Hi!

I've been infected with something that is redirecting the hyperlinks in our search engines. I have followed the instructions on your "what to do when I'm infected" page. I believe that the original infection was able to be removed by MBAM, but the redirecting continues. Any help you can offer would be great - thanks!

Here's the original MBAM log and the most recent one.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6299

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/7/2011 8:32:21 AM

mbam-log-2011-04-07 (08-32-21).txt

Scan type: Quick scan

Objects scanned: 221793

Time elapsed: 14 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 0

Registry Values Infected: 21

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 43

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\expahost.dll (Trojan.Agent.Gen) -> Delete on reboot.

c:\WINDOWS\ahacicoj.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvineg (IPH.Trojan.Hiloti.B) -> Value: Lvineg -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE (Malware.Gen) -> Value: CTNOTIFY.EXE -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disc Detector (Malware.Gen) -> Value: Disc Detector -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher (Malware.Gen) -> Value: Adobe Reader Speed Launcher -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe ARM (Malware.Gen) -> Value: Adobe ARM -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\REAL\REALPLAYER\UPDATE\REALSCHED.EXE (Malware.Gen) -> Value: REALSCHED.EXE -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TkBellExe (Malware.Gen) -> Value: TkBellExe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (Malware.Gen) -> Value: SunJavaUpdateSched -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickTime Task (Malware.Gen) -> Value: QuickTime Task -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper (Malware.Gen) -> Value: iTunesHelper -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cleanhdd (Malware.Gen) -> Value: cleanhdd -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor (Backdoor.Agent) -> Value: NVIDIA driver monitor -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\MicrosoftWindows (Trojan.Agent) -> Value: MicrosoftWindows -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\expahost.dll (Trojan.Agent.Gen) -> Delete on reboot.

c:\WINDOWS\ahacicoj.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.

c:\program files\Creative\ShareDLL\CtNotify.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\common files\Adobe\ARM\1.0\AdobeARM.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\real\realplayer\Update\realsched.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\common files\Java\java update\jusched.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\quicktime\QTTask.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\program files\iTunes\ituneshelper.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\application data\cleanhdd.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\application data\windows32.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\19455796.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\vmoqecwufx .exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\vmoqecwufx.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\SYSTEM32\expahost.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\7a.tmp.exe (Trojan.QHosts) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\7d.tmp.exe (Trojan.QHosts) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\bshn.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\hkstnd.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdk.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdl .exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdl .exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdl .exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdl .exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdl.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdm.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdn.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdo.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdp.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdq.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdr.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdt.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdu.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\local settings\Temp\Kdv.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\temp2019185512642122.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\WINDOWS\Kgejaa.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\ntraevi.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\WINDOWS\nvsvc32 .exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\WINDOWS\nvsvc32.exe (Malware.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\documents and settings\Aaron\application data\cleanhdd.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6299

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/9/2011 8:32:30 AM

mbam-log-2011-04-09 (08-32-30).txt

Scan type: Quick scan

Objects scanned: 223367

Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Mommy at 9:52:13.96 on Sat 04/09/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.201 [GMT -5:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Mommy\Local Settings\Temporary Internet Files\Content.IE5\NN5JZ13D\HiJackThis[1].exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Mommy\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.dellnet.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File

TB: {A3704FA3-DBF6-46B5-B95E-0677DFD39577} - No File

TB: {5A074B29-F830-49DE-A31B-5BB9D7F6B407} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uPolicies-explorer: <NO NAME> =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}

DPF: JT's Blocks - hxxp://download.games.yahoo.com/games/clients/y/blt1_x.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: Toki Toki Boom - hxxp://download.games.yahoo.com/games/clients/y/vto_x.cab

DPF: Yahoo! Chess - hxxp://download.games.yahoo.com/games/clients/y/ct2_x.cab

DPF: Yahoo! Gin - hxxp://download.games.yahoo.com/games/clients/y/nt1_x.cab

DPF: Yahoo! Pool 2 - hxxp://download.games.yahoo.com/games/clients/y/pote_x.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1298778219171

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} - hxxp://c.ancestry.com/MFInstall/MFInstall.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

TCP: {531789D3-E103-4B2C-80B3-D76844EF54D8} = 216.165.129.157,134.215.200.126

Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 209.172.52.65 www.google.com

Hosts: 209.172.52.66 search.yahoo.com

.

============= SERVICES / DRIVERS ===============

.

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 216400]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-25 29584]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-27 243024]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-11-8 308136]

S0 tmuyxp;tmuyxp;c:\windows\system32\drivers\aywiy.sys --> c:\windows\system32\drivers\aywiy.sys [?]

S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys --> c:\windows\system32\drivers\Bulk503.sys [?]

S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\iso503.sys --> c:\windows\system32\drivers\ISO503.SYS [?]

S3 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-29 24652]

.

=============== File Associations ===============

.

.reg=regedit

.

=============== Created Last 30 ================

.

2011-04-09 13:12:22 -------- d-----w- c:\program files\CCleaner

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\mommy\applic~1\SUPERAntiSpyware.com

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-08 18:17:43 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-07 01:10:59 -------- d-----w- c:\docume~1\mommy\locals~1\applic~1\{71078740-CEDC-4130-9508-FA335982D15E}

2011-04-07 00:53:29 0 ----a-w- c:\windows\Gkiqofusocacez.bin

2011-04-06 23:29:28 90112 --sha-r- c:\windows\system32\riched32U.dll

2011-04-05 23:09:10 28 ----a-w- c:\windows\p7346712213.exe

2011-04-05 02:25:54 28 ----a-w- c:\windows\p73467113.exe

2011-03-28 05:25:53 -------- d-----w- c:\program files\iPod

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-03-28 05:22:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-03-28 05:18:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-03-28 05:18:09 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-03-28 05:17:03 -------- d-----w- c:\program files\Bonjour

2011-03-21 03:42:54 -------- d-----w- c:\program files\common files\Software Update Utility

2011-03-15 13:20:00 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2011-03-12 17:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-03 03:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-03 01:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

============= FINISH: 9:54:18.04 ===============

Hi,

Here are fresh logs from the Malwarebytes scan and the DDS scan.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6362

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/14/2011 10:08:09 AM

mbam-log-2011-04-14 (10-08-09).txt

Scan type: Quick scan

Objects scanned: 228430

Time elapsed: 13 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Mommy at 10:09:39.90 on Thu 04/14/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.245 [GMT -5:00]

.

AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\devldr32.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe

C:\Documents and Settings\Mommy\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.dellnet.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File

TB: {A3704FA3-DBF6-46B5-B95E-0677DFD39577} - No File

TB: {5A074B29-F830-49DE-A31B-5BB9D7F6B407} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uPolicies-explorer: <NO NAME> =

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}

DPF: JT's Blocks - hxxp://download.games.yahoo.com/games/clients/y/blt1_x.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: Toki Toki Boom - hxxp://download.games.yahoo.com/games/clients/y/vto_x.cab

DPF: Yahoo! Chess - hxxp://download.games.yahoo.com/games/clients/y/ct2_x.cab

DPF: Yahoo! Gin - hxxp://download.games.yahoo.com/games/clients/y/nt1_x.cab

DPF: Yahoo! Pool 2 - hxxp://download.games.yahoo.com/games/clients/y/pote_x.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1298778219171

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} - hxxp://c.ancestry.com/MFInstall/MFInstall.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

TCP: {531789D3-E103-4B2C-80B3-D76844EF54D8} = 216.165.129.157,134.215.200.126

Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 209.172.52.65 www.google.com

Hosts: 209.172.52.66 search.yahoo.com

.

============= SERVICES / DRIVERS ===============

.

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-12 475736]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

S0 tmuyxp;tmuyxp;c:\windows\system32\drivers\aywiy.sys --> c:\windows\system32\drivers\aywiy.sys [?]

S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys --> c:\windows\system32\drivers\Bulk503.sys [?]

S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\iso503.sys --> c:\windows\system32\drivers\ISO503.SYS [?]

S3 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-29 24652]

.

=============== Created Last 30 ================

.

2011-04-12 12:56:03 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-04-12 12:56:03 115267 ----a-w- c:\windows\system32\drivers\klin.dat

2011-04-12 12:54:11 -------- d-----w- c:\program files\Kaspersky Lab

2011-04-12 12:54:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2011-04-12 12:46:38 -------- d--h--w- C:\kleaner.tmp

2011-04-12 12:24:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2011-04-09 13:12:22 -------- d-----w- c:\program files\CCleaner

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\mommy\applic~1\SUPERAntiSpyware.com

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-08 18:17:43 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-07 01:10:59 -------- d-----w- c:\docume~1\mommy\locals~1\applic~1\{71078740-CEDC-4130-9508-FA335982D15E}

2011-04-07 00:53:29 0 ----a-w- c:\windows\Gkiqofusocacez.bin

2011-04-06 23:29:28 90112 --sha-r- c:\windows\system32\riched32U.dll

2011-04-05 23:09:10 28 ----a-w- c:\windows\p7346712213.exe

2011-04-05 02:25:54 28 ----a-w- c:\windows\p73467113.exe

2011-03-28 05:25:53 -------- d-----w- c:\program files\iPod

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-03-28 05:22:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-03-28 05:18:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-03-28 05:18:09 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-03-28 05:17:03 -------- d-----w- c:\program files\Bonjour

2011-03-21 03:42:54 -------- d-----w- c:\program files\common files\Software Update Utility

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-03 03:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-03 01:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

============= FINISH: 10:14:47.34 ===============


Hi!

Here is the Combofix log, and a fresh DDS log.

ComboFix 11-04-14.03 - Mommy 04/15/2011 8:50.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.343 [GMT -5:00]

Running from: c:\documents and settings\Mommy\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Aaron\Local Settings\Application Data\{ED7F8F61-8649-473B-A997-4190BCA81413}

c:\documents and settings\Aaron\Local Settings\Application Data\{ED7F8F61-8649-473B-A997-4190BCA81413}\chrome.manifest

c:\documents and settings\Aaron\Local Settings\Application Data\{ED7F8F61-8649-473B-A997-4190BCA81413}\chrome\content\_cfg.js

c:\documents and settings\Aaron\Local Settings\Application Data\{ED7F8F61-8649-473B-A997-4190BCA81413}\chrome\content\overlay.xul

c:\documents and settings\Aaron\Local Settings\Application Data\{ED7F8F61-8649-473B-A997-4190BCA81413}\install.rdf

c:\documents and settings\Addie Jo\WINDOWS

c:\documents and settings\Daddy\WINDOWS

c:\documents and settings\Mommy\WINDOWS

C:\Install.exe

C:\t.txt

c:\windows\desktop

c:\windows\desktop\Instal~1.lnk

c:\windows\p73467113.exe

c:\windows\p7346712213.exe

c:\windows\system\oeminfo.ini

c:\windows\system32\rnaph.dll

F:\Autorun.inf

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Parameters

.

.

((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))

.

.

2011-04-12 12:56 . 2011-04-12 13:53 115267 ----a-w- c:\windows\system32\drivers\klin.dat

2011-04-12 12:56 . 2011-04-12 13:53 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-04-12 12:54 . 2011-04-15 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2011-04-12 12:54 . 2011-04-12 12:54 -------- d-----w- c:\program files\Kaspersky Lab

2011-04-12 12:46 . 2011-04-12 12:46 -------- d-----w- C:\kleaner.tmp

2011-04-12 12:24 . 2011-04-12 12:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2011-04-09 13:12 . 2011-04-09 13:12 -------- d-----w- c:\program files\CCleaner

2011-04-08 18:18 . 2011-04-08 18:18 -------- d-----w- c:\documents and settings\Mommy\Application Data\SUPERAntiSpyware.com

2011-04-08 18:18 . 2011-04-08 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-04-08 18:17 . 2011-04-08 18:18 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-07 01:10 . 2011-04-07 01:10 -------- d-----w- c:\documents and settings\Mommy\Local Settings\Application Data\{71078740-CEDC-4130-9508-FA335982D15E}

2011-04-07 00:53 . 2011-04-07 12:04 0 ----a-w- c:\windows\Gkiqofusocacez.bin

2011-04-07 00:04 . 2011-04-09 05:04 -------- d--h--w- c:\documents and settings\Aaron\Application Data\Yhbu

2011-04-07 00:04 . 2011-04-07 00:10 -------- d--h--w- c:\documents and settings\Aaron\Application Data\Ymqi

2011-04-06 23:29 . 2011-04-06 23:29 90112 --sha-r- c:\windows\system32\riched32U.dll

2011-03-31 16:50 . 2011-03-31 16:50 -------- d--h--w- c:\documents and settings\Aaron\Application Data\IObit

2011-03-31 16:27 . 2011-03-31 16:27 -------- d-----w- c:\documents and settings\Addie Jo\Application Data\IObit

2011-03-21 03:42 . 2011-03-21 03:42 -------- d-----w- c:\program files\Common Files\Software Update Utility

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2003-03-20 05:53 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-03-20 05:48 186880 ------w- c:\windows\system32\encdec.dll

2011-02-03 03:40 . 2010-07-26 00:22 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-03 01:19 . 2008-02-02 17:06 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58 . 2003-03-20 05:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2003-03-20 05:35 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2003-03-20 06:17 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Creative\ShareDLL\CtNotify .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\real\realplayer\Update\realsched .exe
c:\windows\SYSTEM32\rundll32 .exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-11-03 365336]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]

.

c:\documents and settings\Daddy\Start Menu\Programs\Startup\

numlock.vbs [2006-2-4 75]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\startupfolder\C:^Documents and Settings^Mommy^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

path=c:\documents and settings\Mommy\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]

c:\progra~1\AVG\AVG9\avgtray.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

c:\program files\QuickTime\qttask.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-06-21 22:24 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"Viewpoint Manager Service"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"ose"=3 (0x3)

"nmservice"=2 (0x2)

"LinksysUpdater"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"idsvc"=3 (0x3)

"gusvc"=2 (0x2)

"FreeAgentGoNext Service"=2 (0x2)

"Creative Service for CDROM Access"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\juno\\bin\\juno.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Documents and Settings\\Daddy\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

"c:\\Documents and Settings\\Daddy\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Program Files\\Mozilla Sunbird\\sunbird.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

.

R1 kl2;kl2;c:\windows\SYSTEM32\DRIVERS\kl2.sys [6/9/2010 4:43 PM 11352]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [5/7/2010 11:06 AM 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\SYSTEM32\DRIVERS\klmouflt.sys [11/2/2009 7:27 PM 19472]

S0 tmuyxp;tmuyxp;c:\windows\system32\drivers\aywiy.sys --> c:\windows\system32\drivers\aywiy.sys [?]

S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\Drivers\Bulk503.sys --> c:\windows\system32\Drivers\Bulk503.sys [?]

S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\Drivers\ISO503.SYS --> c:\windows\system32\Drivers\ISO503.SYS [?]

S3 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 2:43 PM 204800]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/29/2009 2:55 PM 24652]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-04-15 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 22:22]

.

2011-04-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-516116760-3508293876-2501954535-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-516116760-3508293876-2501954535-1007.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-516116760-3508293876-2501954535-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-516116760-3508293876-2501954535-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-516116760-3508293876-2501954535-1013.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-516116760-3508293876-2501954535-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-516116760-3508293876-2501954535-1007.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-516116760-3508293876-2501954535-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-516116760-3508293876-2501954535-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-516116760-3508293876-2501954535-1013.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-04-15 c:\windows\Tasks\User_Feed_Synchronization-{8479C25A-BA42-4C5F-BB6F-46F4E1C6F31B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

2011-01-02 c:\windows\Tasks\wavepadShakeIcon.job

- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-09-11 14:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

TCP: {531789D3-E103-4B2C-80B3-D76844EF54D8} = 216.165.129.157,134.215.200.126

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} - hxxp://c.ancestry.com/MFInstall/MFInstall.cab

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Creative News - c:\program files\Creative\News\CTNews.isu

AddRemove-HijackThis - c:\documents and settings\Mommy\Local Settings\Temporary Internet Files\Content.IE5\NN5JZ13D\HijackThis.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-15 09:29

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,69,3d,80,b2,be,8e,44,8a,06,c6,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,69,3d,80,b2,be,8e,44,8a,06,c6,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(808)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(3148)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\System32\MsPMSPSv.exe

c:\windows\system32\devldr32.exe

.

**************************************************************************

.

Completion time: 2011-04-15 09:45:43 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-15 14:45

.

Pre-Run: 250,920,960 bytes free

Post-Run: 1,173,733,376 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 686EE8C0D75A474DA64E501A027B8448

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Mommy at 14:12:16.75 on Fri 04/15/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.275 [GMT -5:00]

.

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Documents and Settings\Mommy\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File

TB: {A3704FA3-DBF6-46B5-B95E-0677DFD39577} - No File

TB: {5A074B29-F830-49DE-A31B-5BB9D7F6B407} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uPolicies-explorer: <NO NAME> =

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}

DPF: JT's Blocks - hxxp://download.games.yahoo.com/games/clients/y/blt1_x.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: Toki Toki Boom - hxxp://download.games.yahoo.com/games/clients/y/vto_x.cab

DPF: Yahoo! Chess - hxxp://download.games.yahoo.com/games/clients/y/ct2_x.cab

DPF: Yahoo! Gin - hxxp://download.games.yahoo.com/games/clients/y/nt1_x.cab

DPF: Yahoo! Pool 2 - hxxp://download.games.yahoo.com/games/clients/y/pote_x.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1298778219171

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} - hxxp://c.ancestry.com/MFInstall/MFInstall.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

TCP: {531789D3-E103-4B2C-80B3-D76844EF54D8} = 216.165.129.157,134.215.200.126

Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: klogon - c:\windows\system32\klogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-12 475736]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

S0 tmuyxp;tmuyxp;c:\windows\system32\drivers\aywiy.sys --> c:\windows\system32\drivers\aywiy.sys [?]

S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys --> c:\windows\system32\drivers\Bulk503.sys [?]

S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\iso503.sys --> c:\windows\system32\drivers\ISO503.SYS [?]

S3 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-29 24652]

.

=============== Created Last 30 ================

.

2011-04-15 13:46:46 -------- d-sha-r- C:\cmdcons

2011-04-15 13:06:22 98816 ----a-w- c:\windows\sed.exe

2011-04-15 13:06:22 89088 ----a-w- c:\windows\MBR.exe

2011-04-15 13:06:22 256512 ----a-w- c:\windows\PEV.exe

2011-04-15 13:06:22 161792 ----a-w- c:\windows\SWREG.exe

2011-04-12 12:56:03 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-04-12 12:56:03 115267 ----a-w- c:\windows\system32\drivers\klin.dat

2011-04-12 12:54:11 -------- d-----w- c:\program files\Kaspersky Lab

2011-04-12 12:54:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2011-04-12 12:46:38 -------- d-----w- C:\kleaner.tmp

2011-04-12 12:24:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2011-04-09 13:12:22 -------- d-----w- c:\program files\CCleaner

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\mommy\applic~1\SUPERAntiSpyware.com

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-08 18:17:43 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-07 01:10:59 -------- d-----w- c:\docume~1\mommy\locals~1\applic~1\{71078740-CEDC-4130-9508-FA335982D15E}

2011-04-07 00:53:29 0 ----a-w- c:\windows\Gkiqofusocacez.bin

2011-04-06 23:29:28 90112 --sha-r- c:\windows\system32\riched32U.dll

2011-03-28 05:25:53 -------- d-----w- c:\program files\iPod

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-03-28 05:22:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-03-28 05:18:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-03-28 05:18:09 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-03-28 05:17:03 -------- d-----w- c:\program files\Bonjour

2011-03-21 03:42:54 -------- d-----w- c:\program files\common files\Software Update Utility

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-03 03:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-03 01:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

============= FINISH: 14:14:20.62 ===============


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Are you familiar with the following file? If not, please zip up this file and attach it in your reply:

c:\documents and settings\Daddy\Start Menu\Programs\Startup\numlock.vbs

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Driver::
tmuyxp
KILLALL::
File::
c:\windows\system32\drivers\aywiy.sys
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Creative\ShareDLL\CtNotify .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\real\realplayer\Update\realsched .exe
c:\windows\SYSTEM32\rundll32 .exe
DDS::
TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File
TB: {A3704FA3-DBF6-46B5-B95E-0677DFD39577} - No File
TB: {5A074B29-F830-49DE-A31B-5BB9D7F6B407} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317


Hi!

Here are the logs for MBAM, Combofix, and DDS. The "Numlock" script I think is something that I did years ago as the only way I could find to get the numbers lock to come on by default on boot up. We could make that go away without sadness if we needed to. I've zipped it and attached it for you to look at.

Thanks for your help!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6399

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/19/2011 10:04:53 AM

mbam-log-2011-04-19 (10-04-53).txt

Scan type: Quick scan

Objects scanned: 226118

Time elapsed: 14 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 11-04-19.01 - Mommy 04/19/2011 14:50:31.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.293 [GMT -5:00]

Running from: C:\Documents and Settings\Mommy\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mommy\Desktop\CFScript.txt

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::

"c:\windows\system32\drivers\aywiy.sys"

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Mommy at 15:46:42.90 on Tue 04/19/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.205 [GMT -5:00]

.

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe

C:\Documents and Settings\Mommy\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

mRun: [combofix] c:\combofix\cf30719.cfxxe /c c:\combofix\Combobatch.bat

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uPolicies-explorer: <NO NAME> =

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}

DPF: JT's Blocks - hxxp://download.games.yahoo.com/games/clients/y/blt1_x.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: Toki Toki Boom - hxxp://download.games.yahoo.com/games/clients/y/vto_x.cab

DPF: Yahoo! Chess - hxxp://download.games.yahoo.com/games/clients/y/ct2_x.cab

DPF: Yahoo! Gin - hxxp://download.games.yahoo.com/games/clients/y/nt1_x.cab

DPF: Yahoo! Pool 2 - hxxp://download.games.yahoo.com/games/clients/y/pote_x.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1298778219171

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} - hxxp://c.ancestry.com/MFInstall/MFInstall.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

TCP: {531789D3-E103-4B2C-80B3-D76844EF54D8} = 216.165.129.157,134.215.200.126

Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: klogon - c:\windows\system32\klogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-12 475736]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\drivers\bulk503.sys --> c:\windows\system32\drivers\Bulk503.sys [?]

S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\drivers\iso503.sys --> c:\windows\system32\drivers\ISO503.SYS [?]

.

=============== Created Last 30 ================

.

2011-04-19 19:42:58 -------- d-s---w- C:\ComboFix

2011-04-15 13:46:46 -------- d-sha-r- C:\cmdcons

2011-04-15 13:06:22 98816 ----a-w- c:\windows\sed.exe

2011-04-15 13:06:22 89088 ----a-w- c:\windows\MBR.exe

2011-04-15 13:06:22 256512 ----a-w- c:\windows\PEV.exe

2011-04-15 13:06:22 161792 ----a-w- c:\windows\SWREG.exe

2011-04-12 12:56:03 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-04-12 12:56:03 115267 ----a-w- c:\windows\system32\drivers\klin.dat

2011-04-12 12:54:11 -------- d-----w- c:\program files\Kaspersky Lab

2011-04-12 12:54:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2011-04-12 12:46:38 -------- d-----w- C:\kleaner.tmp

2011-04-12 12:24:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2011-04-09 13:12:22 -------- d-----w- c:\program files\CCleaner

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\mommy\applic~1\SUPERAntiSpyware.com

2011-04-08 18:18:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-08 18:17:43 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-07 01:10:59 -------- d-----w- c:\docume~1\mommy\locals~1\applic~1\{71078740-CEDC-4130-9508-FA335982D15E}

2011-04-07 00:53:29 0 ----a-w- c:\windows\Gkiqofusocacez.bin

2011-04-06 23:29:28 90112 --sha-r- c:\windows\system32\riched32U.dll

2011-03-28 05:25:53 -------- d-----w- c:\program files\iPod

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-03-28 05:22:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-03-28 05:18:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-03-28 05:18:09 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-03-28 05:17:03 -------- d-----w- c:\program files\Bonjour

2011-03-21 03:42:54 -------- d-----w- c:\program files\common files\Software Update Utility

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-03 03:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-03 01:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

============= FINISH: 15:56:29.40 ===============

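The DDS "Created Last 30" and "Find3M" sections posted above are the rows a helper scans by eye for files that look out of place. As an added example (not part of this thread, and not code from DDS, ComboFix or Malwarebytes), the Python below parses rows in that format and flags a few patterns worth a second look: system+hidden regular files under c:\windows, zero-byte files under c:\windows, and items in a per-user Startup folder. The sample rows are copied from the log in this thread; the meaning assigned to the attribute letters (d = directory, s = system, h = hidden, a = archive, r/w = read-only/writable) is inferred from the rows shown here, not taken from DDS documentation, and other flag positions are left uninterpreted. A flag from this script is a triage hint, not a verdict.

```python
"""Triage helper for DDS 'Created Last 30' / 'Find3M' rows (added example).

Row format, as seen in the log above:
    2011-04-06 23:29:28 90112 --sha-r- c:\\windows\\system32\\riched32U.dll
i.e. date, time, size (dashes for a directory), an 8-character attribute
field, and the path. Flag positions below are inferred from this thread's
rows (assumption, not DDS documentation):
    [0] 'd' directory   [2] 's' system   [3] 'h' hidden
    [4] 'a' archive     [6] 'r' read-only / 'w' writable
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ROW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Constructed sample: rows copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
2011-04-15 13:46:46 -------- d-sha-r- C:\cmdcons
2011-04-15 13:06:22 98816 ----a-w- c:\windows\sed.exe
2011-04-07 00:53:29 0 ----a-w- c:\windows\Gkiqofusocacez.bin
2011-04-06 23:29:28 90112 --sha-r- c:\windows\system32\riched32U.dll
2011-03-28 05:22:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-03-28 05:18:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-03-21 03:42:54 -------- d-----w- c:\program files\common files\Software Update Utility
"""


@dataclass
class DdsEntry:
    date: str
    size: Optional[int]      # None for directories (size column is dashes)
    is_dir: bool
    system: bool
    hidden: bool
    archive: bool
    read_only: bool
    path: str


def parse_row(line: str) -> Optional[DdsEntry]:
    """Parse one DDS row; return None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    attrs = m["attrs"]
    size = None if m["size"].startswith("-") else int(m["size"])
    return DdsEntry(
        date=m["date"],
        size=size,
        is_dir=attrs[0] == "d",
        system=attrs[2] == "s",
        hidden=attrs[3] == "h",
        archive=attrs[4] == "a",
        read_only=attrs[6] == "r",
        path=m["path"],
    )


def triage(entry: DdsEntry) -> List[str]:
    """Return the reasons an entry deserves review (empty list if none)."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons                      # directory rows are not scored here
    p = entry.path.lower()
    in_windows = p.startswith("c:\\windows\\")
    if in_windows and entry.system and entry.hidden:
        reasons.append("system+hidden file under c:\\windows")
    if in_windows and entry.size == 0:
        reasons.append("zero-byte file under c:\\windows")
    if "\\start menu\\programs\\startup\\" in p:
        reasons.append("per-user Startup folder item")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Parse every recognisable row; map flagged paths to their reasons."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_row(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run as-is it reports the two rows from the sample (the zero-byte .bin in c:\windows and the system+hidden DLL in system32); feed it a full DDS log on stdin-free input by replacing SAMPLE_LOG with the file contents.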

  • Staff

Hi,

Did ComboFix finish? Restart your computer and post the contents of this file:

C:\ComboFix.txt

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan and wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi!

Sorry I forgot the combofix log last time. To all appearances, the computer is running normally now. The search engine redirecting is no longer an issue. I believe that following your instructions from April 18 repaired the problem.

Here is the Combofix log, the ESET log (I stopped the scan when it had finished the C drive and was scanning our external hard drive), and the Security Check log.

ComboFix 11-04-19.01 - Mommy 04/19/2011 14:50:31.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.293 [GMT -5:00]

Running from: C:\Documents and Settings\Mommy\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mommy\Desktop\CFScript.txt

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::

"c:\windows\system32\drivers\aywiy.sys"

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=b68366a584690740b059fc23aad7324d

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-04-23 04:16:49

# local_time=2011-04-23 11:16:49 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1026 16777214 0 2 44518926 44518926 0 0

# compatibility_mode=1280 16777175 100 0 30771 30771 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=109527

# found=0

# cleaned=0

# scan_time=10190

Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Kaspersky Internet Security 2011

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java DB 10.5.3.0

Java 6 Update 24

Java 6 Update 3

Java SE Development Kit 6 Update 23

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.4.3

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Kaspersky Lab Kaspersky Internet Security 2011 avp.exe

Kaspersky Lab Kaspersky Internet Security 2011 klwtblfs.exe

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java DB 10.5.3.0

Java


  • Staff

Hi,

Glad to hear it. :)

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317
