   d-----r-   c:\program files\Skype
              2010-05-02 05:03 . 2010-05-02 05:03   --------   d-----w-   c:\program files\Common Files\Skype
              2010-05-02 05:03 . 2010-05-02 05:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
              2010-04-30 14:42 . 2010-04-30 14:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\COMODO
              2010-04-30 14:40 . 2010-04-23 03:10   --------   d-----w-   c:\program files\COMODO
              2010-04-30 14:37 . 2010-04-24 18:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Comodo Downloader
              2010-04-30 14:36 . 2010-04-23 03:10   --------   d-----w-   c:\documents and settings\Jon\Application Data\Comodo
              2010-04-29 22:39 . 2010-04-23 02:25   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-04-29 22:39 . 2010-04-23 02:25   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-04-23 02:35 . 2010-04-23 02:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
              2010-04-23 02:25 . 2010-04-23 02:25   --------   d-----w-   c:\documents and settings\Jon\Application Data\Malwarebytes
              2010-04-23 02:25 . 2010-04-23 02:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2010-04-17 22:44 . 2010-04-17 22:44   --------   d-----w-   c:\program files\Trend Micro
              2010-04-16 05:55 . 2010-04-16 04:58   --------   d-----w-   c:\program files\Windows Live Safety Center
              2010-04-10 04:24 . 2010-04-10 04:24   --------   d-----w-   c:\program files\Support Tools
              2010-04-10 04:24 . 2009-04-24 23:44   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
              2010-03-10 06:15 . 2004-08-04 07:56   420352   ----a-w-   c:\windows\system32\vbscript.dll
              .

              (((((((((((((((((((((((((((((   SnapShot@2010-04-16_04.34.02   )))))))))))))))))))))))))))))))))))))))))
              .
              + 2010-06-07 06:11 . 2010-06-07 06:11   16384              c:\windows\Temp\Perflib_Perfdata_15c.dat
              - 2004-08-04 06:00 . 2010-04-10 18:55   42112              c:\windows\system32\dllcache\imapi.sys
              + 2004-08-04 06:00 . 2010-06-06 00:03   42112              c:\windows\system32\dllcache\imapi.sys
              + 2010-05-02 05:11 . 2010-05-02 05:11   22528              c:\windows\Installer\8846d.msi
              + 2009-08-07 02:23 . 2009-08-07 02:23   215904              c:\windows\system32\muweb.dll
              + 2010-06-06 00:35 . 2010-04-13 00:29   153376              c:\windows\system32\javaws.exe
              + 2010-06-06 00:35 . 2010-04-13 00:29   145184              c:\windows\system32\javaw.exe
              - 2009-09-12 17:14 . 2009-07-25 12:23   145184              c:\windows\system32\javaw.exe
              + 2010-06-06 00:35 . 2010-04-13 00:29   145184              c:\windows\system32\java.exe
              - 2009-09-12 17:14 . 2009-07-25 12:23   145184              c:\windows\system32\java.exe
              - 2008-06-20 11:08 . 2010-02-11 12:02   226880              c:\windows\system32\dllcache\tcpip6.sys
              + 2004-08-04 06:07 . 2010-02-11 12:02   226880              c:\windows\system32\dllcache\tcpip6.sys
              + 2010-06-01 17:08 . 2010-06-01 17:08   348160              c:\windows\system32\config\systemprofile\ntuser.dat
              + 2010-05-02 05:04 . 2010-05-02 05:04   700416              c:\windows\Installer\88464.msi
              + 2010-06-06 00:35 . 2010-06-06 00:35   180224              c:\windows\Installer\2ad1f8.msi
              + 2010-05-02 05:03 . 2010-05-02 05:03   371272              c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
              + 2010-06-05 19:35 . 2010-06-05 23:47   8420340              c:\windows\system32\Restore\rstrlog.dat
              + 2010-05-02 05:03 . 2010-05-02 05:03   1575936              c:\windows\Installer\8845f.msi
              + 2010-04-30 14:40 . 2010-04-30 14:40   3651072              c:\windows\Installer\1c391.msi
              + 2010-04-30 14:37 . 2010-04-30 14:37   1516544              c:\windows\Installer\1c38d.msi
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]
              "{33417D3A-51C4-0B08-676C-0F42AC85C204}"="c:\documents and settings\Jon\Application Data\Kuyzwe\omzun.exe" [2009-10-17 133146]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
              "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
              "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
              "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
              "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
              "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2010-05-07 642856]
              "VX6000"="c:\windows\vVX6000.exe" [2009-06-27 759296]
              "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-09-04 315392]
              "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-07 2039240]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

              c:\documents and settings\Administrator\Start Menu\Programs\Startup\
              ubxo.exe [2010-5-20 132687]

              c:\documents and settings\Jon\Start Menu\Programs\Startup\
              OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
              "AppInit_DLLs"=c:\windows\system32\guard32.dll

              [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
              SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirepcmw.dll

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
              @="Service"

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
              "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
              "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
              "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
              "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
              "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
              "67:UDP"= 67:UDP:DHCP Discovery Service

              R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [4/9/2010 1:25 AM 230360]
              R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/9/2010 1:25 AM 25240]
              R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
              R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [9/11/2009 11:39 PM 12032]
              R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [9/11/2009 11:39 PM 39424]
              R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/26/2009 5:21 PM 2069504]
              S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 12:43 PM 204800]
              .
              Contents of the 'Scheduled Tasks' folder

              2010-06-07 c:\windows\Tasks\AWC AutoSweep.job
              - c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-06 21:11]
              .
              .
              ------- Supplementary Scan -------
              .
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
              IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
              Trusted Zone: microsoft.com\www.update
              FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\7k49vc2y.default\
              FF - prefs.js: browser.startup.homepage - hxxp://www.sfgate.com/
              FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
              FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
              FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

              ---- FIREFOX POLICIES ----
              FF - user.js: network.cookie.cookieBehavior - 0
              FF - user.js: privacy.clearOnShutdown.cookies - false
              FF - user.js: security.warn_viewing_mixed - false
              FF - user.js: security.warn_viewing_mixed.show_once - false
              FF - user.js: security.warn_submit_insecure - false
              FF - user.js: security.warn_submit_insecure.show_once - false
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
              .
              - - - - ORPHANS REMOVED - - - -

              AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Jon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-06-06 23:20
              Windows 5.1.2600 Service Pack 3 NTFS

              detected NTDLL code modification:
              ZwClose, ZwOpenFile

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(728)
              c:\windows\system32\Ati2evxx.dll
              .
              Completion time: 2010-06-06  23:22:25
              ComboFix-quarantined-files.txt  2010-06-07 06:22
              ComboFix2.txt  2010-04-16 04:37

              Pre-Run: 60,145,414,144 bytes free
              Post-Run: 60,256,358,400 bytes free

              - - End Of File - - 5B1895CC672BFD8BC9CA2192D8A7C7BB


              « Last Edit: June 07, 2010, 12:49:51 AM by telegra1 »
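The ComboFix log above contains the loading points a malware-removal helper reads by eye: the GUID-named HKCU Run value that launches omzun.exe from a directory under Application Data, a bare ubxo.exe sitting in the Administrator Startup folder, mirepcmw.dll appended to the SecurityProviders list (the same DLL ComboFix deleted from system32), a populated AppInit_DLLs, and EnableFirewall set to 0. The Python script below is an added example, not code from this thread or from ComboFix; it parses a ComboFix-style "Reg Loading Points" dump and flags those patterns. The default SecurityProviders set it compares against is what a clean Windows XP SP3 install carries (an assumption; adjust it for other Windows versions), and the sample text is constructed from the lines of the log posted above. Every flag is a lead to verify rather than a verdict: guard32.dll in AppInit_DLLs here belongs to COMODO, and the script flags it only because anything in that value deserves a vendor check.

```python
"""Heuristic triage of a ComboFix-style 'Reg Loading Points' dump.
Added example, not code from the thread. It flags what a malware-removal
helper checks by eye: GUID-named Run values or ones launched from a user's
profile data dir, bare executables in a Startup folder, SecurityProviders
DLLs beyond the XP SP3 defaults, a populated AppInit_DLLs, and a disabled
firewall profile. Every flag is a lead to verify, not a verdict.
"""
import re

# Assumption: the SSP list a clean Windows XP SP3 install carries.
XP_DEFAULT_SSPS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
PROFILE_DATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:application data|local settings)\\", re.I)
EXEC_EXT = (".exe", ".com", ".scr", ".dll")

# Constructed sample: the relevant lines copied from the ComboFix log above.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]
"{33417D3A-51C4-0B08-676C-0F42AC85C204}"="c:\documents and settings\Jon\Application Data\Kuyzwe\omzun.exe" [2009-10-17 133146]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ubxo.exe [2010-5-20 132687]

c:\documents and settings\Jon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirepcmw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_sections(text):
    """Group entry lines under their header: a [registry key] or a Startup
    folder, which ComboFix prints as a bare path ending in a backslash."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (line.startswith("[") and line.endswith("]")) or line.endswith("\\"):
            current = (line.strip("[]"), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def triage(text):
    """Return (header, item, reason) tuples for every suspicious entry."""
    findings = []
    for header, lines in parse_sections(text):
        h = header.lower()
        for line in lines:
            if h.endswith(r"\currentversion\run") and (m := RUN_RE.match(line)):
                why = []
                if GUID_RE.match(m["name"]):
                    why.append("GUID-named Run value")
                if PROFILE_DATA_RE.search(m["path"]):
                    why.append("launched from a user's profile data directory")
                if why:
                    findings.append((header, m["path"], "; ".join(why)))
            elif h.endswith("\\startup\\"):
                # ".lnk - target" lines are shortcuts; a bare binary is unusual
                item = line.split(" [", 1)[0].split(" - ", 1)[0]
                if item.lower().endswith(EXEC_EXT):
                    findings.append((header, item, "bare executable in Startup folder"))
            elif h.endswith(r"\control\securityproviders") and line.lower().startswith("securityproviders"):
                for dll in line[len("SecurityProviders"):].split(","):
                    dll = dll.strip().lower()
                    if dll and dll not in XP_DEFAULT_SSPS:
                        findings.append((header, dll, "non-default SSP DLL, loaded at startup via SecurityProviders"))
            elif h.endswith(r"\windows nt\currentversion\windows"):
                key, _, value = line.partition("=")
                if key.strip('"').lower() == "appinit_dlls" and value.strip():
                    findings.append((header, value.strip(), "AppInit_DLLs set: injected into every user32 process, verify vendor"))
            elif h.endswith(r"firewallpolicy\standardprofile"):
                m = re.match(r'^"EnableFirewall"=\s*(\d+)', line)
                if m and int(m.group(1)) == 0:
                    findings.append((header, "EnableFirewall", "Windows Firewall disabled for the standard profile"))
    return findings


if __name__ == "__main__":
    for header, item, reason in triage(SAMPLE):
        print(f"{reason}\n    {item}\n    in {header}")
```

Run against the sample it reports five leads and stays silent on the IObit Run entry and the OneNote shortcut. The two checks that carry the most weight on this machine are the SecurityProviders diff (an extra SSP DLL is loaded early and survives a reboot regardless of what happens to the Run keys) and the profile-directory Run value, which is exactly the entry the HijackThis fix above targets; feeding the script a dump from a different Windows version requires replacing the XP default SSP set first.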

kristain

  Beginner
                Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
                « Reply #10 on: June 07, 2010, 03:17:58 AM »
                Edited
                « Last Edit: June 07, 2010, 06:31:41 AM by SuperDave »

SuperDave

• Malware Removal Specialist
• Moderator
                Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
                « Reply #11 on: June 07, 2010, 05:31:49 PM »
                Re-running ComboFix to remove infections:

                • Close any open browsers.
                • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                • Open notepad and copy/paste the text in the quotebox below into it:
                  Quote
                  KillAll::

                  File::
                  c:\windows\system32\tmp.tmp

                  DDS::
                  Trusted Zone: microsoft.com\www.update

                • Save this as CFScript.txt, in the same location as ComboFix.exe



                • Referring to the picture above, drag CFScript into ComboFix.exe
                • When finished, it shall produce a log for you at C:\ComboFix.txt
                • Please post the contents of the log in your next reply.

                =============================

                Download GMER Rootkit Detector and save it your desktop.
                 
                * Extract it to your desktop and double-click GMER.exe
                * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
                * Click the Rootkit tab and then Scan.
                * Don't check the Show All box while scanning in progress!
                * When scanning is finished click Copy.
                * This copies the log to clipboard
                * Post the log in your reply.


                telegra1

                  Topic Starter


                  Rookie

                  Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
                  « Reply #12 on: June 07, 2010, 10:16:21 PM »
                  Completed the two scans. GMER ended with a popup that said "Scan Stopped!". Not sure if that is normal or not but I did not do anything to stop it.

                  ComboFix 10-06-06.01 - Jon 06/07/2010  19:37:09.3.2 - x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2569 [GMT -7:00]
                  Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
                  Command switches used :: c:\documents and settings\Jon\Desktop\CFScript.txt
                  AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
                  FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

                  FILE ::
                  "c:\windows\system32\tmp.tmp"
                  .

                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  c:\windows\system32\tmp.tmp

                  .
                  (((((((((((((((((((((((((   Files Created from 2010-05-08 to 2010-06-08  )))))))))))))))))))))))))))))))
                  .

                  2010-06-06 00:35 . 2010-04-13 00:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                  2010-06-05 23:47 . 2010-06-05 23:47   --------   d-----w-   c:\windows\system32\wbem\Repository
                  2010-06-05 23:43 . 2010-06-05 23:46   --------   d-----w-   c:\documents and settings\Jon\Application Data\Kuyzwe
                  2010-06-05 20:17 . 2010-06-05 20:17   --------   d-----w-   c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
                  2010-06-05 20:16 . 2010-06-05 23:39   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2010-05-29 02:29 . 2010-06-01 06:12   --------   d-----w-   C:\AstroGeometry

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2010-06-07 05:46 . 2010-04-09 08:26   278288   ----a-w-   c:\windows\system32\guard32.dll
                  2010-06-07 05:46 . 2010-04-09 08:25   87824   ----a-w-   c:\windows\system32\drivers\inspect.sys
                  2010-06-07 05:46 . 2010-04-09 08:25   25240   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
                  2010-06-07 05:46 . 2010-04-09 08:25   15464   ----a-w-   c:\windows\system32\drivers\cmderd.sys
                  2010-06-07 05:46 . 2010-04-09 08:25   230360   ----a-w-   c:\windows\system32\drivers\cmdGuard.sys
                  2010-06-06 00:35 . 2009-06-27 17:06   --------   d-----w-   c:\program files\Java
                  2010-06-06 00:18 . 2009-06-27 17:06   --------   d-----w-   c:\program files\Common Files\Java
                  2010-06-06 00:03 . 2004-08-04 06:00   42112   ----a-w-   c:\windows\system32\drivers\imapi.sys
                  2010-06-05 02:28 . 2009-08-25 05:43   158528   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
                  2010-05-31 20:52 . 2009-11-02 06:19   --------   d-----w-   c:\documents and settings\Jon\Application Data\Odbyzi
                  2010-05-26 04:53 . 2010-04-23 02:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2010-05-24 04:35 . 2010-04-06 14:46   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                  2010-05-22 20:31 . 2009-04-28 17:28   --------   d-----w-   c:\program files\McAfee
                  2010-05-02 21:28 . 2010-05-02 05:04   --------   d-----w-   c:\program files\Google
                  2010-05-02 20:23 . 2010-05-02 20:23   --------   d-----w-   c:\documents and settings\Administrator\Application Data\IObit
                  2010-05-02 17:30 . 2010-05-02 05:04   --------   d-----w-   c:\documents and settings\Jon\Application Data\Skype
                  2010-05-02 15:52 . 2010-05-02 05:15   --------   d-----w-   c:\documents and settings\Jon\Application Data\skypePM
                  2010-05-02 05:15 . 2010-05-02 05:15   48   ---ha-w-   c:\windows\system32\ezsidmv.dat
                  2010-05-02 05:03 . 2010-05-02 05:03   --------   d-----r-   c:\program files\Skype
                  2010-05-02 05:03 . 2010-05-02 05:03   --------   d-----w-   c:\program files\Common Files\Skype
                  2010-05-02 05:03 . 2010-05-02 05:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
                  2010-04-30 14:42 . 2010-04-30 14:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\COMODO
                  2010-04-30 14:40 . 2010-04-23 03:10   --------   d-----w-   c:\program files\COMODO
                  2010-04-30 14:37 . 2010-04-24 18:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Comodo Downloader
                  2010-04-30 14:36 . 2010-04-23 03:10   --------   d-----w-   c:\documents and settings\Jon\Application Data\Comodo
                  2010-04-29 22:39 . 2010-04-23 02:25   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2010-04-29 22:39 . 2010-04-23 02:25   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2010-04-23 02:35 . 2010-04-23 02:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                  2010-04-23 02:25 . 2010-04-23 02:25   --------   d-----w-   c:\documents and settings\Jon\Application Data\Malwarebytes
                  2010-04-23 02:25 . 2010-04-23 02:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2010-04-17 22:44 . 2010-04-17 22:44   --------   d-----w-   c:\program files\Trend Micro
                  2010-04-16 05:55 . 2010-04-16 04:58   --------   d-----w-   c:\program files\Windows Live Safety Center
                  2010-04-10 04:24 . 2010-04-10 04:24   --------   d-----w-   c:\program files\Support Tools
                  2010-04-10 04:24 . 2009-04-24 23:44   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
                  2010-03-10 06:15 . 2004-08-04 07:56   420352   ----a-w-   c:\windows\system32\vbscript.dll
                  .

                  (((((((((((((((((((((((((((((   SnapShot@2010-04-16_04.34.02   )))))))))))))))))))))))))))))))))))))))))
                  .
                  + 2010-06-08 02:45 . 2010-06-08 02:45   16384              c:\windows\temp\Perflib_Perfdata_5ac.dat
                  - 2008-10-22 09:47 . 2010-01-23 08:11   46080              c:\windows\system32\tzchange.exe
                  + 2008-10-22 09:47 . 2010-04-21 13:28   46080              c:\windows\system32\tzchange.exe
                  - 2004-08-04 06:00 . 2010-04-10 18:55   42112              c:\windows\system32\dllcache\imapi.sys
                  + 2004-08-04 06:00 . 2010-06-06 00:03   42112              c:\windows\system32\dllcache\imapi.sys
                  + 2010-05-02 05:11 . 2010-05-02 05:11   22528              c:\windows\Installer\8846d.msi
                  + 2009-08-07 02:23 . 2009-08-07 02:23   215904              c:\windows\system32\muweb.dll
                  + 2010-06-06 00:35 . 2010-04-13 00:29   153376              c:\windows\system32\javaws.exe
                  + 2010-06-06 00:35 . 2010-04-13 00:29   145184              c:\windows\system32\javaw.exe
                  - 2009-09-12 17:14 . 2009-07-25 12:23   145184              c:\windows\system32\javaw.exe
                  - 2009-09-12 17:14 . 2009-07-25 12:23   145184              c:\windows\system32\java.exe
                  + 2010-06-06 00:35 . 2010-04-13 00:29   145184              c:\windows\system32\java.exe
                  - 2009-04-24 23:42 . 2008-04-11 19:04   691712              c:\windows\system32\inetcomm.dll
                  + 2009-04-24 23:42 . 2010-01-29 15:01   691712              c:\windows\system32\inetcomm.dll
                  - 2008-06-20 11:08 . 2010-02-11 12:02   226880              c:\windows\system32\dllcache\tcpip6.sys
                  + 2004-08-04 06:07 . 2010-02-11 12:02   226880              c:\windows\system32\dllcache\tcpip6.sys
                  - 2009-04-25 10:01 . 2008-04-11 19:04   691712              c:\windows\system32\dllcache\inetcomm.dll
                  + 2009-04-25 10:01 . 2010-01-29 15:01   691712              c:\windows\system32\dllcache\inetcomm.dll
                  + 2010-06-01 17:08 . 2010-06-01 17:08   348160              c:\windows\system32\config\systemprofile\ntuser.dat
                  + 2010-05-02 05:04 . 2010-05-02 05:04   700416              c:\windows\Installer\88464.msi
                  + 2010-06-06 00:35 . 2010-06-06 00:35   180224              c:\windows\Installer\2ad1f8.msi
                  + 2010-05-02 05:03 . 2010-05-02 05:03   371272              c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
                  + 2010-06-05 19:35 . 2010-06-05 23:47   8420340              c:\windows\system32\Restore\rstrlog.dat
                  + 2009-08-13 00:10 . 2010-01-29 15:01   1315328              c:\windows\system32\dllcache\msoe.dll
                  - 2009-08-13 00:10 . 2009-07-10 13:27   1315328              c:\windows\system32\dllcache\msoe.dll
                  + 2010-05-02 05:03 . 2010-05-02 05:03   1575936              c:\windows\Installer\8845f.msi
                  + 2010-04-30 14:40 . 2010-04-30 14:40   3651072              c:\windows\Installer\1c391.msi
                  + 2010-04-30 14:37 . 2010-04-30 14:37   1516544              c:\windows\Installer\1c38d.msi
                  + 2009-04-27 18:02 . 2010-04-30 18:51   32058312              c:\windows\system32\MRT.exe
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]
                  "{33417D3A-51C4-0B08-676C-0F42AC85C204}"="c:\documents and settings\Jon\Application Data\Kuyzwe\omzun.exe" [2009-10-17 133146]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
                  "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
                  "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
                  "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
                  "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
                  "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2010-05-07 642856]
                  "VX6000"="c:\windows\vVX6000.exe" [2009-06-27 759296]
                  "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-09-04 315392]
                  "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-07 2039240]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

                  c:\documents and settings\Administrator\Start Menu\Programs\Startup\
                  ubxo.exe [2010-5-20 132687]

                  c:\documents and settings\Jon\Start Menu\Programs\Startup\
                  OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                  "AppInit_DLLs"=c:\windows\system32\guard32.dll

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
                  SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mirepcmw.dll

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
                  @="Service"

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
                  "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                  "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
                  "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                  "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
                  "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                  "67:UDP"= 67:UDP:DHCP Discovery Service

                  R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [4/9/2010 1:25 AM 230360]
                  R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/9/2010 1:25 AM 25240]
                  R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
                  R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 12:43 PM 204800]
                  R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [9/11/2009 11:39 PM 12032]
                  R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [9/11/2009 11:39 PM 39424]
                  R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/26/2009 5:21 PM 2069504]
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2010-06-08 c:\windows\Tasks\AWC AutoSweep.job
                  - c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-06 21:11]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                  IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
                  FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\7k49vc2y.default\
                  FF - prefs.js: browser.startup.homepage - hxxp://www.sfgate.com/
                  FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                  FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                  ---- FIREFOX POLICIES ----
                  FF - user.js: network.cookie.cookieBehavior - 0
                  FF - user.js: privacy.clearOnShutdown.cookies - false
                  FF - user.js: security.warn_viewing_mixed - false
                  FF - user.js: security.warn_viewing_mixed.show_once - false
                  FF - user.js: security.warn_submit_insecure - false
                  FF - user.js: security.warn_submit_insecure.show_once - false
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
                  c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                  c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                  c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                  c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
                  .

                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2010-06-07 19:45
                  Windows 5.1.2600 Service Pack 3 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'winlogon.exe'(564)
                  c:\windows\system32\Ati2evxx.dll

                  - - - - - - - > 'explorer.exe'(2828)
                  c:\windows\system32\WININET.dll
                  c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\webcheck.dll
                  c:\windows\system32\WPDShServiceObj.dll
                  c:\windows\system32\PortableDeviceTypes.dll
                  c:\windows\system32\PortableDeviceApi.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\windows\system32\Ati2evxx.exe
                  c:\windows\system32\Ati2evxx.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\McAfee\Common Framework\FrameworkService.exe
                  c:\windows\system32\java.exe
                  c:\program files\McAfee\Common Framework\naPrdMgr.exe
                  c:\windows\system32\SearchIndexer.exe
                  c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
                  c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
                  c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2010-06-07  19:53:18 - machine was rebooted
                  ComboFix-quarantined-files.txt  2010-06-08 02:53
                  ComboFix2.txt  2010-06-07 06:22
                  ComboFix3.txt  2010-04-16 04:37

                  Pre-Run: 60,252,954,624 bytes free
                  Post-Run: 60,171,567,104 bytes free

                  - - End Of File - - AD4898B434D9F9AEB285CFACD04D6697

                  GMER 1.0.15.15281 - http://www.gmer.net
                  Rootkit scan 2010-06-07 20:56:04
                  Windows 5.1.2600 Service Pack 3
                  Running: gmer.exe; Driver: C:\DOCUME~1\Jon\LOCALS~1\Temp\fgncrfob.sys


                  ---- System - GMER 1.0.15 ----

                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwAdjustPrivilegesToken [0xB761D704]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwConnectPort [0xB761CCA8]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwCreateFile [0xB761D36A]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwCreateKey [0xB761DF58]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwCreatePort [0xB761CB84]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwCreateSection [0xB761FFCC]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwCreateSymbolicLinkObject [0xB762039C]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwCreateThread [0xB761C56C]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwDeleteKey [0xB761D8F0]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwDeleteValueKey [0xB761DAE4]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwDuplicateObject [0xB761C35C]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwEnumerateKey [0xB761E67A]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwEnumerateValueKey [0xB761E8D4]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwLoadDriver [0xB761FA4E]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwMakeTemporaryObject [0xB761CF44]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwOpenFile [0xB761D546]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwOpenKey [0xB761DF48]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwOpenProcess [0xB761BF3C]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwOpenSection [0xB761D1F4]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwOpenThread [0xB761C162]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwQueryKey [0xB761EAF0]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwQueryMultipleValueKey [0xB761EF6E]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwQueryValueKey [0xB761ED10]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwRenameKey [0xB761E492]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwRequestWaitReplyPort [0xB761F4E2]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwSecureConnectPort [0xB761F796]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwSetSecurityObject [0xB761DD20]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwSetSystemInformation [0xB761FD14]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwSetValueKey [0xB761E21A]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwShutdownSystem [0xB761CEDE]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwSystemDebugControl [0xB761D0E0]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwTerminateProcess [0xB761C982]
                  SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO)                            ZwTerminateThread [0xB761C76C]

                  ---- Kernel code sections - GMER 1.0.15 ----

                  .text           ntoskrnl.exe!ZwYieldExecution + 19A                                                                                   804E49F4 4 Bytes  CALL 5778015A
                  .text           ntoskrnl.exe!ZwYieldExecution + 2F6                                                                                   804E4B50 8 Bytes  JMP EF6EB761
                  ?               Combo-Fix.sys                                                                                                         The system cannot find the file specified. !
                  .text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                              section is writeable [0xB99EC000, 0x1C5D58, 0xE8000020]
                  ?               C:\DOCUME~1\Jon\LOCALS~1\Temp\mbr.sys                                                                                 The system cannot find the file specified. !
                  ?               C:\ComboFix\catchme.sys                                                                                               The system cannot find the path specified. !
                  ?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                                            The system cannot find the file specified. !

                  ---- User code sections - GMER 1.0.15 ----

                  .text           C:\WINDOWS\system32\SearchIndexer.exe[240] kernel32.dll!WriteFile                                                     7C810E27 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
                  .text           C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[928] ntdll.dll!NtAllocateVirtualMemory                  7C90CF6E 5 Bytes  JMP 004F7CB0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO)
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] ntdll.dll!NtCreateThread                                7C90D1AE 5 Bytes  JMP 001438BA
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] ntdll.dll!LdrLoadDll                                    7C9163C3 5 Bytes  JMP 00143A83
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] kernel32.dll!GetFileAttributesExW                       7C811195 5 Bytes  JMP 00143B2A
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] USER32.dll!TranslateMessage                             7E418BF6 5 Bytes  JMP 0013508F
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] USER32.dll!GetClipboardData                             7E430DBA 5 Bytes  JMP 001351D1
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WS2_32.dll!closesocket                                  71AB3E2B 5 Bytes  JMP 00133A1B
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WS2_32.dll!send                                         71AB4C27 5 Bytes  JMP 00133A58
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WS2_32.dll!WSASend                                      71AB68FA 5 Bytes  JMP 00133A7E
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] CRYPT32.dll!PFXImportCertStore                          77AEFF8F 5 Bytes  JMP 0013AC94
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetReadFile                            3D94654B 5 Bytes  JMP 00134DD2
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpQueryInfoA                              3D94878D 5 Bytes  JMP 00134E96
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetCloseHandle                         3D949088 5 Bytes  JMP 00134D8A
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetQueryDataAvailable                  3D94BF7F 5 Bytes  JMP 00134E65
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestW                            3D94FABE 5 Bytes  JMP 00134B96
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestA                            3D95EE89 5 Bytes  JMP 00134BEF
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!InternetReadFileExA                         3D963381 5 Bytes  JMP 00134E16
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestExA                          3D9BA70A 5 Bytes  JMP 00134CE9
                  .text           C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1620] WININET.dll!HttpSendRequestExW                          3D9BA763 5 Bytes  JMP 00134C48
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] ntdll.dll!NtCreateThread                              7C90D1AE 5 Bytes  JMP 000838BA
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] ntdll.dll!LdrLoadDll                                  7C9163C3 5 Bytes  JMP 00083A83
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] kernel32.dll!GetFileAttributesExW                     7C811195 5 Bytes  JMP 00083B2A
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] USER32.dll!TranslateMessage                           7E418BF6 5 Bytes  JMP 0007508F
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] USER32.dll!GetClipboardData                           7E430DBA 5 Bytes  JMP 000751D1
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WS2_32.dll!closesocket                                71AB3E2B 5 Bytes  JMP 00073A1B
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WS2_32.dll!send                                       71AB4C27 5 Bytes  JMP 00073A58
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WS2_32.dll!WSASend                                    71AB68FA 5 Bytes  JMP 00073A7E
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] CRYPT32.dll!PFXImportCertStore                        77AEFF8F 5 Bytes  JMP 0007AC94
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetReadFile                          3D94654B 5 Bytes  JMP 00074DD2
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpQueryInfoA                            3D94878D 5 Bytes  JMP 00074E96
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetCloseHandle                       3D949088 5 Bytes  JMP 00074D8A
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetQueryDataAvailable                3D94BF7F 5 Bytes  JMP 00074E65
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestW                          3D94FABE 5 Bytes  JMP 00074B96
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestA                          3D95EE89 5 Bytes  JMP 00074BEF
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!InternetReadFileExA                       3D963381 5 Bytes  JMP 00074E16
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestExA                        3D9BA70A 5 Bytes  JMP 00074CE9
                  .text           C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2168] WININET.dll!HttpSendRequestExW                        3D9BA763 5 Bytes  JMP 00074C48
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtAllocateVirtualMemory                                               7C90CF6E 5 Bytes  JMP 10025D20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtClose                                                               7C90CFEE 5 Bytes  JMP 1001CEC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtCreateFile                                                          7C90D0AE 5 Bytes  JMP 10025DA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtCreateProcess                                                       7C90D14E 5 Bytes  JMP 10025E40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtCreateProcessEx                                                     7C90D15E 5 Bytes  JMP 10025E20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtDeleteFile                                                          7C90D23E 5 Bytes  JMP 10025D60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtFreeVirtualMemory                                                   7C90D38E 5 Bytes  JMP 10025C60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtLoadDriver                                                          7C90D46E 5 Bytes  JMP 10025D00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtOpenFile                                                            7C90D59E 5 Bytes  JMP 10025D80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtProtectVirtualMemory                                                7C90D6EE 5 Bytes  JMP 10025D40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtSetInformationProcess                                               7C90DC9E 5 Bytes  JMP 10025CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtUnloadDriver                                                        7C90DEBE 5 Bytes  JMP 10025CE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtWriteVirtualMemory                                                  7C90DFAE 5 Bytes  JMP 10025DC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!RtlAllocateHeap                                                       7C9100C4 5 Bytes  JMP 10025C80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!LdrLoadDll                                                            7C9163C3 5 Bytes  JMP 100234C0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!LdrUnloadDll                                                          7C91738B 5 Bytes  JMP 1001CFE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!LdrGetProcedureAddress                                                7C917EA8 5 Bytes  JMP 10025CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateFileA                                                        7C801A28 5 Bytes  JMP 10025BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!VirtualProtect                                                     7C801AD4 5 Bytes  JMP 10025940 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryExW                                                     7C801AF5 7 Bytes  JMP 10025BE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryExA                                                     7C801D53 5 Bytes  JMP 10025C00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryA                                                       7C801D7B 5 Bytes  JMP 100259A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateProcessW                                                     7C802336 5 Bytes  JMP 10025DE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateProcessA                                                     7C80236B 5 Bytes  JMP 10025E00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!GetProcAddress                                                     7C80AE40 5 Bytes  JMP 10025C40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadLibraryW                                                       7C80AEEB 5 Bytes  JMP 10025980 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!GetModuleHandleA                                                   7C80B741 5 Bytes  JMP 100259E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!GetModuleHandleW                                                   7C80E4DD 5 Bytes  JMP 100259C0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateFileW                                                        7C810800 5 Bytes  JMP 10025B80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileWithProgressW                                              7C81F72E 5 Bytes  JMP 10025A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileW                                                          7C821261 5 Bytes  JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!OpenFile                                                           7C821982 5 Bytes  JMP 10025BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileExW                                                        7C827B32 7 Bytes  JMP 10025B00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileA                                                          7C8286EE 5 Bytes  JMP 10025B60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileW                                                          7C82F87B 5 Bytes  JMP 10025B40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!DeleteFileA                                                        7C831EDD 5 Bytes  JMP 10025A20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!DeleteFileW                                                        7C831F63 5 Bytes  JMP 10025A00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileExW                                                        7C83568B 5 Bytes  JMP 10025A80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileA                                                          7C835EBF 5 Bytes  JMP 10025AE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileWithProgressA                                              7C835EDE 5 Bytes  JMP 10025A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!MoveFileExA                                                        7C85E49B 5 Bytes  JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CopyFileExA                                                        7C85F39C 5 Bytes  JMP 10025B20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!WinExec                                                            7C86250D 5 Bytes  JMP 10025960 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!LoadModule                                                         7C86261E 5 Bytes  JMP 10025C20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!OpenServiceW                                                       77DE6FFD 7 Bytes  JMP 10026890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateProcessAsUserW                                               77DEA8A9 5 Bytes  JMP 1001F730 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!OpenServiceA                                                       77DF4C66 7 Bytes  JMP 100265F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateProcessAsUserA                                               77E10CE8 5 Bytes  JMP 1001FF40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateServiceA                                                     77E37211 7 Bytes  JMP 10026DE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ADVAPI32.dll!CreateServiceW                                                     77E373A9 7 Bytes  JMP 10026B00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] USER32.dll!EndTask                                                              7E45A0A5 5 Bytes  JMP 10027420 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteExW                                                     7CA0996B 5 Bytes  JMP 100258C0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteEx                                                      7CA40EB5 5 Bytes  JMP 100258E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteA                                                       7CA411E0 5 Bytes  JMP 10025920 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] SHELL32.dll!ShellExecuteW                                                       7CAB5D48 5 Bytes  JMP 10025900 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ole32.dll!CoCreateInstanceEx                                                    77500526 5 Bytes  JMP 100278A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\WINDOWS\system32\NOTEPAD.EXE[2332] ole32.dll!CoGetClassObject                                                      775156C5 5 Bytes  JMP 10027660 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\Documents and Settings\Jon\Desktop\gmer.exe[3132] ntdll.dll!NtAllocateVirtualMemory                                7C90CF6E 5 Bytes  JMP 10025D20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
                  .text           C:\Documents and Settings\Jon\Desktop\gm<
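A small triage script for GMER user-mode hook lines like the ones above, added here as an example and not part of this thread or of GMER: it parses each `.text ... JMP` line, groups the hooked APIs by the DLL the jump lands in, and flags any DLL that is not on an allowlist of security products you know are installed (here guard32.dll for COMODO). The first two sample lines are copied from the log format above; the third is constructed, with a placeholder module name and placeholder addresses, to show how an unexpected hook surfaces.

```python
import re
from collections import defaultdict

# GMER inline-hook line layout as seen in the log:
# .text  <process>[pid] <module>!<function>  <addr> <n> Bytes  JMP <target> <dll path> (<vendor description>)
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+) Bytes\s+"
    r"JMP (?P<target>[0-9A-Fa-f]+)\s+(?P<dll>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Assumption: allowlist of hook-installing DLLs belonging to products known to be on the box.
KNOWN_SECURITY_DLLS = {"guard32.dll"}

# Constructed sample input. Lines 1-2 follow the real entries above; line 3 is a
# made-up hook (PLACEHOLDER module, placeholder addresses) with no vendor description.
SAMPLE_LOG = r"""
.text  C:\WINDOWS\system32\NOTEPAD.EXE[2332] ntdll.dll!NtCreateFile  7C90D0AE 5 Bytes  JMP 10025DA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\NOTEPAD.EXE[2332] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10025DE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\NOTEPAD.EXE[2332] ws2_32.dll!connect  11111111 5 Bytes  JMP 22222222 C:\WINDOWS\system32\PLACEHOLDER_unknown.dll
"""


def parse_hooks(text):
    """Return one dict per recognised hook line; non-matching lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hook = m.groupdict()
        # File name only, lower-cased, so the allowlist check is path- and case-insensitive.
        hook["dll_name"] = hook["dll"].rsplit("\\", 1)[-1].lower()
        hooks.append(hook)
    return hooks


def triage(hooks, known=KNOWN_SECURITY_DLLS):
    """Group hooked APIs by hooking DLL and return (all_groups, groups_not_on_allowlist)."""
    by_dll = defaultdict(list)
    for h in hooks:
        by_dll[h["dll_name"]].append(f'{h["module"]}!{h["func"]}')
    unexpected = {dll: funcs for dll, funcs in by_dll.items() if dll not in known}
    return dict(by_dll), unexpected


if __name__ == "__main__":
    groups, suspicious = triage(parse_hooks(SAMPLE_LOG))
    for dll, funcs in groups.items():
        print(f"{dll}: {len(funcs)} hook(s)")
    for dll, funcs in suspicious.items():
        print(f"REVIEW {dll}: hooks {', '.join(funcs)}")
```

Every hook a security product installs shows up under its own DLL, so a long list under guard32.dll is expected here; the point is the entries that land in a module nobody can account for.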

                  SuperDave

                  • Malware Removal Specialist
                  • Moderator
                  Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
                  « Reply #13 on: June 08, 2010, 08:38:55 AM »

                  * Direct download link is here: RootRepeal.zip

                  * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                  * Click this link to see a list of such programs and how to disable them.

                  * Extract the program file to a new folder such as C:\RootRepeal
                  * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                  * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                  * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                  * When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
                  * Save it as rootrepeal.txt
                  * Then open that log and select all and copy/paste it back on your next reply please.
                  * Close RootRepeal.

                  johngetter
                  Re: Rootkit, Winsock Error, Redirected Searches, Task Bar color change
                  « Reply #14 on: June 08, 2010, 03:54:06 PM »
                  Edited.
                  « Last Edit: June 08, 2010, 06:13:47 PM by SuperDave »