can't rid my computer of redirects and new web tabs, please help!


amaker

Hello, Thanks for helping. I have a PC running Windows XP and Service Pack 3. I got a virus where when I open either Internet Explorer or Mozilla, and click on a link, instead of opening the link, it names the IE tab "redirect" or "jump" and opens an unrelated page. This page in the address bar often has /jump/ in it or get-search-results. The page is often a paid advertisement search page. These are not pop-ups in separate windows, but actual tabs and webpages in IE. If I open a link as "open page in a new tab," then I can get to that link on another tab, but it still then takes on a mind of its own and opens up its own tab. If I quit IE after this, it will not reopen again if I do not reboot the computer. It has completely incapacitated my computer and I cannot use the internet for anything at all, and I need it for work daily.

I have run Malwarebytes, which often finds a trojan or more, and cleans it, or often, it finds nothing at all. I have run Spybot Search & Destroy, which finds multiple cookies, and cleans them, and then on another run is clean. I have also run AVG and my Symantec software. I have gone through this process of cleaning the computer until it is spotless on all programs, and have even done this in safe mode, but still I get this same problem when I open the internet even after running all of these programs. I ran all the programs recommended on your website and have attached the logs as requested. Thank you so much for helping me fix this.

Here is the GMER ark.txp:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-02 13:33:51

Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-10 ST3320620AS rev.3.AAK

Running: bclitsmp[1].exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpow.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1084] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.15 ----

Here is the DDS log:

DDS (Ver_10-11-27.01) - NTFSx86 NETWORK

Run by Administrator at 13:37:32.09 on Thu 12/02/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1281 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4YLF9U8D\Defogger[1].exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3C6XMFWS\dds[1].scr

============== Pseudo HJT Report ===============

mURLSearchHooks: Synapse UrlSearchHook Class: {3d31a26e-04d4-4b45-afd4-da4e1ae4af1b} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Synapse BHO Class: {33414365-e6c7-460d-880a-a163bd69e84d} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll__BHODemonDisabled

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll__BHODemonDisabled

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll__BHODemonDisabled

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll__BHODemonDisabled

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll__BHODemonDisabled

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [synapse URLSearchHook Configuration] RUNDLL32.EXE c:\progra~1\fujime~1\synapse\workst~1\FujiFld.dll,ConfigureSynapseUrlSearchHook

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [Jpecehoh] rundll32.exe "c:\windows\orekuzoxufap.dll",Startup

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab

DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB

DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/52.06/uploader2.cab

DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab

DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab

DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} - hxxp://ppd.partners.org/gme/MSflxGrd.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180661164644

DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab

DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://centricity/ami/install/msxml4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9554D93D-C653-4AFD-854C-AF61F7BF7F42} - hxxp://immcsynapse.immc.advocatehealth.com/osd/synapseWorkstationInf.cab

DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab

DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} - hxxp://centricity/ami/install/amiviewer.cab

DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://mskvpn.mskcc.org/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://mskvpn.mskcc.org/dana-cached/sc/JuniperSetupClient.cab

DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} - hxxp://immcsynapse.immc.advocatehealth.com/osd/x86/win95/FujiInst.cab

DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab

TCP: {9B5FB89F-1C09-4F9F-8651-A4648C5CD314} = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {C77559E8-5890-4CA9-9327-DED03958CA1E} - c:\documents and settings\ajay\local settings\application data\{C77559E8-5890-4CA9-9327-DED03958CA1E}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]

R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-1-19 41624]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-7-12 24521]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]

S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]

S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

S2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2009-10-22 80920]

S2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2010-1-19 154264]

S2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\fuji medical system\synapse\workstation\SynapseUpdateManager.exe [2009-5-21 167424]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2008-7-12 811008]

S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-7-12 155184]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-8-14 38224]

S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]

S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [2008-3-11 12288]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-6-3 189792]

=============== Created Last 30 ================

2010-12-02 16:48:05 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe

2010-12-01 05:00:48 0 ----a-w- c:\windows\Rrijadapeqik.bin

2010-12-01 04:59:56 -------- d--h--w- C:\$AVG

2010-11-29 22:24:47 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2010-11-29 22:23:46 -------- d-----w- c:\windows\system32\drivers\AVG

2010-11-29 22:23:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-11-29 22:23:19 -------- d-----w- c:\program files\AVG

2010-11-29 21:42:57 241704 ----a-w- c:\windows\system32\WgaLogon.dll.bak

2010-11-29 06:31:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-11-29 06:28:35 -------- d-----w- c:\program files\CCleaner

2010-11-26 04:29:35 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-11-26 04:29:35 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-11-26 04:29:29 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-11-26 04:29:29 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-11-10 04:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

============= FINISH: 13:38:00.57 ===============

Attached are the zips of the attach.txt file and the ark.txp file as outlined.

Attach.zip

ark.txp.zip

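As an added example (not from the thread, and not Malwarebytes' code), here is a small Python triage script that applies three checks a helper would make on the DDS log above: a rundll32 autorun loading a DLL dropped straight into c:\windows, a hosts entry sinkholing a security site, and a zero-byte file created in the Windows root. The sample lines are copied from the log above plus benign ones; the heuristics and the keyword list are my own assumptions.

```python
"""Triage a DDS log for the indicators discussed in this thread.

Three heuristic checks, each returning a finding dict or None:
  * an autorun (uRun/mRun/dRun) that uses rundll32 to load a DLL sitting
    directly in c:\\windows (installed software keeps DLLs in subfolders);
  * a hosts-file entry that sinkholes a security-related site to localhost;
  * a file newly created directly in the Windows root ("Created Last 30").
Every hit still needs a human look; this only narrows what to read.
"""
import re

# Constructed sample: lines copied from the DDS log above, plus benign ones
# from the same log so the checks have something to ignore.
SAMPLE_DDS_LINES = [
    r'mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup',
    r'mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe',
    r'mRun: [Jpecehoh] rundll32.exe "c:\windows\orekuzoxufap.dll",Startup',
    r'dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t',
    r'Hosts: 127.0.0.1 www.spywareinfo.com',
    r'2010-12-01 05:00:48 0 ----a-w- c:\windows\Rrijadapeqik.bin',
    r'2010-11-29 22:23:19 -------- d-----w- c:\program files\AVG',
    r'2010-11-26 04:29:35 21504 ----a-w- c:\windows\system32\hidserv.dll',
]

RUN_RE = re.compile(r'^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
HOSTS_RE = re.compile(r'^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)', re.I)
CREATED_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+'
                        r'(?P<size>\d+|-+)\s+(?P<attr>\S+)\s+(?P<path>.+)$')
# A DLL directly under c:\windows: no further backslash before ".dll".
WINROOT_DLL_RE = re.compile(r'c:\\windows\\[^\\",]+\.dll\b', re.I)
# Any file directly under c:\windows (one path component after the root).
WINROOT_FILE_RE = re.compile(r'^c:\\windows\\[^\\]+\.[a-z0-9]+$', re.I)

SINKHOLE_IPS = {'127.0.0.1', '0.0.0.0'}
# Assumed keyword list; extend with the vendors you actually care about.
SEC_KEYWORDS = ('spyware', 'malware', 'antivirus', 'virus', 'avg', 'symantec',
                'mcafee', 'kaspersky', 'microsoft')


def finding(severity, check, detail, line):
    return {'severity': severity, 'check': check, 'detail': detail, 'line': line}


def check_run_entry(line):
    """Flag rundll32 autoruns whose DLL lives directly in the Windows root."""
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd')
    dll = WINROOT_DLL_RE.search(cmd)
    if 'rundll32' in cmd.lower() and dll:
        return finding('high', 'autorun',
                       f'rundll32 loads {dll.group(0)} from the Windows root '
                       f'(entry [{m.group("name")}])', line)
    return None


def check_hosts_entry(line):
    """DDS only prints non-default hosts lines, so every one is worth a look;
    a security site pointed at localhost is the classic update/AV blocker."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.group('ip'), m.group('host').lower()
    if ip in SINKHOLE_IPS and any(k in host for k in SEC_KEYWORDS):
        return finding('high', 'hosts', f'{host} sinkholed to {ip}', line)
    return finding('info', 'hosts', f'non-default hosts entry {ip} {host}', line)


def check_created_file(line):
    """Flag files (not directories) newly created directly in c:\\windows."""
    m = CREATED_RE.match(line)
    if not m or m.group('attr').startswith('d'):
        return None
    path, size = m.group('path'), m.group('size')
    if WINROOT_FILE_RE.match(path):
        note = ', zero bytes' if size == '0' else ''
        return finding('medium', 'created',
                       f'new file directly in Windows root: {path}{note}', line)
    return None


CHECKS = (check_run_entry, check_hosts_entry, check_created_file)
SEVERITY_ORDER = {'high': 0, 'medium': 1, 'info': 2}


def triage(lines):
    """Apply every check to every line; return findings, highest severity first."""
    hits = []
    for raw in lines:
        line = raw.strip()
        for check in CHECKS:
            hit = check(line)
            if hit:
                hits.append(hit)
    return sorted(hits, key=lambda h: SEVERITY_ORDER[h['severity']])


if __name__ == '__main__':
    for h in triage(SAMPLE_DDS_LINES):
        print(f"[{h['severity']:6}] {h['check']:8} {h['detail']}")
```

Run against the full "Pseudo HJT Report" and "Created Last 30" sections, it surfaces the [Jpecehoh] entry, the spywareinfo.com hosts line and Rrijadapeqik.bin while staying quiet on the vendor entries in system32 and Program Files.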

Hello amaker! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only

Thanks. I ran Malwarebytes. It found 3 threats that were removed. Here is the log:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

12/2/2010 6:49:49 PM

mbam-log-2010-12-02 (18-49-49).txt

Scan type: Quick scan

Objects scanned: 141368

Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And here is the new DDS log you requested. By the way, I am running these all in safe mode with networking, logged in under Administrator. Please let me know if I should be doing this in normal mode or otherwise:

DDS (Ver_10-11-27.01) - NTFSx86 NETWORK

Run by Administrator at 18:55:21.28 on Thu 12/02/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1706 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3C6XMFWS\dds[1].scr

============== Pseudo HJT Report ===============

mURLSearchHooks: Synapse UrlSearchHook Class: {3d31a26e-04d4-4b45-afd4-da4e1ae4af1b} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Synapse BHO Class: {33414365-e6c7-460d-880a-a163bd69e84d} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll__BHODemonDisabled

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll__BHODemonDisabled

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll__BHODemonDisabled

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll__BHODemonDisabled

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll__BHODemonDisabled

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [synapse URLSearchHook Configuration] RUNDLL32.EXE c:\progra~1\fujime~1\synapse\workst~1\FujiFld.dll,ConfigureSynapseUrlSearchHook

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [Jpecehoh] rundll32.exe "c:\windows\orekuzoxufap.dll",Startup

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-PRHGH.exe" /REG /REGSVRMODE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab

DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB

DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/52.06/uploader2.cab

DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab

DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab

DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} - hxxp://ppd.partners.org/gme/MSflxGrd.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180661164644

DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab

DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://centricity/ami/install/msxml4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9554D93D-C653-4AFD-854C-AF61F7BF7F42} - hxxp://immcsynapse.immc.advocatehealth.com/osd/synapseWorkstationInf.cab

DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab

DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} - hxxp://centricity/ami/install/amiviewer.cab

DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://mskvpn.mskcc.org/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://mskvpn.mskcc.org/dana-cached/sc/JuniperSetupClient.cab

DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} - hxxp://immcsynapse.immc.advocatehealth.com/osd/x86/win95/FujiInst.cab

DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab

TCP: {9B5FB89F-1C09-4F9F-8651-A4648C5CD314} = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {C77559E8-5890-4CA9-9327-DED03958CA1E} - c:\documents and settings\ajay\local settings\application data\{C77559E8-5890-4CA9-9327-DED03958CA1E}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]

R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-1-19 41624]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-7-12 24521]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]

S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]

S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

S2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2009-10-22 80920]

S2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2010-1-19 154264]

S2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\fuji medical system\synapse\workstation\SynapseUpdateManager.exe [2009-5-21 167424]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2008-7-12 811008]

S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-7-12 155184]

S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]

S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [2008-3-11 12288]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-6-3 189792]

=============== Created Last 30 ================

2010-12-03 00:44:50 709456 ----a-w- c:\windows\is-PRHGH.exe

2010-12-02 16:48:05 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe

2010-12-01 05:00:48 0 ----a-w- c:\windows\Rrijadapeqik.bin

2010-12-01 04:59:56 -------- d--h--w- C:\$AVG

2010-11-29 22:24:47 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2010-11-29 22:23:46 -------- d-----w- c:\windows\system32\drivers\AVG

2010-11-29 22:23:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-11-29 22:23:19 -------- d-----w- c:\program files\AVG

2010-11-29 21:42:57 241704 ----a-w- c:\windows\system32\WgaLogon.dll.bak

2010-11-29 06:31:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-11-29 06:28:35 -------- d-----w- c:\program files\CCleaner

2010-11-26 04:29:35 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-11-26 04:29:35 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-11-26 04:29:29 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-11-26 04:29:29 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-11-10 04:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

============= FINISH: 18:56:11.56 ===============

Your database version of MBAM was not updated at that time. Please update it before the scan.
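A small parser for the Malwarebytes' Anti-Malware 1.x log format requested in the instructions above, with the checks a helper does by eye: whether the database version was current, whether the summary counts match the listed items, whether every item was actually removed, and whether any item is a "Disabled.*" entry (protection notifications switched off). This is an added example written for this thread, not Malwarebytes' own code; the sample log is the thread's first scan log, trimmed, and 5243 is the database version of the later, updated scan.

```python
# Parse a Malwarebytes' Anti-Malware 1.x text log and check it the way the helper
# in this thread does: database current, counts consistent, items removed,
# Security Center tamper entries present. Added example; not Malwarebytes' code.
import re

# Constructed from the thread's first MBAM log (database 5214), trimmed.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5214
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Quick scan
Memory Processes Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

DB_RE = re.compile(r"^Database version: (\d+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 0"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
# item line: path (Detection.Name) -> [Bad: (x) Good: (y) ->] action
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return database_version, safe_mode, per-section summary counts and the
    parsed detection items grouped by section name."""
    info = {"database_version": None, "safe_mode": False, "summary": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DB_RE.match(line)
        if m:
            info["database_version"] = int(m.group(1))
            continue
        if line.startswith("Windows ") and "(Safe Mode)" in line:
            info["safe_mode"] = True
            continue
        m = SUMMARY_RE.match(line)
        if m:
            info["summary"][m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            info["items"].setdefault(section, [])
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            parts = m.group("rest").split(" -> ")  # optional "Bad/Good" part, then action
            info["items"][section].append({
                "path": m.group("path"),
                "detection": m.group("detection"),
                "values": parts[0] if len(parts) > 1 else None,
                "action": parts[-1],
            })
    return info


def check_log(info, min_db_version):
    """Return human-readable findings; empty means nothing to follow up on."""
    findings = []
    db = info["database_version"]
    if db is None:
        findings.append("no database version line found")
    elif db < min_db_version:
        findings.append(f"database version {db} is older than {min_db_version}; update and rescan")
    for section, count in info["summary"].items():
        listed = len(info["items"].get(section, []))
        if listed != count:
            findings.append(f"{section}: summary says {count}, log lists {listed}")
    for items in info["items"].values():
        for item in items:
            if not item["action"].startswith("Quarantined and deleted"):
                findings.append(f"not removed: {item['path']} ({item['action']})")
            if item["detection"].startswith("Disabled."):
                findings.append(f"tamper entry removed: {item['path']} ({item['detection']})")
    return findings


if __name__ == "__main__":
    for finding in check_log(parse_mbam_log(SAMPLE_LOG), 5243):
        print(finding)
```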

OK. Here it is. Please advise next steps:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5243

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

12/4/2010 10:16:04 AM

mbam-log-2010-12-04 (10-16-04).txt

Scan type: Quick scan

Objects scanned: 141922

Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And here is the DDS log:

DDS (Ver_10-11-27.01) - NTFSx86 NETWORK

Run by Administrator at 10:35:12.17 on Sat 12/04/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1575 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3C6XMFWS\dds[1].scr

============== Pseudo HJT Report ===============

mURLSearchHooks: Synapse UrlSearchHook Class: {3d31a26e-04d4-4b45-afd4-da4e1ae4af1b} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Synapse BHO Class: {33414365-e6c7-460d-880a-a163bd69e84d} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll__BHODemonDisabled

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll__BHODemonDisabled

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll__BHODemonDisabled

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll__BHODemonDisabled

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll__BHODemonDisabled

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [synapse URLSearchHook Configuration] RUNDLL32.EXE c:\progra~1\fujime~1\synapse\workst~1\FujiFld.dll,ConfigureSynapseUrlSearchHook

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [Jpecehoh] rundll32.exe "c:\windows\orekuzoxufap.dll",Startup

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-PRHGH.exe" /REG /REGSVRMODE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab

DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB

DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/52.06/uploader2.cab

DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab

DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab

DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} - hxxp://ppd.partners.org/gme/MSflxGrd.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180661164644

DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab

DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://centricity/ami/install/msxml4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9554D93D-C653-4AFD-854C-AF61F7BF7F42} - hxxp://immcsynapse.immc.advocatehealth.com/osd/synapseWorkstationInf.cab

DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab

DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} - hxxp://centricity/ami/install/amiviewer.cab

DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://mskvpn.mskcc.org/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://mskvpn.mskcc.org/dana-cached/sc/JuniperSetupClient.cab

DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} - hxxp://immcsynapse.immc.advocatehealth.com/osd/x86/win95/FujiInst.cab

DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab

TCP: {9B5FB89F-1C09-4F9F-8651-A4648C5CD314} = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {C77559E8-5890-4CA9-9327-DED03958CA1E} - c:\documents and settings\ajay\local settings\application data\{C77559E8-5890-4CA9-9327-DED03958CA1E}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]

R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-1-19 41624]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-7-12 24521]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]

S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]

S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

S2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2009-10-22 80920]

S2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2010-1-19 154264]

S2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\fuji medical system\synapse\workstation\SynapseUpdateManager.exe [2009-5-21 167424]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2008-7-12 811008]

S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-7-12 155184]

S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]

S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [2008-3-11 12288]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-6-3 189792]

=============== Created Last 30 ================

2010-12-03 00:44:50 709456 ----a-w- c:\windows\is-PRHGH.exe

2010-12-02 16:48:05 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe

2010-12-01 05:00:48 0 ----a-w- c:\windows\Rrijadapeqik.bin

2010-12-01 04:59:56 -------- d--h--w- C:\$AVG

2010-11-29 22:24:47 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2010-11-29 22:23:46 -------- d-----w- c:\windows\system32\drivers\AVG

2010-11-29 22:23:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-11-29 22:23:19 -------- d-----w- c:\program files\AVG

2010-11-29 21:42:57 241704 ----a-w- c:\windows\system32\WgaLogon.dll.bak

2010-11-29 06:31:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-11-29 06:28:35 -------- d-----w- c:\program files\CCleaner

2010-11-26 04:29:35 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-11-26 04:29:35 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-11-26 04:29:29 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-11-26 04:29:29 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-11-10 04:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

============= FINISH: 10:35:32.93 ===============

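Helpers triage DDS logs like the one above by eye; as an added example (not part of this thread, and not DDS or ComboFix code) this Python script pulls out of an excerpt of that log the entries a reviewer would look at first: hosts-file overrides, a hidden Firefox extension installed inside a user profile, a registered driver whose file is missing, and a freshly created zero-byte file. The flagging rules are my own assumptions about what merits a second look, not verdicts.

```python
"""Triage helper for DDS-style logs like the one posted in this thread.

Added example, not part of the thread or of the DDS/ComboFix tools. It parses
the FIREFOX, "SERVICES / DRIVERS" and "Created Last 30" sections of a DDS log
and flags the lines a helper looks at first. Every heuristic is an assumption:
a flagged entry is something to review by hand, not proof of infection.
"""
import re
from dataclasses import dataclass

# "<state> <name>;<display>;<path> [date size]", or "... <path> --> <path> [?]"
# when DDS could not find the service/driver binary on disk.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "<date> <time> <size-or-dashes> <attrs> <path>" from the "Created Last 30" section.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# "FF - HiddenExtension: <name>: <id or 'No Registry Reference'> - <path>"
FF_EXT_RE = re.compile(r"^FF - HiddenExtension: (?P<name>[^:]+): (?P<id>.+?) - (?P<path>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


@dataclass
class Finding:
    kind: str    # short category for the caller
    detail: str  # the name or path to go and look at


def triage(log_text: str) -> list:
    """Return the entries of a DDS log worth a second look, in log order."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):
            # Section banner such as "============= SERVICES / DRIVERS ==============="
            section = line.strip("= ").lower()
            continue
        m = HOSTS_RE.match(line)
        if m:
            # Any hosts-file override is worth knowing about; in this thread a
            # security site is pointed at loopback, which blocks help pages.
            findings.append(Finding("hosts-entry", f"{m['host']} -> {m['ip']}"))
            continue
        if section == "firefox":
            m = FF_EXT_RE.match(line)
            if m and "\\documents and settings\\" in m["path"].lower():
                # Hidden extension living inside a user profile rather than
                # under Program Files or the Windows directory.
                findings.append(Finding("hidden-extension-in-profile", m["name"].strip()))
        elif section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m and m["rest"].rstrip().endswith("[?]"):
                # Registered service/driver whose file is gone or hidden.
                findings.append(Finding("service-file-missing", m["name"]))
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if m and m["size"] == "0":
                # Recently created zero-byte file; compare against what the
                # later ComboFix run actually removed.
                findings.append(Finding("zero-byte-file", m["path"]))
    return findings


# Excerpt of the DDS log posted earlier in this thread, used as sample input.
SAMPLE_LOG = r"""
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {C77559E8-5890-4CA9-9327-DED03958CA1E} - c:\documents and settings\ajay\local settings\application data\{C77559E8-5890-4CA9-9327-DED03958CA1E}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]

=============== Created Last 30 ================

2010-12-03 00:44:50 709456 ----a-w- c:\windows\is-PRHGH.exe

2010-12-02 16:48:05 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe

2010-12-01 05:00:48 0 ----a-w- c:\windows\Rrijadapeqik.bin

2010-12-01 04:59:56 -------- d--h--w- C:\$AVG

==================== Find3M ====================
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.detail}")
```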

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

    (image: CF_download_FF.gif)

    (image: CF_download_rename.gif)

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


I've been trying all evening to run ComboFix but can't get it to run. I've disabled Windows Defender and Spybot and AVG. However, when I try to run ComboFix, it says that it cannot run as long as AVG is on the computer and to remove it completely. So I tried removing it, but my Add/Remove Programs in the Control Panel will not remove it. It keeps freezing whenever I try to remove AVG, and I cannot remove it.


Ignore this warning from ComboFix.

Thank you for your consistent help with this. It does not give me the option to ignore the warning. A dialogue box comes up saying it is unsafe to run ComboFix with AVG on and to uninstall or use another program. The only option is to hit "OK".

When I uninstall AVG now I get an AVG dialogue box saying "setup error, severity:error, error code 0xE001D02B, error message: avg installer - Product not installed, uninstallation request ignored..."

What now?


Thank you for your help. I was at work pretty much for the last 3 days, but back to fixing this now so I can have my computer back!

OK. Neither Explorer nor Firefox will open that page, so I got it up on my laptop and will take care of this now.

I don't understand it. I can get IE and Firefox to load any number of pages, but it will not bring up avg.com so that I can follow the directions of that FAQ to unload the program? Help.


I'm still waiting for ComboFix log. We're not ready.

OK. So the internet would not open the AVG page, the CNET page, or the FileHippo mirror (this virus seems to be blocking anything to do with AVG), so I finally reloaded AVG off a random mirror, and thus was able to uninstall it successfully. Then I could finally run ComboFix. First it asked me to update ComboFix, which I let it do, then it said that "this machine does not have microsoft windows recovery console installed or it is present but requires updating. without it combofix shall not attempt the fixing of some serious infections..." so then I let it install that. Then it started scanning, then it stopped and said "combofix has detected the presence of rootkit activity and needs to reboot the machine." so I rebooted the machine. It is now scanning and going through the stages. I will post that when it is done.


Great. Here is the log below. Waiting for your next instructions. Thanks!

Here is the ComboFix log:

ComboFix 10-12-09.01 - Ajay 12/09/2010 23:56:10.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1688 [GMT -6:00]

Running from: c:\documents and settings\Ajay\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ajay\Application Data\Adobe\AdobeUpdate .exe

c:\documents and settings\Ajay\Application Data\Adobe\plugs

c:\documents and settings\Ajay\Local Settings\Application Data\{C77559E8-5890-4CA9-9327-DED03958CA1E}

c:\documents and settings\Ajay\Local Settings\Application Data\{C77559E8-5890-4CA9-9327-DED03958CA1E}\chrome.manifest

c:\documents and settings\Ajay\Local Settings\Application Data\{C77559E8-5890-4CA9-9327-DED03958CA1E}\chrome\content\_cfg.js

c:\documents and settings\Ajay\Local Settings\Application Data\{C77559E8-5890-4CA9-9327-DED03958CA1E}\chrome\content\overlay.xul

c:\documents and settings\Ajay\Local Settings\Application Data\{C77559E8-5890-4CA9-9327-DED03958CA1E}\install.rdf

c:\recycler\k-1-3542-4232123213-7676767-8888886

c:\windows\orekuzoxufap.dll

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))

.

2010-12-10 05:45 . 2010-12-10 05:46 -------- d-----w- C:\32788R22FWJFW

2010-12-10 05:15 . 2010-12-10 05:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10

2010-12-02 16:48 . 2010-12-02 16:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-12-01 05:00 . 2010-12-09 14:47 0 ----a-w- c:\windows\Rrijadapeqik.bin

2010-11-29 22:30 . 2010-11-29 22:30 -------- d-----w- c:\documents and settings\Ajay\Application Data\AVG10

2010-11-29 22:24 . 2010-11-29 22:24 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-29 22:23 . 2010-12-10 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-11-29 22:23 . 2010-11-29 22:23 -------- d-----w- c:\program files\AVG

2010-11-29 06:31 . 2010-12-05 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-29 06:28 . 2010-11-29 06:28 -------- d-----w- c:\program files\CCleaner

2010-11-29 06:13 . 2010-11-29 06:13 -------- d-sh--w- c:\documents and settings\LocalService\UserData

2010-11-29 06:13 . 2010-11-29 06:13 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-11-29 06:13 . 2010-11-29 06:13 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache

2010-11-26 04:29 . 2008-04-14 02:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-11-26 04:29 . 2008-04-14 02:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-11-26 04:29 . 2008-04-13 20:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-11-26 04:29 . 2008-04-13 20:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-11-15 00:56 . 2010-11-15 00:56 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-11-15 00:56 . 2010-11-15 00:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-11-15 00:44 . 2010-11-15 00:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 23:42 . 2010-08-14 19:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 23:42 . 2010-08-14 19:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2010-10-10 00:05 . 2007-06-01 01:15 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2010-10-10 00:05 . 2007-06-01 01:15 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2010-10-10 00:05 . 2007-06-01 01:15 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2010-10-10 00:05 . 2007-06-01 01:15 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2010-10-10 00:05 . 2007-06-01 01:15 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-22 13684736]

"nwiz"="nwiz.exe" [2009-04-22 1657376]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]

"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-28 270648]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-22 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"Synapse URLSearchHook Configuration"="c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFld.dll" [2009-05-22 3016000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Ajay\Start Menu\Programs\Startup\

Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-3 110592]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-3 110592]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-6-3 1466384]

Citrix Access Gateway.lnk - c:\program files\Citrix\Secure Access Client\nsload.exe [2010-1-19 1483928]

Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]

NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-3 118784]

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Alcmtr"=ALCMTR.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Shareaza\\Shareaza.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=

"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Citrix\\Secure Access Client\\nsepa.exe"=

"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=

R2 cag;Citrix cag plugin for Access Gateway;c:\program files\Common Files\Deterministic Networks\Common files\cag.sys [10/22/2009 2:34 PM 80920]

R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [1/19/2010 4:56 AM 154264]

R2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe [5/21/2009 8:22 PM 167424]

R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [1/19/2010 4:58 AM 41624]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [7/12/2008 12:36 PM 24521]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [7/12/2008 12:36 PM 811008]

S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [7/12/2008 12:36 PM 155184]

S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]

S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [3/11/2008 6:02 PM 12288]

.

Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {9B5FB89F-1C09-4F9F-8651-A4648C5CD314} = 192.168.1.1

DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab

DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB

DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab

DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab

DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab

DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab

DPF: {9554D93D-C653-4AFD-854C-AF61F7BF7F42} - hxxp://immcsynapse.immc.advocatehealth.com/osd/synapseWorkstationInf.cab

DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab

DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab

DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab

DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://mskvpn.mskcc.org/dana-cached/sc/JuniperSetupClient.cab

DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} - hxxp://immcsynapse.immc.advocatehealth.com/osd/x86/win95/FujiInst.cab

DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab

FF - ProfilePath - c:\documents and settings\Ajay\Application Data\Mozilla\Firefox\Profiles\4rte8p2n.default\

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Jpecehoh - c:\windows\orekuzoxufap.dll

Notify-NavLogon - (no file)

AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Ajay\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-10 00:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-12-10 00:02:00

ComboFix-quarantined-files.txt 2010-12-10 06:01

Pre-Run: 54,003,245,056 bytes free

Post-Run: 54,263,848,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CDBDF27720F98767AFD5A19665672D93


Good! :)

How are things now?

Still no good. What did ComboFix do, and what did all these logs tell you? If I do a Google search, half of the websites I try to go to do not load. For example, if I try to go to amazon.com, newegg.com, cnet.com, or avg.com, the pages never load and eventually a "problem with connection" dialogue box comes up, but there is no problem with the connection. Even for pages that ultimately come up, it is painfully slow.

The problem I had before was redirecting. Now pages don't even load. Any advice?


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


My DNS server and IP address were on manual and not automatic, so I just changed these back to automatic, and that seems to have taken care of the problem of the websites not loading. Should I still run this tool? Thanks!


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

