
Virus causing IE and Firefox to redirect to ...search.php and crashes Chrome and MS Outlook



Hi guys,

I have been going nuts trying to remove this virus.

Here are the symptoms:

-IE and Firefox are redirected to various websites' search.php pages (i.e. www.variousnames/search.php). This happens mostly when clicking links from Google searches. Note: if absolute URL addresses are used, the redirect does not occur.

-Random pop-ups if browser is open (various websites opening in a new window).

-MS Outlook randomly crashes.

-Certain MS Outlook can't be accessed.

-Redirect occurs even in safe mode.

-Windows Update cannot be accessed.

-Windows Defender update cannot be done automatically.

Troubleshooting performed:

Ran full scan with:

-Windows Defender (with manual definition updates)

-Antivir Antivirus (in safe mode)

-Malware-Bytes (in safe mode)

-Uninstalled Java JRE 1.5 and installed 1.6

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:28:37 PM, on 6/14/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\dellxpm09b_6159v043\wdm\stacsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Proxy Networks\PROXY Pro Host\phsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\TEMP\OJ1EA5.EXE

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Calabrio\WFO_QM\bin\sqmservice.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Proxy Networks\PROXY Pro Host\PhSession.exe

C:\Program Files\Proxy Networks\PROXY Pro Host\PhTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WebEx\Productivity Tools\PTIM.exe

C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\WebEx\Productivity Tools\ptSrv.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Microsoft Office Communicator\communicator.exe

C:\Program Files\Cisco\Desktop\bin\agent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\CCleaner\ccleaner.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\phaxayr\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://loop/tiki/tiki-index.php?page=HomePage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?cli...1=7&p2=tour

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll

O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe" /mode2

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PTIM.exe] C:\Program Files\WebEx\Productivity Tools\PTIM.exe

O4 - HKCU\..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe /AutoRunning="2"

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://calabrio.webex.com/client/upgradese...776/ieatgpc.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Calabrio.ld

O17 - HKLM\Software\..\Telephony: DomainName = Calabrio.ld

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Calabrio.ld

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Quality Management Desktop Recording Service (ciCqmRecord) - Calabrio Inc. - C:\Program Files\Calabrio\WFO_QM\bin\sqmservice.exe

O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt (file missing)

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PROXY Pro Host Service (ProxyHostService) - Proxy Networks, Inc. - C:\Program Files\Proxy Networks\PROXY Pro Host\phsvc.exe

O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\dellxpm09b_6159v043\wdm\stacsv.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 16139 bytes

Thank you very much for your help!!


Hi,

MBAM Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4198

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/14/2010 9:01:10 PM

mbam-log-2010-06-14 (21-01-10).txt

Scan type: Quick scan

Objects scanned: 159227

Time elapsed: 25 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by phaxayr at 17:41:24.06 on Mon 06/14/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2622 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {4DA48831-A43A-4472-9925-4A0F5DA9EB47}

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\dellxpm09b_6159v043\wdm\stacsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Proxy Networks\PROXY Pro Host\phsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\TEMP\KF347.EXE

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Calabrio\WFO_QM\bin\sqmservice.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Proxy Networks\PROXY Pro Host\PhSession.exe

C:\Program Files\Proxy Networks\PROXY Pro Host\PhTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WebEx\Productivity Tools\PTIM.exe

C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe

C:\Program Files\WebEx\Productivity Tools\ptSrv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\phaxayr\Local Settings\Temporary Internet Files\Content.IE5\BI3M5DD4\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://loop/tiki/tiki-index.php?page=HomePage

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [PTIM.exe] c:\program files\webex\productivity tools\PTIM.exe

uRun: [PTOneClick] c:\program files\webex\productivity tools\ptoneclk.exe /AutoRunning="2"

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDellB.exe" /mode2

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: c:\program files\vmware\vmware player\vsocklib.dll

Trusted Zone: intuit.com\ttlc

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://calabrio.webex.com/client/upgradeserver/client/ptool/T27L10NSP11EP9-4776/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: ckpNotify - ckpNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phaxayr\applic~1\mozilla\firefox\profiles\343ql3un.default\

FF - component: c:\documents and settings\phaxayr\application data\mozilla\firefox\profiles\343ql3un.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - component: c:\program files\webex\productivity tools\components\ocff.dll

FF - plugin: c:\documents and settings\phaxayr\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-8 64288]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-8 11608]

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-4-1 2234320]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-8 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-8 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-8 60936]

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2007-9-6 35692]

R2 ciCqmRecord;Quality Management Desktop Recording Service;c:\program files\calabrio\wfo_qm\bin\sqmservice.exe [2010-2-17 1966080]

R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2010-4-1 36400]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]

R2 QMPD;Quality Management Packet Driver;c:\windows\system32\drivers\qmpd.sys [2009-6-30 19712]

R2 SPCD;Spanlink Packet Capture Driver;c:\windows\system32\drivers\spcd.sys [2008-8-25 18048]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2007-12-21 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2007-12-21 36368]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2010-4-1 109072]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-4-1 671408]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-9 112512]

R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2008-12-30 12840]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-12-30 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-12-9 240344]

R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-12-9 144672]

R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-12-9 277504]

R3 ProxyHostInputFilter;PROXY Pro Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [2010-1-13 14416]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]

S3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2008-12-9 148056]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-11-30 652552]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-06-14 21:06:10 0 d-----w- c:\program files\CCleaner

2010-06-10 17:01:02 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-10 15:16:35 0 d-----w- c:\windows\system32\NtmsData

2010-06-09 16:52:48 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-09 06:16:21 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-09 06:09:17 0 d-----w- c:\docume~1\phaxayr\applic~1\Avira

2010-06-09 03:41:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-09 03:41:31 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-09 03:30:58 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-09 03:30:47 0 d-----w- c:\program files\Lavasoft

2010-06-09 03:08:15 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-06-09 03:08:14 0 d-----w- c:\program files\Avira

2010-06-09 03:08:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-06-07 23:09:30 0 d-----w- c:\docume~1\phaxayr\applic~1\Malwarebytes

2010-06-07 23:09:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 23:09:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-07 23:09:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-07 23:09:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 19:09:55 0 d-----w- c:\docume~1\phaxayr\applic~1\Foxit Software

2010-06-02 00:42:31 0 d-----w- c:\docume~1\phaxayr\applic~1\BitTorrent

2010-06-02 00:42:25 0 d-----w- c:\program files\BitTorrent

2010-05-16 05:40:07 0 d-----w- c:\program files\Lame for Audacity

==================== Find3M ====================

2010-06-14 13:18:14 243529 ----a-w- c:\windows\system32\nvModes.dat

2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 17:42:52.71 ===============

Thank you for your help.


It seems as though the malware is gone. I can now:

-go to windows update.com

-open Chrome

-have not experienced Google redirect yet

-windows defender is able to update definitions automatically

ComboFix Log:

ComboFix 10-06-15.02 - Administrator 06/15/2010 21:29:09.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3225 [GMT -5:00]

Running from: c:\documents and settings\phaxayr\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {4DA48831-A43A-4472-9925-4A0F5DA9EB47}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\ipconfig.txt

c:\windows\system32\st326159.dll

----- BITS: Possible infected sites -----

hxxp://wsus.calabrio.com

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))

.

2010-06-16 02:19 . 2010-06-16 02:19 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-06-14 21:06 . 2010-06-14 21:06 -------- d-----w- c:\program files\CCleaner

2010-06-12 23:56 . 2010-06-12 23:56 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-06-11 03:46 . 2010-06-11 03:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2010-06-11 03:46 . 2010-06-11 03:46 -------- d-----w- c:\documents and settings\Administrator\Bluetooth Software

2010-06-11 03:45 . 2010-06-11 03:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Epson

2010-06-10 17:01 . 2010-06-11 02:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-10 15:16 . 2010-06-14 07:43 -------- d-----w- c:\windows\system32\NtmsData

2010-06-09 16:52 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-09 06:16 . 2010-06-09 03:41 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-09 03:41 . 2010-06-09 03:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-09 03:41 . 2010-06-09 03:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-09 03:30 . 2010-06-09 03:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-09 03:30 . 2010-06-09 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-06-09 03:30 . 2010-06-09 03:31 -------- d-----w- c:\program files\Lavasoft

2010-06-09 03:08 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-06-09 03:08 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-06-09 03:08 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-06-09 03:08 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-06-09 03:08 . 2010-06-09 03:08 -------- d-----w- c:\program files\Avira

2010-06-09 03:08 . 2010-06-09 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-06-08 15:15 . 2010-06-08 15:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-08 15:15 . 2010-06-08 15:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-06-07 23:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 23:09 . 2010-06-07 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-07 23:09 . 2010-06-07 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 23:09 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-05 15:14 . 2010-06-05 15:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-02 00:42 . 2010-06-02 00:42 -------- d-----w- c:\program files\BitTorrent

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-16 02:48 . 2008-12-09 16:37 243505 ----a-w- c:\windows\system32\nvModes.dat

2010-06-16 02:44 . 2010-05-05 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2010-06-16 02:44 . 2010-05-05 15:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

2010-06-15 19:40 . 2010-01-25 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-15 19:38 . 2010-01-26 01:16 -------- d-----w- c:\program files\Microsoft Works

2010-06-15 19:37 . 2010-01-26 01:16 -------- d-----w- c:\program files\MSBuild

2010-06-14 19:06 . 2008-12-17 17:19 -------- d-----w- c:\program files\Java

2010-06-11 03:46 . 2008-12-17 16:31 72392 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-11 02:19 . 2008-12-17 17:19 -------- d-----w- c:\program files\Common Files\Java

2010-06-10 15:33 . 2008-12-17 17:20 -------- d-----w- c:\program files\Trend Micro

2010-05-21 19:14 . 2010-01-26 01:06 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-16 05:40 . 2010-05-16 05:40 -------- d-----w- c:\program files\Lame for Audacity

2010-05-15 22:27 . 2010-05-15 22:27 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

2010-05-09 15:47 . 2010-02-05 19:46 -------- d-----w- c:\program files\Vuze

2010-05-06 10:41 . 2008-04-14 11:42 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 15:20 . 2010-05-05 15:20 -------- d-----w- c:\program files\Common Files\VMware

2010-05-05 15:20 . 2010-05-05 15:20 -------- d-----w- c:\program files\VMware

2010-05-02 05:22 . 2008-04-14 07:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2008-04-14 11:39 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 03:23 . 2010-04-20 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2010-04-19 13:23 . 2010-01-27 15:19 -------- d-----w- c:\program files\Common Files\CAD

2010-04-18 22:54 . 2010-04-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-04-18 22:54 . 2010-04-16 03:39 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-03 16:39 . 2010-02-03 16:39 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2010-04-26 13:49 . 2010-02-03 16:39 239488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2010-02-03 16:39 . 2010-02-03 16:39 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2010-04-19 19:57 . 2010-04-19 19:57 27448 ----a-w- c:\program files\mozilla firefox\plugins\atsc3cls.dll

2010-02-04 20:58 . 2010-02-03 16:39 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2010-02-03 16:54 . 2010-02-03 16:54 32768 ----a-w- c:\program files\mozilla firefox\plugins\ptexmeet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2010-04-25 275768]

"PTOneClick"="c:\program files\WebEx\Productivity Tools\ptoneclk.exe" [2010-06-07 247096]

"Google Update"="c:\documents and settings\phaxayr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-25 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-05-20 466944]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-28 13537280]

"NVHotkey"="nvHotkey.dll" [2008-06-28 90112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-28 86016]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe" [2008-04-11 372736]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-03-05 718120]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-16 417792]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-23 64048]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-1-16 604776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-06-19 18:01 24669 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2266326540-3222975279-1551281842-1709\Scripts\Logon\0\0]

"Script"=Printer_inventory_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2266326540-3222975279-1551281842-1709\Scripts\Logon\0\1]

"Script"=Quick_Hardware_Inventory.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk

backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Documents and Settings\\phaxayr\\My Documents\\Software\\eclipse_Java\\eclipse.exe"=

"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

"c:\\Program Files\\Proxy Networks\\PROXY Pro Host\\PhSvc.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

"c:\\xampp\\apache\\bin\\httpd.exe"=

"c:\\xampp\\mysql\\bin\\mysqld.exe"=

"c:\\xampp\\tomcat\\jre\\bin\\javaw.exe"=

"c:\\xampp\\MercuryMail\\mercury.exe"=

"c:\\xampp\\FileZillaFTP\\FileZilla Server.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"1337:TCP"= 1337:TCP:192.168.1.107

"23729:TCP"= 23729:TCP:Trend Micro OfficeScan Listener

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/8/2010 10:41 PM 64288]

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [4/1/2010 10:20 AM 2234320]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/8/2010 10:08 PM 135336]

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [9/6/2007 7:29 PM 35692]

R2 ciCqmRecord;Quality Management Desktop Recording Service;c:\program files\Calabrio\WFO_QM\bin\sqmservice.exe [2/17/2010 10:36 PM 1966080]

R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [4/1/2010 10:19 AM 36400]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [11/11/2008 5:35 PM 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [11/11/2008 5:35 PM 20840]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352832]

R2 QMPD;Quality Management Packet Driver;c:\windows\system32\drivers\qmpd.sys [6/30/2009 9:07 AM 19712]

R2 SPCD;Spanlink Packet Capture Driver;c:\windows\system32\drivers\spcd.sys [8/25/2008 11:06 AM 18048]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [12/21/2007 4:46 PM 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [12/21/2007 4:46 PM 36368]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [1/22/2010 9:57 PM 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [1/22/2010 9:00 PM 563760]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [4/1/2010 10:19 AM 109072]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [4/1/2010 10:19 AM 671408]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [12/9/2008 11:26 AM 112512]

R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [12/30/2008 11:56 AM 12840]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [12/30/2008 11:56 AM 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/9/2008 11:33 AM 240344]

R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [12/9/2008 11:30 AM 144672]

R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [12/9/2008 11:30 AM 277504]

R3 ProxyHostInputFilter;PROXY Pro Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [1/13/2010 7:16 PM 14416]

S3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [12/9/2008 11:30 AM 148056]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [11/30/2007 6:29 PM 652552]

.

Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:16]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2266326540-3222975279-1551281842-1709Core.job

- c:\documents and settings\phaxayr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-25 21:58]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2266326540-3222975279-1551281842-1709UA.job

- c:\documents and settings\phaxayr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-25 21:58]

2010-06-16 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://loop/tiki/tiki-index.php?page=HomePage

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

LSP: c:\program files\VMware\VMware Player\vsocklib.dll

Trusted Zone: intuit.com\ttlc

FF - ProfilePath - c:\documents and settings\phaxayr\Application Data\Mozilla\Firefox\Profiles\343ql3un.default\

FF - component: c:\documents and settings\phaxayr\Application Data\Mozilla\Firefox\Profiles\343ql3un.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - component: c:\program files\WebEx\Productivity Tools\components\ocff.dll

FF - plugin: c:\documents and settings\phaxayr\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-15 21:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="c:\mysql\bin\mysqld-nt"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4404)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\idt\dellxpm09b_6159v043\wdm\stacsv.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Proxy Networks\PROXY Pro Host\phsvc.exe

c:\windows\system32\vmnat.exe

c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe

c:\program files\VMware\VMware Player\vmware-authd.exe

c:\windows\system32\vmnetdhcp.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\TEMP\PS5B85.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

c:\program files\Proxy Networks\PROXY Pro Host\PhSession.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

c:\windows\system32\rundll32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\WebEx\Productivity Tools\ptSrv.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2010-06-15 21:59:12 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-16 02:58

Pre-Run: 155,137,687,552 bytes free

Post-Run: 155,188,391,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4F6383219D4206B7B7DEBE3726B6EACD


  • Staff

Hi,

Let's check for leftovers.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.