Posts posted by anongeneral

  1. Hello again - thanks for all of your help! Here is the MBAM log:

    Malwarebytes' Anti-Malware 1.46

    www.malwarebytes.org

    Database version: 4227

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 8.0.6001.18702

    6/22/2010 11:06:08 PM

    mbam-log-2010-06-22 (23-06-08).txt

    Scan type: Quick scan

    Objects scanned: 158266

    Time elapsed: 13 minute(s), 27 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

  2. Thank you - I have followed your instructions. Attached is the Kaspersky report - I had to run Kaspersky in safe mode because it would freeze up the two times I tried (with Avira active scan disabled) to run it in regular XP. Interestingly, the last time I ran Kaspersky in regular windows XP mode, it found 2 threats across 10 objects prior to freeze up. But in safe mode it only found 1 threat across 4 objects.

    KASPERSKY ONLINE SCANNER 7.0: scan report

    Tuesday, June 22, 2010

    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    Kaspersky Online Scanner version: 7.0.26.13

    Last database update: Tuesday, June 22, 2010 04:52:05

    Records in database: 4309600

    Scan settings

    scan using the following database extended

    Scan archives yes

    Scan e-mail databases yes

    Scan area My Computer

    C:\

    D:\

    L:\

    Scan statistics

    Objects scanned 81404

    Threats found 1

    Infected objects found 4

    Suspicious objects found 0

    Scan duration 03:34:31

    File name Threat Threats count

    C:\WINDOWS\CSC\d2\800003F1 Infected: not-a-virus:AdWare.Win32.Cydoor 2

    C:\WINDOWS\CSC\d5\800017B4 Infected: not-a-virus:AdWare.Win32.Cydoor 2

    Selected area has been scanned.

  3. Hello - thank you very much for your help. I have to admit that I already ran ComboFix. Here are the results:

    ComboFix 10-06-17.02 - brian 06/18/2010 0:30.5.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.268 [GMT -7:00]

    Running from: c:\documents and settings\brian\Desktop\ComboFix.exe

    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

    FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

    .

    ((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))

    .

    2010-06-17 15:53 . 2010-06-17 17:14 -------- d-----w- c:\windows\system32\NtmsData

    2010-06-17 15:50 . 2010-06-17 15:50 -------- d-----w- c:\documents and settings\brian\Application Data\Avira

    2010-06-17 05:24 . 2010-06-17 05:28 -------- dc-h--w- c:\windows\ie8

    2010-06-17 02:46 . 2010-06-17 02:47 -------- d-----w- C:\Downloads

    2010-06-16 21:37 . 2010-06-16 21:37 -------- d-----w- c:\program files\ESET

    2010-06-16 21:04 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

    2010-06-16 21:04 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2010-06-16 21:04 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

    2010-06-16 21:04 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

    2010-06-16 21:04 . 2010-06-16 21:04 -------- d-----w- c:\program files\Avira

    2010-06-16 21:04 . 2010-06-16 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

    2010-06-15 17:49 . 2010-06-15 17:49 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

    2010-06-15 17:49 . 2010-06-15 17:49 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

    2010-06-15 17:48 . 2010-06-15 17:48 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

    2010-06-15 17:48 . 2010-06-15 17:48 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

    2010-06-15 17:48 . 2010-06-15 17:48 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

    2010-06-15 17:46 . 2010-06-15 17:46 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

    2010-06-15 01:54 . 2010-06-15 01:54 -------- d-----w- C:\VundoFix Backups

    2010-06-14 18:48 . 2010-06-14 18:48 0 ----a-w- c:\windows\Agalunir.bin

    2010-06-14 18:48 . 2010-06-14 18:48 120 ----a-w- c:\windows\Ynokuvelikolakef.dat

    2010-06-08 20:39 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

    2010-05-26 17:09 . 2009-12-14 14:57 213504 ----a-w- c:\documents and settings\brian\Application Data\Thunderbird\Profiles\cr6kz2g6.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll

    2010-05-26 05:23 . 2010-06-15 17:49 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

    2010-05-26 05:22 . 2010-06-15 17:46 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

    2010-05-26 05:22 . 2010-06-15 17:41 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

    2010-05-26 05:22 . 2009-11-23 19:41 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Web Player\DivXWebPlayerUninstall.exe

    2010-05-26 05:22 . 2009-11-23 19:41 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Player\DivXPlayerUninstall.exe

    2010-05-26 05:22 . 2009-11-23 19:40 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe

    2010-05-26 05:22 . 2009-11-23 19:41 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe

    2010-05-26 05:22 . 2010-05-26 05:22 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe

    2010-05-26 05:22 . 2010-05-26 05:22 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe

    2010-05-26 05:22 . 2010-05-26 05:22 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe

    2010-05-26 05:22 . 2010-05-26 05:22 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe

    2010-05-26 05:22 . 2010-05-26 05:22 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe

    2010-05-26 05:21 . 2010-05-26 05:21 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

    2010-05-26 05:21 . 2010-05-26 05:21 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

    2010-05-26 05:20 . 2010-05-26 05:20 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

    2010-05-26 05:20 . 2010-05-26 05:20 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

    2010-05-26 05:15 . 2010-06-15 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

    2010-05-23 07:59 . 2010-05-23 07:59 -------- d-----w- c:\program files\NOS

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-06-18 07:41 . 2009-03-18 20:08 -------- d-----w- c:\documents and settings\brian\Application Data\Skype

    2010-06-18 07:07 . 2009-03-18 20:13 -------- d-----w- c:\documents and settings\brian\Application Data\skypePM

    2010-06-18 05:51 . 2009-09-05 16:30 -------- d-----w- c:\documents and settings\brian\Application Data\uTorrent

    2010-06-18 03:42 . 2010-04-05 18:56 -------- d-----w- c:\program files\Mozilla Thunderbird

    2010-06-17 21:02 . 2009-04-06 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    2010-06-17 02:58 . 2004-08-11 23:00 8832 ----a-w- c:\windows\system32\drivers\RasAcd.sys

    2010-06-17 00:02 . 2009-04-06 17:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

    2010-06-16 20:18 . 2006-09-01 18:42 -------- d-----w- c:\program files\Trend Micro

    2010-06-15 17:49 . 2009-06-07 08:29 -------- d-----w- c:\program files\Common Files\DivX Shared

    2010-06-15 17:49 . 2009-03-06 05:52 -------- d-----w- c:\program files\DivX

    2010-06-14 21:49 . 2010-06-14 21:49 5058 ----a-w- c:\windows\Help\hhcolreg.dat

    2010-06-14 19:10 . 2009-04-14 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-06-04 03:59 . 2009-05-10 06:57 -------- d-----w- c:\program files\Microsoft Silverlight

    2010-05-23 08:03 . 2010-01-15 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

    2010-05-15 01:41 . 2009-09-05 16:31 -------- d-----w- c:\program files\uTorrent

    2010-05-06 10:41 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

    2010-05-02 05:22 . 2004-08-11 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys

    2010-04-29 22:39 . 2009-04-14 20:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-04-29 22:39 . 2009-04-14 20:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-04-27 03:22 . 2010-04-27 03:22 -------- d-----w- c:\program files\Common Files\Skype

    2010-04-26 23:37 . 2009-05-26 23:54 -------- d-----w- c:\documents and settings\brian\Application Data\gtk-2.0

    2010-04-20 05:30 . 2004-08-11 23:00 285696 ----a-w- c:\windows\system32\atmfd.dll

    2009-09-13 07:05 . 2009-09-13 07:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

    2009-09-13 07:06 . 2009-09-13 07:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

    2009-09-13 07:06 . 2009-09-13 07:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

    2009-09-13 07:06 . 2009-09-13 07:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

    2009-09-13 07:06 . 2009-09-13 07:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

    2009-09-13 07:07 . 2009-09-13 07:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

    2009-09-13 07:06 . 2009-09-13 07:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

    2009-09-13 07:06 . 2009-09-13 07:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

    2009-08-14 21:33 . 2009-08-14 21:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

    2009-09-13 07:06 . 2009-09-13 07:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

    .

    ((((((((((((((((((((((((((((( SnapShot_2010-06-17_17.52.30 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2010-06-18 02:45 . 2010-06-18 02:45 16384 c:\windows\temp\Perflib_Perfdata_9dc.dat

    + 2010-06-18 02:42 . 2010-06-18 02:42 16384 c:\windows\temp\Perflib_Perfdata_520.dat

    + 2010-06-17 23:23 . 2009-05-26 11:40 17272 c:\windows\ie8updates\KB981332-IE8\spmsg.dll

    + 2010-06-17 23:23 . 2009-05-26 11:40 26488 c:\windows\ie8updates\KB981332-IE8\spcustom.dll

    + 2010-06-17 23:23 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB976662-IE8\spmsg.dll

    + 2010-06-17 23:23 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB976662-IE8\spcustom.dll

    + 2010-06-17 23:22 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB971961-IE8\spmsg.dll

    + 2010-06-17 23:22 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB971961-IE8\spcustom.dll

    - 2004-08-11 23:00 . 2009-03-08 11:33 420352 c:\windows\system32\vbscript.dll

    + 2004-08-11 23:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll

    - 2004-08-11 23:00 . 2009-03-08 11:33 726528 c:\windows\system32\jscript.dll

    + 2004-08-11 23:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll

    - 2008-05-09 10:53 . 2009-03-08 11:33 420352 c:\windows\system32\dllcache\vbscript.dll

    + 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll

    + 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll

    - 2008-05-09 10:53 . 2009-03-08 11:33 726528 c:\windows\system32\dllcache\jscript.dll

    + 2010-06-17 23:23 . 2009-03-08 11:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll

    + 2010-06-17 23:23 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\updspapi.dll

    + 2010-06-17 23:23 . 2009-05-26 11:40 755576 c:\windows\ie8updates\KB981332-IE8\update.exe

    + 2010-06-17 23:23 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll

    + 2010-06-17 23:23 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe

    + 2010-06-17 23:23 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst.exe

    + 2010-06-17 23:23 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\updspapi.dll

    + 2010-06-17 23:23 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB976662-IE8\update.exe

    + 2010-06-17 23:23 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll

    + 2010-06-17 23:23 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe

    + 2010-06-17 23:23 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst.exe

    + 2010-06-17 23:23 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll

    + 2010-06-17 23:22 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\updspapi.dll

    + 2010-06-17 23:22 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB971961-IE8\update.exe

    + 2010-06-17 23:22 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll

    + 2010-06-17 23:22 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe

    + 2010-06-17 23:22 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst.exe

    + 2010-06-17 23:22 . 2009-03-08 11:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]

    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-11 339968]

    "DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]

    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

    c:\documents and settings\dennis\Start Menu\Programs\Startup\

    DesktopConnector.lnk - c:\program files\Extended Systems\DesktopConnector.exe [2005-6-22 303104]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-12-23 82026]

    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-10 24576]

    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

    Online plug-in.lnk - c:\windows\Installer\{B8A2256E-6225-4D9E-B1C9-C26CA1E22FEB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2010-1-8 73728]

    Printkey.lnk - C:\Printkey.exe [2004-12-16 589824]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logoff\0\0]

    "Script"=c:\windows\CTXDEFPRNT-logoff.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logoff\1\0]

    "Script"=c:\windows\CTXDEFPRNT-logoff.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logon\0\0]

    "Script"=c:\windows\CTXDEFPRNT-logon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logon\1\0]

    "Script"=\\%USERDNSDOMAIN%\sysvol\lcpartners.com\scripts\LCP_GB_LOGON.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logon\2\0]

    "Script"=c:\windows\CTXDEFPRNT-logon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logoff\0\0]

    "Script"=c:\windows\CTXDEFPRNT-logoff.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logoff\1\0]

    "Script"=c:\windows\CTXDEFPRNT-logoff.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logon\0\0]

    "Script"=c:\windows\CTXDEFPRNT-logon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logon\1\0]

    "Script"=\\%USERDNSDOMAIN%\sysvol\lcpartners.com\scripts\LCP_GB_LOGON.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logon\2\0]

    "Script"=c:\windows\CTXDEFPRNT-logon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logoff\0\0]

    "Script"=c:\windows\CTXDEFPRNT-logoff.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logoff\1\0]

    "Script"=c:\windows\CTXDEFPRNT-logoff.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logon\0\0]

    "Script"=c:\windows\CTXDEFPRNT-logon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logon\1\0]

    "Script"=c:\windows\CTXDEFPRNT-logon.exe

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk

    backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

    2004-05-17 02:18 528384 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eCopy Desktop Printer Service]

    2001-08-02 17:28 136512 ----a-w- c:\progra~1\eCopy\Desktop\PCLprint\mrmlnc32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Extended Systems\\DesktopConnector.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 7:13 PM 65584]

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/16/2010 2:04 PM 135336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    getPlusHelper REG_MULTI_SZ getPlusHelper

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://google.com/

    IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    FF - ProfilePath - c:\documents and settings\brian\Application Data\Mozilla\Firefox\Profiles\cuhnk2dn.default\

    FF - plugin: c:\documents and settings\brian\Application Data\Move Networks\plugins\npqmp071503000010.dll

    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-06-18 00:41

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(880)

    c:\windows\System32\BCMLogon.dll

    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1712)

    c:\windows\system32\WININET.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    Completion time: 2010-06-18 00:46:57

    ComboFix-quarantined-files.txt 2010-06-18 07:46

    ComboFix2.txt 2010-06-17 17:56

    ComboFix3.txt 2010-06-17 04:16

    ComboFix4.txt 2010-06-16 19:35

    ComboFix5.txt 2010-06-18 07:27

    Pre-Run: 8,953,700,352 bytes free

    Post-Run: 8,939,462,656 bytes free

    - - End Of File - - CA64E8219F04D7AE5F5D4A188510F3DC

  4. And here is the DDS log - any help at all would be much appreciated!:

    DDS (Ver_10-03-17.01) - NTFSx86

    Run by brian at 13:44:48.04 on Wed 06/16/2010

    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.169 [GMT -7:00]

    AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

    FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    svchost.exe

    C:\WINDOWS\system32\basfipm.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\WINDOWS\System32\svchost.exe -k HPZ12

    C:\WINDOWS\System32\svchost.exe -k HPZ12

    C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    C:\WINDOWS\system32\SearchIndexer.exe

    C:\WINDOWS\System32\bcmwltry.exe

    C:\Program Files\Citrix\ICA Client\ssonsvr.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE

    C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE

    C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE

    C:\WINDOWS\system32\SearchProtocolHost.exe

    C:\Documents and Settings\brian\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

    uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"

    uRun: [skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized

    mRun: [Apoint] c:\program files\apoint\Apoint.exe

    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

    mRun: [DVDSentry] c:\windows\system32\DSentry.exe

    mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

    mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

    dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\online~1.lnk - c:\windows\installer\{b8a2256e-6225-4d9e-b1c9-c26ca1e22feb}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printkey.lnk - c:\Printkey.exe

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://utility1:4343/officescan/console/ClientInstall/WinNTChk.cab

    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

    DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://utility1:4343/officescan/console/ClientInstall/setup.cab

    DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://utility1:4343/officescan/console/ClientInstall/RemoveCtrl.cab

    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll

    Notify: AtiExtEvent - Ati2evxx.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\cuhnk2dn.default\

    FF - plugin: c:\documents and settings\brian\application data\move networks\plugins\npqmp071503000010.dll

    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

    =============== Created Last 30 ================

    2010-06-16 19:11:07 0 d-sha-r- C:\cmdcons

    2010-06-16 03:23:20 98816 ----a-w- c:\windows\sed.exe

    2010-06-16 03:23:20 77312 ----a-w- c:\windows\MBR.exe

    2010-06-16 03:23:20 256512 ----a-w- c:\windows\PEV.exe

    2010-06-16 03:23:20 161792 ----a-w- c:\windows\SWREG.exe

    2010-06-15 01:54:35 0 d-----w- C:\VundoFix Backups

    2010-06-14 23:14:26 135 ----a-w- c:\windows\wininit.ini

    2010-06-14 21:50:08 63 ----a-w- c:\windows\mdm.ini

    2010-06-14 18:48:15 0 ----a-w- c:\windows\Agalunir.bin

    2010-06-14 18:48:14 120 ----a-w- c:\windows\Ynokuvelikolakef.dat

    2010-06-08 20:39:10 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

    2010-05-26 05:15:27 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX

    ==================== Find3M ====================

    2010-05-06 10:41:53 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

    2010-05-06 10:41:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

    2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

    2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

    2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

    2010-04-06 11:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll

    2009-03-09 17:03:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030920090310\index.dat

    ============= FINISH: 13:46:46.54 ===============

  5. Just got slammed by the Windows Defense Center malware. I removed much of it with MBAM, but both Internet Explorer and Firefox continue to be plagued by redirects to various sites, including one called News 11 Today.

    I have run Malwarebytes in safe mode with networking several times - no more malware is being detected at this point. But my redirect problems persist, so I am posting my HijackThis log for your consideration. Any help would be appreciated:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 1:19:44 PM, on 6/16/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16827)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\basfipm.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    C:\WINDOWS\system32\SearchIndexer.exe

    C:\WINDOWS\System32\bcmwltry.exe

    C:\Program Files\Citrix\ICA Client\ssonsvr.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE

    C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE

    C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    C:\WINDOWS\system32\SearchProtocolHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe

    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

    O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    O4 - HKCU\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe"

    O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

    O4 - Global Startup: Digital Line Detect.lnk = ?

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: Online plug-in.lnk = ?

    O4 - Global Startup: Printkey.lnk = C:\Printkey.exe

    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://utility1:4343/officescan/console/Cl...ll/WinNTChk.cab

    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://utility1:4343/officescan/console/Cl...stall/setup.cab

    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://utility1:4343/officescan/console/Cl.../RemoveCtrl.cab

    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lcpartners.com

    O17 - HKLM\Software\..\Telephony: DomainName = lcpartners.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lcpartners.com

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lcpartners.com

    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --

    End of file - 6909 bytes
