Google Search Redirect

steve12 · October 8, 2009

Hi,

When clicking on a link from a search result in Google I am taken to different unknow sites. For example, here is what I got when clicking on a search result for Malwarebytes......http://thecancerconspiracy.com/search.php. If I go back to the search page again it will give me another/different unknow site.

I ran Malwarebytes in Safe mode and it came up clean...in regular mode it gets stuck on desktop.ini.

Superantispyware scan also was clean as wA Spybot and Eset online scan. Kaspersky online scanner gets stuck. I downloaded the free version of it and a quick scan came up clean.

Any help would be greatly appreciated. Thanks.

GT500 · October 12, 2009

Please download RSIT from the link below, run it with the default options, and attach the 'log' and 'info' files to a reply:

http://images.malwareremoval.com/random/RSIT.exe

steve12 · October 12, 2009

My daughters laptop on the wireless network seems to also be affected?! Read on the net that sometimes the router needs to be reset/purged with this type of virus?!?!?

Here are my logs, and thanks a million!!

Logfile of random's system information tool 1.06 (written by random/random)

Run by Beatrice at 2009-10-12 10:08:11

Microsoft Windows XP Professional Service Pack 2

System drive C: has 599 MB (2%) free of 35 GB

Total RAM: 512 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:09:00 AM, on 10/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Google\ggviewer81-53.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\dlcxcoms.exe

C:\Program Files\Eraser\eraser.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe

C:\Documents and Settings\Beatrice\My Documents\1 A Brad\Google Search Virus\RSIT.exe

C:\Program Files\trend micro\Beatrice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Save - Flash - Player - {58112A01-1F24-4EFE-A6B2-297DC7CDFEF2} - C:\PROGRA~1\ycysoft\SAVEFL~1\IEFLAS~1.DLL (file missing)

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s

O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"

O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

--

End of file - 8753 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

C:\WINDOWS\tasks\ParetoLogic Registration.job

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]

Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2008-10-14 130248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]

IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll [2009-07-03 68112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-09-24 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-10 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-06 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]

Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-09-10 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-24 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E33CF602-D945-461A-83F0-819F76A199F8}]

FilterBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll [2009-10-07 264720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-09-24 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{58112A01-1F24-4EFE-A6B2-297DC7CDFEF2} - Save - Flash - Player - C:\PROGRA~1\ycysoft\SAVEFL~1\IEFLAS~1.DLL []

{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll [2008-10-14 437368]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-10 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]

"FaxCenterServer"=C:\Program Files\Dell PC Fax\fm3032.exe [2006-06-15 307200]

"dlcxmon.exe"=C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe [2006-06-14 286720]

"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 926\memcard.exe [2006-06-27 299008]

"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup []

"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]

"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-06-25 185896]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]

"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-24 149280]

"DLCXCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16 []

"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe [2009-07-03 303376]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

"NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2004-07-26 1867776]

"Aim6"= []

"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-09-04 39408]

"Eraser"=C:\Program Files\Eraser\eraser.exe [2003-07-25 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]

C:\Program Files\Eraser\eraser.exe [2003-07-25 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-04-06 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]

C:\WINDOWS\system32\klogon.dll [2009-07-03 219664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\WINDOWS\system32\usmt\migwiz.exe"="C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"

"C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe"="C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe:*:Enabled:SonicWALL Global VPN Client"

"C:\Program Files\SmartFTP\SmartFTP.exe"="C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP"

"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"

"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"

"C:\Program Files\Common Files\AOL\1140457287\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1140457287\ee\aolsoftware.exe:*:Enabled:AOL Services"

"C:\Program Files\Common Files\AOL\1140457287\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1140457287\ee\aim6.exe:*:Enabled:AIM"

"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"

"C:\Program Files\TVU Player\TVUPlayer.exe"="C:\Program Files\TVU Player\TVUPlayer.exe:*:Enabled:TVUPlayer"

"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"

"C:\WINDOWS\system32\dlcxcoms.exe"="C:\WINDOWS\system32\dlcxcoms.exe:*:Enabled:Lexmark Communications System"

"C:\Program Files\CoreFTP\coreftp.exe"="C:\Program Files\CoreFTP\coreftp.exe:*:Enabled:Core FTP App"

"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"

"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"

"C:\Program Files\Pando Networks\Pando\pando.exe"="C:\Program Files\Pando Networks\Pando\pando.exe:*:Enabled:Pando Application"

"C:\Program Files\eJamming\eJammingAUDiiO\eJammingAUDiiO.exe"="C:\Program Files\eJamming\eJammingAUDiiO\eJammingAUDiiO.exe:*:Enabled:eJammingAUDiiO"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:

GT500 · October 12, 2009

Step 1

I have attached a file to this message called AvengerScript.txt which you should save on your desktop. After saving AvengerScript.txt, please download The Avenger from the following link:

http://swandog46.geekstogo.com/avenger2/download.php

AvengerScript.txt

Use The Avenger to open the AvengerScript text file that you saved on your desktop, and then click the 'Execute' button in The Avenger. It will restart your computer, and use the information in AvengerScript.txt to clean up your computer a bit.

Please refer to the following screenshot for the location of the 'Open' button:

After running The Avenger, please attach the log to a reply so that I know if it did it's job right.

Step 2

Update Malwarebytes' Anti-Malware and run a scan with Windows booted normally. You may need to add the following files to the exclusions list in your anti-virus:

C:\WINDOWS\system32\drivers\mbam.sys
C:\WINDOWS\system32\drivers\mbamswissarmy.sys
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Please remove anything that Malwarebytes' Anti-Malware finds, and attach the log to a reply.

Step 3

Reset your router just in case. Make sure that you write down all of the settings in your router that you will need to replace after it has been reset. If you do not know how to do this, then give me the make and model of the router and I will try to put together some instructions.

Also note that another common form of infection is for malware to spread using Windows File Sharing (even if it isn't set up). This allows one infected computer on your network to infect every other computer on your network. If you do not share files over a Windows network, then you may want to check and see if your router has a setting called "AP Isolation" which should prevent the computers connected to the router from seeing each other, and thus prevent malware from spreading in that fashion.

Step 4

Download RootRepeal from the link below, and extract it onto your desktop:

http://ad13.geekstogo.com/RootRepeal.zip

Run RootRepeal, click the 'Scan' button in the lower-left corner, and when it's done click the "Save Report" button in the lower-right corner. Attach that report to a reply.

steve12 · October 12, 2009

I received the following error when trying to execute Avenger after opening script as per your instructions:

Error: Invalid script.A valid script must begin with a command directive.

Aborting execution!

GT500 · October 13, 2009

OK, we'll try this a little differently. Copy the text inside the following code box into the white box in The Avenger, and then click the 'Execute' button:

Drivers to delete:
MEMSWEEP2

Files to delete:
C:\WINDOWS\system32\7D7.tmp

steve12 · October 13, 2009

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)

Mon Oct 12 15:44:13 2009

15:44:13: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)

Mon Oct 12 15:44:39 2009

15:44:39: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)

Mon Oct 12 15:46:12 2009

15:46:12: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Driver "MEMSWEEP2" deleted successfully.

Error: file "C:\WINDOWS\system32\7D7.tmp" not found!

Deletion of file "C:\WINDOWS\system32\7D7.tmp" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

GT500 · October 13, 2009

OK, it looks like the silly thing finally did it's job.

Do you have the logs from Malwarebytes' Anti-Malware and RootRepeal?

steve12 · October 13, 2009

RootRepeal keeps crashing my PC...never really gets running. 3rd try gave me a blue screen of death.

I'll run Malwarebytes now and post the log.

GT500 · October 13, 2009

I'll run Malwarebytes now and post the log.

OK.

steve12 · October 13, 2009

Malwarebytes keeps crashing before finishing. Last try it ran for 4 plus hours for Quick Scan and then got hung up.....

So, I can't produce a log....

GT500 · October 14, 2009

OK, we're going to need to dig a little deeper. Please download ComboFix from the link below, save it on your desktop, run it, and attach the log to a reply:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

steve12 · October 14, 2009

ComboFix 09-10-13.01 - Beatrice 10/13/2009 23:39.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.284 [GMT -4:00]

Running from: c:\documents and settings\Beatrice\Desktop\ComboFix.exe

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Hacker *disabled* {0BB8CA15-F396-46C7-9A59-108D852CFEC0}

.

ADS - netcfgx.dll: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\AskSearch\bin\DefaultSearch.dll

c:\windows\desktop

c:\windows\Downloaded Program Files\bdcore.dll

c:\windows\Downloaded Program Files\libfn.dll

c:\windows\Readme.txt

c:\windows\system32\open.ico

Infected copy of c:\windows\system32\drivers\ultra.sys was found and disinfected

Restored copy from - Kitty ate it :^)

.

((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))

.

2009-10-12 14:08 . 2009-10-12 14:09 -------- d-----w- c:\program files\trend micro

2009-10-12 14:08 . 2009-10-12 14:09 -------- d-----w- C:\rsit

2009-10-12 04:17 . 2009-10-12 04:49 -------- d-----w- c:\program files\Common Files\ParetoLogic

2009-10-12 04:17 . 2009-10-12 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-10-12 04:16 . 2009-10-12 04:16 -------- d-----w- c:\documents and settings\Beatrice\Local Settings\Application Data\Downloaded Installations

2009-10-11 02:52 . 2009-10-11 02:52 -------- d-----w- c:\program files\Sophos

2009-10-08 00:40 . 2009-10-08 00:40 -------- d-----w- c:\program files\SpywareBlaster

2009-10-07 11:51 . 2009-10-07 11:51 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat

2009-10-07 11:50 . 2009-10-07 11:55 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-10-07 11:50 . 2009-10-07 11:55 107547 ----a-w- c:\windows\system32\drivers\klin.dat

2009-10-07 11:48 . 2009-10-14 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-10-07 11:08 . 2009-10-07 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-10-06 19:25 . 2009-10-06 19:25 -------- d-----w- c:\program files\ESET

2009-10-06 15:56 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-06 15:56 . 2009-10-06 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-06 15:56 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-06 05:32 . 2009-10-06 05:32 -------- d-----w- c:\documents and settings\Bumblebea\Application Data\Malwarebytes

2009-09-29 21:27 . 2009-09-29 21:27 -------- d-----w- c:\documents and settings\Michy\Application Data\AdobeUM

2009-09-29 21:25 . 2009-09-29 21:27 -------- d-----w- c:\documents and settings\Michy\Local Settings\Application Data\Adobe

2009-09-29 21:18 . 2009-09-29 21:18 -------- d-----w- c:\documents and settings\Michy\Local Settings\Application Data\WMTools Downloaded Files

2009-09-29 21:18 . 2009-09-29 21:18 -------- d-----w- c:\documents and settings\Michy\Application Data\Malwarebytes

2009-09-29 16:13 . 2009-09-29 16:25 -------- d-----w- c:\program files\VideoSpirit Pro

2009-09-26 19:32 . 2009-09-26 19:32 286720 ----a-w- c:\windows\iun505.exe

2009-09-26 19:32 . 2009-09-26 19:32 -------- d-----w- c:\program files\PC Drummer Trial Edition

2009-09-25 17:00 . 2009-09-25 17:00 -------- d-----w- c:\program files\HammerHead

2009-09-25 03:10 . 2009-09-25 03:10 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Malwarebytes

2009-09-25 03:10 . 2009-09-25 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-25 03:06 . 2009-09-25 03:05 411368 ----a-w- c:\windows\system32\deploytk.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-14 04:15 . 2007-04-15 19:31 -------- d-----w- c:\program files\dl_cats

2009-10-14 03:26 . 2009-05-26 01:41 -------- d-----w- c:\program files\Eraser

2009-10-11 14:24 . 2005-03-30 15:04 -------- d-----w- c:\program files\hjt

2009-10-07 11:48 . 2005-09-06 13:36 -------- d-----w- c:\program files\Kaspersky Lab

2009-10-07 01:15 . 2005-08-21 17:30 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2009-10-06 22:57 . 2006-06-28 20:27 -------- d-----w- c:\program files\TVU Player

2009-10-06 05:20 . 2008-12-09 15:21 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-30 00:59 . 2008-05-19 17:34 -------- d-----w- c:\documents and settings\Beatrice\Application Data\Orbit

2009-09-29 21:27 . 2009-02-20 15:33 -------- d-----w- c:\documents and settings\Michy\Application Data\Orbit

2009-09-29 02:17 . 2005-03-19 19:45 33872 ----a-w- c:\documents and settings\Beatrice\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-25 12:48 . 2008-12-09 03:06 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-09-25 04:06 . 2005-03-20 17:48 -------- d-----w- c:\program files\Java

2009-09-24 02:18 . 2008-05-02 23:10 -------- d-----w- c:\program files\The Learning Company

2009-09-20 13:20 . 2009-08-19 01:07 -------- d-----w- c:\documents and settings\Beatrice\Application Data\uTorrent

2009-09-09 04:26 . 2009-09-09 03:05 -------- d-----w- c:\documents and settings\Beatrice\Application Data\ICAClient

2009-09-09 03:05 . 2009-09-09 03:05 -------- d-----w- c:\program files\Citrix

2009-09-05 22:17 . 2007-05-07 12:48 -------- d-----w- c:\documents and settings\Beatrice\Application Data\CoreFTP

2009-09-02 13:01 . 2009-09-02 13:01 86016 ----a-w- c:\windows\system32\DirShowEXDD.dll

2009-08-19 01:07 . 2009-08-19 01:07 -------- d-----w- c:\program files\AskSearch

2009-08-06 23:24 . 2004-08-03 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2004-08-03 18:59 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2005-08-05 17:40 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2004-08-03 18:59 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2005-03-19 17:15 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2001-08-23 15:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2004-08-03 19:00 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2005-03-19 17:15 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:11 . 2001-08-23 15:00 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-17 18:55 . 2001-08-23 15:00 58880 ----a-w- c:\windows\system32\atl.dll

2005-08-15 16:21 . 2005-08-15 16:21 13500200 ----a-w- c:\program files\kav5.0trial_personalen.exe

2008-12-19 17:52 . 2006-02-12 15:11 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 17:52 . 2006-02-12 15:11 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 17:52 . 2007-08-10 13:02 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 17:52 . 2007-08-10 13:02 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 17:52 . 2006-02-12 15:11 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2007-04-16 02:29 . 2007-04-16 00:52 56 --sh--r- c:\windows\system32\05A597BF8C.sys

2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll

2007-04-16 02:29 . 2007-04-16 00:52 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 1867776]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-05 39408]

"Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-06-15 307200]

"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-06-14 286720]

"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-06-27 299008]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-26 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-25 149280]

"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 106496]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-20 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-04-06 16:25 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiHacker]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\TVU Player\\TVUPlayer.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\dlcxcoms.exe"=

"c:\\Program Files\\CoreFTP\\coreftp.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57462:TCP"= 57462:TCP:Pando P2P TCP Listening Port

"57462:UDP"= 57462:UDP:Pando P2P UDP Listening Port

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/12/2007 3:58 PM 10240]

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [7/13/2005 11:31 AM 78032]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 55024]

R3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]

R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [7/13/2005 11:27 AM 23180]

R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [3/19/2005 8:01 AM 747392]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/7/2009 10:21 PM 133104]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]

S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]

S3 WipeFile;WipeFile;c:\windows\system32\drivers\WipeFile.sys [3/3/2007 7:20 PM 57472]

.

Contents of the 'Scheduled Tasks' folder

2009-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-08 02:21]

2009-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-08 02:21]

2009-10-14 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.optonline.net/Home

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.msn.com

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - c:\documents and settings\Beatrice\Application Data\Mozilla\Firefox\Profiles\ob3clmij.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

AddRemove-Arthur's Birthday - c:\program files\Living Books\DeIsL1.isu

AddRemove-Convert XLS_is1 - c:\program files\Softinterface

AddRemove-Finale NotePad 2005a - c:\windows\unvise32.exe

AddRemove-RollerCoaster Tycoon Setup - c:\windows\UniFish3.exe

AddRemove-TVUPlayer - c:\program files\TVU Player\uninst.exe

AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-14 00:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1856)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3096)

c:\progra~1\Google\GGTASK~1.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\WgaTray.exe

c:\windows\system32\dlcxcoms.exe

c:\program files\Google\ggviewer81-53.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-10-14 0:26 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-14 04:26

Pre-Run: 241,811,456 bytes free

Post-Run: 565,919,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

266 --- E O F --- 2009-09-10 03:54

GT500 · October 14, 2009

I have attached a file to this message called CFScript.txt which will tell ComboFix how to remove some of the bad things I saw in your ComboFix log. Please save CFScript onto your desktop, and then download a fresh copy of ComboFix from the link below, and make sure to save it on your desktop as well. Once you have both CFScript and ComboFix saved to your desktop, hold down the left mouse button on top of the icon for CFScript, and drag it on top of the ComboFix icon, and then let go. This should start ComboFix again. Make sure, when it finishes, to attach the new log to a reply so that I can verify that it deleted what it was supposed to.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

CFScript.txt

steve12 · October 14, 2009

ComboFix 09-10-14.01 - Beatrice 10/14/2009 16:29.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.234 [GMT -4:00]

Running from: c:\documents and settings\Beatrice\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Beatrice\Desktop\CFScript.txt