Redirect to News 11 Today - Windows Defense Center


Just got slammed by the Windows Defense Center malware. I removed much of it with MBAM, but both Internet Explorer and Firefox continue to be plagued by redirects to various sites, including one called News 11 Today.

I have run Malwarebytes in Safe Mode with Networking several times - no more malware is being detected at this point. But my redirect problems persist, so I am posting my HijackThis log for your consideration. Any help would be appreciated:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:19:44 PM, on 6/16/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE

C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE

C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Online plug-in.lnk = ?

O4 - Global Startup: Printkey.lnk = C:\Printkey.exe

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://utility1:4343/officescan/console/Cl...ll/WinNTChk.cab

O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://utility1:4343/officescan/console/Cl...stall/setup.cab

O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://utility1:4343/officescan/console/Cl.../RemoveCtrl.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lcpartners.com

O17 - HKLM\Software\..\Telephony: DomainName = lcpartners.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lcpartners.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lcpartners.com

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 6909 bytes

And here is the DDS log - any help at all would be much appreciated!:

DDS (Ver_10-03-17.01) - NTFSx86

Run by brian at 13:44:48.04 on Wed 06/16/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.169 [GMT -7:00]

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE

C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE

C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\brian\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"

uRun: [skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\online~1.lnk - c:\windows\installer\{b8a2256e-6225-4d9e-b1c9-c26ca1e22feb}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printkey.lnk - c:\Printkey.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://utility1:4343/officescan/console/ClientInstall/WinNTChk.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://utility1:4343/officescan/console/ClientInstall/setup.cab

DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://utility1:4343/officescan/console/ClientInstall/RemoveCtrl.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\cuhnk2dn.default\

FF - plugin: c:\documents and settings\brian\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

=============== Created Last 30 ================

2010-06-16 19:11:07 0 d-sha-r- C:\cmdcons

2010-06-16 03:23:20 98816 ----a-w- c:\windows\sed.exe

2010-06-16 03:23:20 77312 ----a-w- c:\windows\MBR.exe

2010-06-16 03:23:20 256512 ----a-w- c:\windows\PEV.exe

2010-06-16 03:23:20 161792 ----a-w- c:\windows\SWREG.exe

2010-06-15 01:54:35 0 d-----w- C:\VundoFix Backups

2010-06-14 23:14:26 135 ----a-w- c:\windows\wininit.ini

2010-06-14 21:50:08 63 ----a-w- c:\windows\mdm.ini

2010-06-14 18:48:15 0 ----a-w- c:\windows\Agalunir.bin

2010-06-14 18:48:14 120 ----a-w- c:\windows\Ynokuvelikolakef.dat

2010-06-08 20:39:10 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-05-26 05:15:27 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX

==================== Find3M ====================

2010-05-06 10:41:53 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-05-06 10:41:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2010-04-06 11:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll

2009-03-09 17:03:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030920090310\index.dat

============= FINISH: 13:46:46.54 ===============

  • Root Admin

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own and run no scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Hello - thank you very much for your help. I have to admit that I already ran ComboFix. Here are the results:

ComboFix 10-06-17.02 - brian 06/18/2010 0:30.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.268 [GMT -7:00]

Running from: c:\documents and settings\brian\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9474527A-05A3-4007-B3B5-1FAC26DE0A31}

.

((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))

.

2010-06-17 15:53 . 2010-06-17 17:14 -------- d-----w- c:\windows\system32\NtmsData

2010-06-17 15:50 . 2010-06-17 15:50 -------- d-----w- c:\documents and settings\brian\Application Data\Avira

2010-06-17 05:24 . 2010-06-17 05:28 -------- dc-h--w- c:\windows\ie8

2010-06-17 02:46 . 2010-06-17 02:47 -------- d-----w- C:\Downloads

2010-06-16 21:37 . 2010-06-16 21:37 -------- d-----w- c:\program files\ESET

2010-06-16 21:04 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-06-16 21:04 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-06-16 21:04 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-06-16 21:04 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-06-16 21:04 . 2010-06-16 21:04 -------- d-----w- c:\program files\Avira

2010-06-16 21:04 . 2010-06-16 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-06-15 17:49 . 2010-06-15 17:49 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-06-15 17:49 . 2010-06-15 17:49 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-06-15 17:48 . 2010-06-15 17:48 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-06-15 17:48 . 2010-06-15 17:48 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-06-15 17:48 . 2010-06-15 17:48 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-06-15 17:46 . 2010-06-15 17:46 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-06-15 01:54 . 2010-06-15 01:54 -------- d-----w- C:\VundoFix Backups

2010-06-14 18:48 . 2010-06-14 18:48 0 ----a-w- c:\windows\Agalunir.bin

2010-06-14 18:48 . 2010-06-14 18:48 120 ----a-w- c:\windows\Ynokuvelikolakef.dat

2010-06-08 20:39 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-05-26 17:09 . 2009-12-14 14:57 213504 ----a-w- c:\documents and settings\brian\Application Data\Thunderbird\Profiles\cr6kz2g6.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll

2010-05-26 05:23 . 2010-06-15 17:49 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-05-26 05:22 . 2010-06-15 17:46 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-05-26 05:22 . 2010-06-15 17:41 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-05-26 05:22 . 2009-11-23 19:41 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Web Player\DivXWebPlayerUninstall.exe

2010-05-26 05:22 . 2009-11-23 19:41 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Player\DivXPlayerUninstall.exe

2010-05-26 05:22 . 2009-11-23 19:40 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe

2010-05-26 05:22 . 2009-11-23 19:41 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe

2010-05-26 05:22 . 2010-05-26 05:22 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe

2010-05-26 05:22 . 2010-05-26 05:22 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe

2010-05-26 05:22 . 2010-05-26 05:22 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe

2010-05-26 05:22 . 2010-05-26 05:22 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe

2010-05-26 05:22 . 2010-05-26 05:22 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe

2010-05-26 05:21 . 2010-05-26 05:21 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-05-26 05:21 . 2010-05-26 05:21 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-05-26 05:20 . 2010-05-26 05:20 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-05-26 05:20 . 2010-05-26 05:20 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

2010-05-26 05:15 . 2010-06-15 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-05-23 07:59 . 2010-05-23 07:59 -------- d-----w- c:\program files\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-18 07:41 . 2009-03-18 20:08 -------- d-----w- c:\documents and settings\brian\Application Data\Skype

2010-06-18 07:07 . 2009-03-18 20:13 -------- d-----w- c:\documents and settings\brian\Application Data\skypePM

2010-06-18 05:51 . 2009-09-05 16:30 -------- d-----w- c:\documents and settings\brian\Application Data\uTorrent

2010-06-18 03:42 . 2010-04-05 18:56 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-17 21:02 . 2009-04-06 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-17 02:58 . 2004-08-11 23:00 8832 ----a-w- c:\windows\system32\drivers\RasAcd.sys

2010-06-17 00:02 . 2009-04-06 17:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-16 20:18 . 2006-09-01 18:42 -------- d-----w- c:\program files\Trend Micro

2010-06-15 17:49 . 2009-06-07 08:29 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-06-15 17:49 . 2009-03-06 05:52 -------- d-----w- c:\program files\DivX

2010-06-14 21:49 . 2010-06-14 21:49 5058 ----a-w- c:\windows\Help\hhcolreg.dat

2010-06-14 19:10 . 2009-04-14 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-04 03:59 . 2009-05-10 06:57 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-23 08:03 . 2010-01-15 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-15 01:41 . 2009-09-05 16:31 -------- d-----w- c:\program files\uTorrent

2010-05-06 10:41 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2004-08-11 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:39 . 2009-04-14 20:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2009-04-14 20:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 03:22 . 2010-04-27 03:22 -------- d-----w- c:\program files\Common Files\Skype

2010-04-26 23:37 . 2009-05-26 23:54 -------- d-----w- c:\documents and settings\brian\Application Data\gtk-2.0

2010-04-20 05:30 . 2004-08-11 23:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2009-09-13 07:05 . 2009-09-13 07:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2009-09-13 07:06 . 2009-09-13 07:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2009-09-13 07:06 . 2009-09-13 07:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2009-09-13 07:06 . 2009-09-13 07:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2009-09-13 07:06 . 2009-09-13 07:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2009-09-13 07:07 . 2009-09-13 07:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2009-09-13 07:06 . 2009-09-13 07:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2009-09-13 07:06 . 2009-09-13 07:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2009-08-14 21:33 . 2009-08-14 21:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2009-09-13 07:06 . 2009-09-13 07:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-06-17_17.52.30 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-18 02:45 . 2010-06-18 02:45 16384 c:\windows\temp\Perflib_Perfdata_9dc.dat

+ 2010-06-18 02:42 . 2010-06-18 02:42 16384 c:\windows\temp\Perflib_Perfdata_520.dat

+ 2010-06-17 23:23 . 2009-05-26 11:40 17272 c:\windows\ie8updates\KB981332-IE8\spmsg.dll

+ 2010-06-17 23:23 . 2009-05-26 11:40 26488 c:\windows\ie8updates\KB981332-IE8\spcustom.dll

+ 2010-06-17 23:23 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB976662-IE8\spmsg.dll

+ 2010-06-17 23:23 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB976662-IE8\spcustom.dll

+ 2010-06-17 23:22 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB971961-IE8\spmsg.dll

+ 2010-06-17 23:22 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB971961-IE8\spcustom.dll

- 2004-08-11 23:00 . 2009-03-08 11:33 420352 c:\windows\system32\vbscript.dll

+ 2004-08-11 23:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll

- 2004-08-11 23:00 . 2009-03-08 11:33 726528 c:\windows\system32\jscript.dll

+ 2004-08-11 23:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll

- 2008-05-09 10:53 . 2009-03-08 11:33 420352 c:\windows\system32\dllcache\vbscript.dll

+ 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll

+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll

- 2008-05-09 10:53 . 2009-03-08 11:33 726528 c:\windows\system32\dllcache\jscript.dll

+ 2010-06-17 23:23 . 2009-03-08 11:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll

+ 2010-06-17 23:23 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\updspapi.dll

+ 2010-06-17 23:23 . 2009-05-26 11:40 755576 c:\windows\ie8updates\KB981332-IE8\update.exe

+ 2010-06-17 23:23 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll

+ 2010-06-17 23:23 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe

+ 2010-06-17 23:23 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst.exe

+ 2010-06-17 23:23 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\updspapi.dll

+ 2010-06-17 23:23 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB976662-IE8\update.exe

+ 2010-06-17 23:23 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll

+ 2010-06-17 23:23 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe

+ 2010-06-17 23:23 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst.exe

+ 2010-06-17 23:23 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll

+ 2010-06-17 23:22 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\updspapi.dll

+ 2010-06-17 23:22 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB971961-IE8\update.exe

+ 2010-06-17 23:22 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll

+ 2010-06-17 23:22 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe

+ 2010-06-17 23:22 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst.exe

+ 2010-06-17 23:22 . 2009-03-08 11:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-11 339968]

"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\dennis\Start Menu\Programs\Startup\

DesktopConnector.lnk - c:\program files\Extended Systems\DesktopConnector.exe [2005-6-22 303104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-12-23 82026]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-10 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Online plug-in.lnk - c:\windows\Installer\{B8A2256E-6225-4D9E-B1C9-C26CA1E22FEB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2010-1-8 73728]

Printkey.lnk - C:\Printkey.exe [2004-12-16 589824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logoff\0\0]

"Script"=c:\windows\CTXDEFPRNT-logoff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logoff\1\0]

"Script"=c:\windows\CTXDEFPRNT-logoff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logon\0\0]

"Script"=c:\windows\CTXDEFPRNT-logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logon\1\0]

"Script"=\\%USERDNSDOMAIN%\sysvol\lcpartners.com\scripts\LCP_GB_LOGON.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1163\Scripts\Logon\2\0]

"Script"=c:\windows\CTXDEFPRNT-logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logoff\0\0]

"Script"=c:\windows\CTXDEFPRNT-logoff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logoff\1\0]

"Script"=c:\windows\CTXDEFPRNT-logoff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logon\0\0]

"Script"=c:\windows\CTXDEFPRNT-logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logon\1\0]

"Script"=\\%USERDNSDOMAIN%\sysvol\lcpartners.com\scripts\LCP_GB_LOGON.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-1628\Scripts\Logon\2\0]

"Script"=c:\windows\CTXDEFPRNT-logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logoff\0\0]

"Script"=c:\windows\CTXDEFPRNT-logoff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logoff\1\0]

"Script"=c:\windows\CTXDEFPRNT-logoff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logon\0\0]

"Script"=c:\windows\CTXDEFPRNT-logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-117609710-1292428093-682003330-500\Scripts\Logon\1\0]

"Script"=c:\windows\CTXDEFPRNT-logon.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk

backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2004-05-17 02:18 528384 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eCopy Desktop Printer Service]

2001-08-02 17:28 136512 ----a-w- c:\progra~1\eCopy\Desktop\PCLprint\mrmlnc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Extended Systems\\DesktopConnector.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 7:13 PM 65584]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/16/2010 2:04 PM 135336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

FF - ProfilePath - c:\documents and settings\brian\Application Data\Mozilla\Firefox\Profiles\cuhnk2dn.default\

FF - plugin: c:\documents and settings\brian\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-18 00:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)

c:\windows\System32\BCMLogon.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1712)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-18 00:46:57

ComboFix-quarantined-files.txt 2010-06-18 07:46

ComboFix2.txt 2010-06-17 17:56

ComboFix3.txt 2010-06-17 04:16

ComboFix4.txt 2010-06-16 19:35

ComboFix5.txt 2010-06-18 07:27

Pre-Run: 8,953,700,352 bytes free

Post-Run: 8,939,462,656 bytes free

- - End Of File - - CA64E8219F04D7AE5F5D4A188510F3DC


  • Root Admin

STEP 01

Uninstall the following via Add or Remove Programs in Control Panel:

  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

Please note: Even if you are using a "safe" P2P program, it is only the program itself that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares; thus, engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections.

We strongly recommend that you uninstall them.

STEP 02

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
        • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

STEP 03

Please visit this site and restore Firefox back to the factory default settings.

Restore Firefox Default Settings Without Uninstalling It

STEP 04

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C netsh winsock reset catalog

STEP 05

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

STEP 06

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
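The ComboFix log above shows the firewall policy disabled ("EnableFirewall"= 0), Security Center monitoring switched off, and uTorrent in the firewall exception list, which is what STEP 01 and STEP 04 address. As an added example that is not part of this thread, here is a small Python triage script that parses a ComboFix-style Reg Loading Points excerpt (constructed here, modelled on the entries posted above) and flags those settings; the P2P names it matches are the ones listed in STEP 01.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the style of ComboFix's "Reg Loading Points" section.
# Not a real log: the entry types mirror the ones posted in the thread above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

# P2P clients named in STEP 01 of the thread, matched against exception paths.
P2P_MARKERS = ("utorrent", "bittorrent", "limewire", "morpheus")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group each "name"=value line under the [key] line that precedes it."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            entries[current].append((val.group(1), val.group(2).strip()))
    return entries


def int_value(value: str) -> Optional[int]:
    """Normalise ComboFix value forms: `0 (0x0)`, `dword:00000001`, or plain decimal."""
    hex_in_parens = re.search(r"\(0x([0-9a-fA-F]+)\)", value)
    if hex_in_parens:
        return int(hex_in_parens.group(1), 16)
    dword = re.match(r"^dword:([0-9a-fA-F]+)$", value)
    if dword:
        return int(dword.group(1), 16)
    return int(value) if value.isdigit() else None


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for settings a helper would flag."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg_points(text).items():
        lkey = key.lower()
        for name, value in values:
            lname = name.lower()
            if lkey.endswith(r"firewallpolicy\standardprofile") and lname == "enablefirewall":
                if int_value(value) == 0:
                    findings.append(("high", "Windows Firewall disabled in the standard profile"))
            elif r"security center\monitoring" in lkey and lname == "disablemonitoring":
                if int_value(value) == 1:
                    product = key.rsplit("\\", 1)[-1]
                    findings.append(("medium", f"Security Center monitoring disabled for {product}"))
            elif lkey.endswith(r"authorizedapplications\list"):
                # Exception entries carry doubled backslashes in the log; collapse them.
                path = lname.replace("\\\\", "\\")
                if any(marker in path for marker in P2P_MARKERS):
                    findings.append(("medium", f"P2P client allowed through the firewall: {name}"))
            elif lkey.endswith("icmpsettings") and lname == "allowinboundechorequest":
                if int_value(value) == 1:
                    findings.append(("info", "Inbound ICMP echo (ping) allowed"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_LOG):
        print(f"[{severity}] {finding}")
```

Paste the Reg Loading Points section of a real ComboFix log into `triage()` to get the same findings; an "EnableFirewall"= 1 entry produces no finding.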


Thank you - I have followed your instructions. Attached is the Kaspersky report - I had to run Kaspersky in safe mode because it would freeze up the two times I tried (with Avira active scan disabled) to run it in regular XP. Interestingly, the last time I ran Kaspersky in regular windows XP mode, it found 2 threats across 10 objects prior to freeze up. But in safe mode it only found 1 threat across 4 objects.

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, June 22, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, June 22, 2010 04:52:05

Records in database: 4309600

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

C:\

D:\

L:\

Scan statistics

Objects scanned 81404

Threats found 1

Infected objects found 4

Suspicious objects found 0

Scan duration 03:34:31

File name Threat Threats count

C:\WINDOWS\CSC\d2\800003F1 Infected: not-a-virus:AdWare.Win32.Cydoor 2

C:\WINDOWS\CSC\d5\800017B4 Infected: not-a-virus:AdWare.Win32.Cydoor 2

Selected area has been scanned.


  • Root Admin

Please run the following and post back the log.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
    • When the update is complete, select the Scanner tab
    • Select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log


Hello again - thanks for all of your help! Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4227

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/22/2010 11:06:08 PM

mbam-log-2010-06-22 (23-06-08).txt

Scan type: Quick scan

Objects scanned: 158266

Time elapsed: 13 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Please review the following article from Microsoft. That appears to be an offline-files folder cache that the AV found.

How to re-initialize the offline files cache and database

http://support.microsoft.com/kb/230738

Then update your own local AV and do a Full System scan with it and let me know if it finds anything or not.

How is the computer running now otherwise?


  • Root Admin

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.

Disable your AntiVirus temporarily so that it does not block removal of Combofix.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall


This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

============================================

So how did I get infected in the first place?


This topic is now closed to further replies.