Redirect problem + just-in-time debugger + other issues

[tduro]

On my home desktop, I started getting repetitive Just-In-Time Debugger errors, then in a day or two I started getting IE redirects. I ran Malwarebytes and Antivir in safe mode, multiple times. They kept finding problems, but have been unable to completely remove them.

I changed a debugger setting in the registry, and that seemed to help a little, but it wasn't long before I started having problems again. I ran Malwarebytes in safe mode again and found 19 problems. After removing them and rebooting, I can no longer connect to the internet.

I'm at work now, but I'll bring my work laptop home tonight so I can communicate while trying to fix my desktop.

Where do I start?

Thanks,

Tom

[screen317]

Hi and welcome to Malwarebytes.

Post the log from MBAM.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.

[tduro]

Thank you for helping me. My Malwarebytes log is posted below. When I clicked on your DDS link, I saved a file called DDS.scr to a flash drive and copied it to the desktop of my infected PC. My PC does not know how to open it.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4300

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 7.0.5730.13

7/13/2010 7:06:53 AM

mbam-log-2010-07-13 (07-06-53).txt

Scan type: Full scan (C:\|)

Objects scanned: 345682

Time elapsed: 3 hour(s), 58 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 7

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\xpcl04gj.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mlorumezim (Trojan.Hiloti) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbqftwvu (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbqftwvu (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\xpcl04gj.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\e5l8hpnx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\mimdhort.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\klxmajccl\cbnjveotssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mkjll.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\nmuv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

[tduro]

I found another source for DDS in another thread, and it ran OK. I hope this is the log you're looking for. If not, please let me know.

DDS (Ver_10-03-17.01) - NTFSx86

Run by HP_Administrator at 20:40:57.54 on Tue 07/13/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.513 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdateMgr.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cptpnq2lh5.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\WINDOWS\eHome\ehmsas.exe

c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

c:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\HP_Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Aim6]

uRun: [uiha98uiohf873yuiadnhgjesgregas] c:\docume~1\hp_adm~1\locals~1\temp\cptpnq2lh5.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [DISCover] c:\program files\disc\DISCover.exe

mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe

mRun: [PCDrProfiler]

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Rgaqimif] rundll32.exe "c:\windows\ihapurituci.dll",Startup

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with GetRight - c:\program files\getright\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

Trusted Zone: trymedia.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://secure.ugi.com/CACHE/stc/6/binaries/vpnweb.cab

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secure.ugi.com/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://vpn.ugi.com/sre/ICSScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://vpn.ugi.com/SNX/CSHELL/extender.cab

DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://24.229.34.148/viewer/activeXViewer/activexviewer.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.shh.org/dana-cached/setup/JuniperSetupSP1.cab

TCP: {038BA9CD-65F0-4706-AB0D-2A2CF42FFC52} = 206.46.230.148 71.252.0.12

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: lbpsiw.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-25 11608]

R1 NEOFLTR_600_14137;Juniper Networks TDI Filter Driver (NEOFLTR_600_14137);c:\windows\system32\drivers\NEOFLTR_600_14137.sys [2009-4-1 64160]

R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-25 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-25 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-25 56816]

R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2006-9-12 307295]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-25 24652]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]

R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2006-9-12 109008]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S2 mrtRate;mrtRate; [x]

S3 Ca100v;PenCam SD, WDM Video Capture;c:\windows\system32\drivers\Ca100v.sys [2007-1-4 516635]

============== File Associations ===============

.cmd=VisualCADD.Alias.4

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-07-12 21:46:13 2730 ----a-w- c:\windows\obozukohoma.dll

2010-07-10 12:53:32 0 ----a-w- c:\windows\Tsogadagakus.dat

2010-06-24 00:18:03 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-05-30 16:21:04 103720 ----a-w- c:\documents and settings\hp_administrator\GoToAssistDownloadHelper.exe

2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-26 21:42:06 96432 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 00:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2006-04-20 01:36:01 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 20:42:16.72 ===============

[screen317]

Hi,

Update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.
  

-screen317

[tduro]

Since my infected PC will not connect to the internet, can I just copy the MBAM setup file to my infected PC and run it? Will it be the most up-to-date veresion? Do I need to uninstall the old version first?

[tduro]

I installed MBAM on my infected PC and ran it. It wanted to update itself, but of course it could not since my infected PC cannot connect to the internet. I ran it anyway and copied the log below.

Combofix did not run at first. I got a Microsoft Windows Recovery Console window that said I don't have Microsoft Widwos recovery console installed or updated. It suggested Comobofix download and install it, but it requires an active internet connection, which I though my infected PC did not have. But I tried it anyway, and it worked. Log is copied below.

A also re-ran DDS and posted its log below.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

7/14/2010 6:04:26 PM

mbam-log-2010-07-14 (18-04-26).txt

Scan type: Quick scan

Objects scanned: 216215

Time elapsed: 27 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ComboFix 10-07-13.08 - HP_Administrator 07/14/2010 18:25:39.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.577 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Administrator\GoToAssistDownloadHelper.exe

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DAB8B625-02B9-4B14-B4BB-7E78D8CF917A}

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DAB8B625-02B9-4B14-B4BB-7E78D8CF917A}\chrome.manifest

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DAB8B625-02B9-4B14-B4BB-7E78D8CF917A}\chrome\content\_cfg.js

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DAB8B625-02B9-4B14-B4BB-7E78D8CF917A}\chrome\content\overlay.xul

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{DAB8B625-02B9-4B14-B4BB-7E78D8CF917A}\install.rdf

c:\documents and settings\Laura\Application Data\JuniperSetup.exe

c:\program files\Common

c:\program files\Shared

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\ihapurituci.dll

c:\windows\obozukohoma.dll

c:\windows\xpsp1hfm.log

D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))

.

2010-07-12 21:33 . 2010-07-13 11:06 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\klxmajccl

2010-07-12 21:32 . 2010-07-12 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-11 16:54 . 2010-07-11 16:54 -------- d-----w- c:\documents and settings\Stephen\Local Settings\Application Data\{0A1C1BB3-76D9-403D-9702-BD1AA7F5862F}

2010-07-11 06:09 . 2010-07-11 06:09 -------- d-----w- c:\documents and settings\Jessica\Local Settings\Application Data\{F4B4ADCB-7BB8-4F90-9FF0-FA7AB5375D91}

2010-07-10 12:53 . 2010-07-12 19:39 0 ----a-w- c:\windows\Tsogadagakus.dat

2010-06-24 00:18 . 2010-06-24 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-24 00:13 . 2010-06-24 00:13 -------- d-----w- c:\program files\Apple Software Update

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-14 22:10 . 2009-03-25 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-07-14 21:33 . 2009-02-15 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-13 04:55 . 2010-05-05 02:02 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-07 15:28 . 2010-01-26 19:45 99 ----a-w- c:\documents and settings\Stephen\jagex_runescape_preferences2.dat

2010-07-07 15:26 . 2008-08-23 22:08 46 ----a-w- c:\documents and settings\Stephen\jagex_runescape_preferences.dat

2010-07-05 10:07 . 2005-12-02 23:55 -------- d-----w- c:\program files\Quicken

2010-07-05 10:06 . 2010-07-05 10:06 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll

2010-07-05 10:06 . 2010-04-29 01:43 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE

2010-06-24 04:25 . 2010-06-24 04:25 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb12ED.tmp.exe

2010-06-24 00:19 . 2008-04-17 23:51 -------- d-----w- c:\program files\iTunes

2010-06-24 00:18 . 2008-04-17 23:51 -------- d-----w- c:\program files\iPod

2010-06-24 00:18 . 2008-04-17 23:48 -------- d-----w- c:\program files\Common Files\Apple

2010-06-24 00:15 . 2006-04-02 22:15 -------- d-----w- c:\program files\QuickTime

2010-06-24 00:10 . 2008-04-17 23:51 -------- d-----w- c:\program files\Bonjour

2010-06-20 13:10 . 2006-05-23 14:03 -------- d-----w- c:\documents and settings\Laura\Application Data\Juniper Networks

2010-06-16 00:01 . 2010-06-16 00:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-13 16:57 . 2010-06-13 16:57 -------- d-----w- c:\program files\Cisco

2010-06-13 16:56 . 2010-06-13 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco

2010-06-07 22:46 . 2010-06-07 22:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Cisco

2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-29 19:39 . 2009-02-15 22:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-02-15 22:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 01:47 . 2010-04-29 01:47 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll

2010-04-29 01:46 . 2010-04-29 01:46 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll

2010-04-29 01:46 . 2010-04-29 01:46 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll

2010-04-29 01:46 . 2010-04-29 01:46 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll

2010-04-29 01:46 . 2010-04-29 01:46 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll

2010-04-29 01:46 . 2010-04-29 01:46 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll

2010-04-29 01:45 . 2010-04-29 01:45 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll

2010-04-29 01:43 . 2010-04-29 01:43 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll

2010-04-29 01:43 . 2010-04-29 01:43 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd

2010-04-26 21:42 . 2009-02-08 16:14 96432 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 00:47 . 2009-03-25 19:21 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-20 00:47 . 2008-05-06 01:24 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2006-04-20 01:36 . 2006-04-20 01:36 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2006-04-15 1073152]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-7 553021]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NEOFLTR_600_14137;Juniper Networks TDI Filter Driver (NEOFLTR_600_14137);c:\windows\system32\drivers\NEOFLTR_600_14137.sys [4/1/2009 11:27 PM 64160]

R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 4:37 AM 64480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 7:19 AM 108289]

R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [9/12/2006 6:14 PM 307295]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/25/2007 9:47 PM 24652]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 6:32 PM 497856]

R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/12/2006 6:14 PM 109008]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:20 AM 135664]

S2 mrtRate;mrtRate; [x]

S3 Ca100v;PenCam SD, WDM Video Capture;c:\windows\system32\drivers\Ca100v.sys [1/4/2007 6:46 PM 516635]

.

Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-06 03:16]

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:20]

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: trymedia.com

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://secure.ugi.com/CACHE/stc/6/binaries/vpnweb.cab

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secure.ugi.com/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://vpn.ugi.com/sre/ICSScanner.cab

DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://vpn.ugi.com/SNX/CSHELL/extender.cab

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-PCDrProfiler - (no file)

HKLM-Run-Rgaqimif - c:\windows\ihapurituci.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-14 18:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-07-14 18:45:12

ComboFix-quarantined-files.txt 2010-07-14 22:44

Pre-Run: 127,444,029,440 bytes free

Post-Run: 135,631,847,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 96F877A92667401A7F7F2A1F400CD645

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DDS (Ver_10-03-17.01) - NTFSx86

Run by HP_Administrator at 18:46:27.79 on Wed 07/14/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.567 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\HP_Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [DISCover] c:\program files\disc\DISCover.exe

mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with GetRight - c:\program files\getright\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

Trusted Zone: trymedia.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://secure.ugi.com/CACHE/stc/6/binaries/vpnweb.cab

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secure.ugi.com/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://vpn.ugi.com/sre/ICSScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://vpn.ugi.com/SNX/CSHELL/extender.cab

DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://24.229.34.148/viewer/activeXViewer/activexviewer.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.shh.org/dana-cached/setup/JuniperSetupSP1.cab

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-25 11608]

R1 NEOFLTR_600_14137;Juniper Networks TDI Filter Driver (NEOFLTR_600_14137);c:\windows\system32\drivers\NEOFLTR_600_14137.sys [2009-4-1 64160]

R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-25 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-25 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-25 56816]

R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2006-9-12 307295]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-25 24652]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]

R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2006-9-12 109008]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S2 mrtRate;mrtRate; [x]

S3 Ca100v;PenCam SD, WDM Video Capture;c:\windows\system32\drivers\Ca100v.sys [2007-1-4 516635]

============== File Associations ===============

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-07-14 22:19:12 0 d-sha-r- C:\cmdcons

2010-07-14 22:10:01 98816 ----a-w- c:\windows\sed.exe

2010-07-14 22:10:01 77312 ----a-w- c:\windows\MBR.exe

2010-07-14 22:10:01 256512 ----a-w- c:\windows\PEV.exe

2010-07-14 22:10:01 161792 ----a-w- c:\windows\SWREG.exe

2010-07-14 22:09:36 0 d-----w- C:\ComboFix

2010-07-10 12:53:32 0 ----a-w- c:\windows\Tsogadagakus.dat

2010-06-24 00:18:03 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-26 21:42:06 96432 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 00:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2006-04-20 01:36:01 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 18:46:34.40 ===============

[screen317]

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.

• 
  
• Viewpoint
  
• Viewpoint Manager
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  

Let me know if you decided to uninstall it.

Next, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

mrtRate

KILALL::

File::

c:\windows\Tsogadagakus.dat

Folder::

c:\documents and settings\HP_Administrator\Local Settings\Application Data\klxmajccl

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Can you still not connect to the Internet?

-screen317

[tduro]

Hi Chris. Thanks for all the help. I'll try this out tonight. Unfortunately we're on opposite coasts. Please be patient with me due to the time zone difference.

[screen317]

Sure thing. Thanks for letting me know.

[tduro]

Chris, I found and uninstalled 2 Viewpoint programs. I followed your instructions regarding combofix and dds, and posted the logs below.

When I go to my network connections, there are 3 that say they're connected, yet I can't open an internet web page.

ComboFix 10-07-14.02 - HP_Administrator 07/15/2010 21:21:50.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.542 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\Tsogadagakus.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Administrator\Local Settings\Application Data\klxmajccl

c:\documents and settings\Jessica\Local Settings\Application Data\{F4B4ADCB-7BB8-4F90-9FF0-FA7AB5375D91}

c:\documents and settings\Jessica\Local Settings\Application Data\{F4B4ADCB-7BB8-4F90-9FF0-FA7AB5375D91}\chrome.manifest

c:\documents and settings\Jessica\Local Settings\Application Data\{F4B4ADCB-7BB8-4F90-9FF0-FA7AB5375D91}\chrome\content\_cfg.js

c:\documents and settings\Jessica\Local Settings\Application Data\{F4B4ADCB-7BB8-4F90-9FF0-FA7AB5375D91}\chrome\content\overlay.xul

c:\documents and settings\Jessica\Local Settings\Application Data\{F4B4ADCB-7BB8-4F90-9FF0-FA7AB5375D91}\install.rdf

c:\documents and settings\Stephen\Local Settings\Application Data\{0A1C1BB3-76D9-403D-9702-BD1AA7F5862F}

c:\documents and settings\Stephen\Local Settings\Application Data\{0A1C1BB3-76D9-403D-9702-BD1AA7F5862F}\chrome.manifest

c:\documents and settings\Stephen\Local Settings\Application Data\{0A1C1BB3-76D9-403D-9702-BD1AA7F5862F}\chrome\content\_cfg.js

c:\documents and settings\Stephen\Local Settings\Application Data\{0A1C1BB3-76D9-403D-9702-BD1AA7F5862F}\chrome\content\overlay.xul

c:\documents and settings\Stephen\Local Settings\Application Data\{0A1C1BB3-76D9-403D-9702-BD1AA7F5862F}\install.rdf

c:\windows\Tsogadagakus.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MRTRATE

-------\Service_mrtRate

((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))

.

2010-07-12 21:32 . 2010-07-12 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-24 00:18 . 2010-06-24 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-24 00:13 . 2010-06-24 00:13 -------- d-----w- c:\program files\Apple Software Update

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-16 01:07 . 2009-03-25 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-07-15 11:31 . 2010-02-18 21:12 -------- d-----w- c:\program files\Microsoft Silverlight

2010-07-15 11:15 . 2007-02-21 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-07-14 21:33 . 2009-02-15 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-13 04:55 . 2010-05-05 02:02 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-07 15:28 . 2010-01-26 19:45 99 ----a-w- c:\documents and settings\Stephen\jagex_runescape_preferences2.dat

2010-07-07 15:26 . 2008-08-23 22:08 46 ----a-w- c:\documents and settings\Stephen\jagex_runescape_preferences.dat

2010-07-05 10:07 . 2005-12-02 23:55 -------- d-----w- c:\program files\Quicken

2010-06-24 00:19 . 2008-04-17 23:51 -------- d-----w- c:\program files\iTunes

2010-06-24 00:18 . 2008-04-17 23:51 -------- d-----w- c:\program files\iPod

2010-06-24 00:18 . 2008-04-17 23:48 -------- d-----w- c:\program files\Common Files\Apple

2010-06-24 00:15 . 2006-04-02 22:15 -------- d-----w- c:\program files\QuickTime

2010-06-24 00:10 . 2008-04-17 23:51 -------- d-----w- c:\program files\Bonjour

2010-06-20 13:10 . 2006-05-23 14:03 -------- d-----w- c:\documents and settings\Laura\Application Data\Juniper Networks

2010-06-13 16:57 . 2010-06-13 16:57 -------- d-----w- c:\program files\Cisco

2010-06-13 16:56 . 2010-06-13 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco

2010-06-07 22:46 . 2010-06-07 22:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Cisco

2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-04 17:20 . 2004-08-10 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-10 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-10 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:56 . 2004-08-10 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-02-15 22:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-02-15 22:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 21:42 . 2009-02-08 16:14 96432 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 05:51 . 2004-08-10 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 00:47 . 2009-03-25 19:21 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-20 00:47 . 2008-05-06 01:24 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2006-04-20 01:36 . 2006-04-20 01:36 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2006-04-15 1073152]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-7 553021]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NEOFLTR_600_14137;Juniper Networks TDI Filter Driver (NEOFLTR_600_14137);c:\windows\system32\drivers\NEOFLTR_600_14137.sys [4/1/2009 11:27 PM 64160]

R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 4:37 AM 64480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 7:19 AM 108289]

R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [9/12/2006 6:14 PM 307295]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 6:32 PM 497856]

R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/12/2006 6:14 PM 109008]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:20 AM 135664]

S3 Ca100v;PenCam SD, WDM Video Capture;c:\windows\system32\drivers\Ca100v.sys [1/4/2007 6:46 PM 516635]

.

Contents of the 'Scheduled Tasks' folder

2010-07-16 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-06 03:16]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:20]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: trymedia.com

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://secure.ugi.com/CACHE/stc/6/binaries/vpnweb.cab

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secure.ugi.com/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://vpn.ugi.com/sre/ICSScanner.cab

DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://vpn.ugi.com/SNX/CSHELL/extender.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-15 21:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(488)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\arservice.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

c:\windows\system32\wdfmgr.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\windows\ARPWRMSG.EXE

c:\windows\eHome\ehmsas.exe

c:\program files\DISC\DiscStreamHub.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

.

**************************************************************************

.

Completion time: 2010-07-15 21:52:00 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-16 01:51

ComboFix2.txt 2010-07-14 22:45

Pre-Run: 135,581,921,280 bytes free

Post-Run: 135,502,770,176 bytes free

- - End Of File - - 7F57C7864CD26FE13DFEDCDE57CFBC2F

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DDS (Ver_10-03-17.01) - NTFSx86

Run by HP_Administrator at 21:55:06.68 on Thu 07/15/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.548 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdateMgr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

c:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\HP_Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [DISCover] c:\program files\disc\DISCover.exe

mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with GetRight - c:\program files\getright\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

Trusted Zone: trymedia.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://secure.ugi.com/CACHE/stc/6/binaries/vpnweb.cab

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secure.ugi.com/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://vpn.ugi.com/sre/ICSScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://vpn.ugi.com/SNX/CSHELL/extender.cab

DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://24.229.34.148/viewer/activeXViewer/activexviewer.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.shh.org/dana-cached/setup/JuniperSetupSP1.cab

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-25 11608]

R1 NEOFLTR_600_14137;Juniper Networks TDI Filter Driver (NEOFLTR_600_14137);c:\windows\system32\drivers\NEOFLTR_600_14137.sys [2009-4-1 64160]

R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-25 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-25 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-25 56816]

R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2006-9-12 307295]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]

R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2006-9-12 109008]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 Ca100v;PenCam SD, WDM Video Capture;c:\windows\system32\drivers\Ca100v.sys [2007-1-4 516635]

============== File Associations ===============

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-07-14 22:19:12 0 d-sha-r- C:\cmdcons

2010-07-14 22:10:01 98816 ----a-w- c:\windows\sed.exe

2010-07-14 22:10:01 77312 ----a-w- c:\windows\MBR.exe

2010-07-14 22:10:01 256512 ----a-w- c:\windows\PEV.exe

2010-07-14 22:10:01 161792 ----a-w- c:\windows\SWREG.exe

2010-06-24 00:18:03 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\dllcache\win32k.sys

2010-04-26 21:42:06 96432 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 00:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2006-04-20 01:36:01 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 21:55:13.10 ===============

[screen317]

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.
  

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[tduro]

I copied the url for that website to my infected PC, however my infected PC cannot open websites (even though the PC says it's connected). I got the message "internet explorer cannot display the webpage". By the way, I can't open common sites like cnn.com or google.com either.

[tduro]

Chris,

Everything seems fine except that I can't connect to the internet. My wireless router must be OK because all our wireless devices connect without issue.

Do the last set of logs reveal the presence of more virus issues? If not, is it possible that my connection settings just need to be changed?

Thanks,

Tom

[tduro]

Hi Chris,

I compared connection settings between my laptop, which connects wirelessly without issue, and my infected PC. I checked the "never dial a connection" box on my infected PC, and now it works fine.

Everything else seems to work fine now too. No internet redirects. No just-in-time debugger pop-ups. Is it still worthwhile to go through the steps indicated in your last message?

Thanks,

Tom

[screen317]

Hi Tom,

My apologies for the delay.

Yes please go through the steps in my last post; I would like to ensure that this computer is clean and safe to use.

[tduro]

Chris, here's the two logs. BTW everything has been working fine.

Thanks,

Tom

Scanning Report

Monday, July 19, 2010 18:45:16 - 20:32:23

Computer name: YOUR-4DACD0EA75

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

14 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Specificclick (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Trojan.Generic.3997346 (virus)

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL DOWNLOADS\SUD4131\MIGRATOR.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 86828

System: 4487

Not scanned: 10

Actions:

Disinfected: 13

Renamed: 1

Deleted: 0

Not cleaned: 0

Submitted: 1

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP4\A0000336.PIF

C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000011.PIF

C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMP\HSPERFDATA_HP_ADMINISTRATOR\1376

C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMP\HSPERFDATA_HP_ADMINISTRATOR\4056

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright

[screen317]

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Next, navigate to Microsoft Update, and install all available updates, including Service Pack 3 and Internet Explorer 8.

Once that completes, restart your computer and let me know what issues remain.

-screen317

[tduro]

Chris,

I successfully uninstalled combofix, deleted security check, and updated windows and IE. Everything seems to work fine now.

Thank you for your help.

Tom

[screen317]

Hi Tom,

Glad to hear it.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Sunbelt Personal Firewall

Comodo

Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
  
• Yellow for caution
  
• Red to stop
  

WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

[screen317]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!