Author Topic: Yoog, Pop-ups, Desktop disappears, Help! (Read 1264 times)

viejo1221 · « **on:** December 30, 2008, 01:42:02 PM »

Trying to fix my parents computer and after some searching I think I found the right place for some help. The McAfee AV software has expired, currently unprotected. Desktop disappears every few seconds and roughly every minute I get a pop-up on Firefox immediately followed by a pop-up in IE. That's when I saw that Yoog Search was default search. Please help!! Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:02 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\GetModule\GetModule32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\RAFAEL\Application Data\gadcom\gadcom.exe
C:\Program Files\GetPack\GetPack26.exe
C:\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\RAFAEL\Application Data\Microsoft\Windows\ekqiy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wgzfvlpphmf] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\lilivkgfkkiteiow.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [GetModule32] C:\Program Files\GetModule\GetModule32.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\RAFAEL\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [GetPack26] "C:\Program Files\GetPack\GetPack26.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\RAFAEL\Application Data\Microsoft\Windows\ekqiy.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.Email Removed.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169088687625
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE05334-D18B-49FE-9B39-E23C686A2C09}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9975 bytes

guestolo · « **Reply #1 on:** December 30, 2008, 01:45:07 PM »

I'm just on my way out the door, and most likely won't be back on till tomorrow
In the meantime, can you try the following please

Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus, AntiSpyware and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool[/color]

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

viejo1221 · « **Reply #2 on:** December 30, 2008, 02:18:35 PM »

Combofix log attached. So far desktop has not disappeared. Looking forward to getting rid of this stuff. Yoog Search still remains.
ComboFix 08-12-29.02 - RAFAEL 2008-12-30 13:07:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.648 [GMT -6:00]
Running from: c:\documents and settings\RAFAEL\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\RAFAEL\Application Data\gadcom
c:\documents and settings\RAFAEL\Application Data\gadcom\gadcom.exe
c:\documents and settings\RAFAEL\Application Data\GetModule
c:\documents and settings\RAFAEL\Application Data\GetModule\dicik.gz
c:\documents and settings\RAFAEL\Application Data\GetModule\kwdik.gz
c:\documents and settings\RAFAEL\Application Data\GetModule\ofadik.gz
c:\documents and settings\RAFAEL\Application Data\SpeedRunner
c:\documents and settings\RAFAEL\Application Data\SpeedRunner\config.cfg
c:\documents and settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe
c:\documents and settings\RAFAEL\Application Data\SpeedRunner\SRUninstall.exe
c:\documents and settings\RAFAEL\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\RAFAEL\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\RAFAEL\nah_log.dat
c:\program files\GetModule
c:\program files\GetModule\GetModule32.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack26.exe
c:\program files\GetPack\trgtame.gz
c:\program files\GrandPack
c:\program files\GrandPack\GrandPack2.dll
c:\program files\GrandPack\qdrloader.exe
c:\program files\GrandPack\Uninstall.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
c:\windows\system32\~.exe
c:\windows\system32\AdNpoUtv.ini
c:\windows\system32\AdNpoUtv.ini2
c:\windows\system32\bszip.dll
c:\windows\system32\cbXOHBrS.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\CPV.stt
c:\windows\system32\cont_globaladsolution-remove.exe
c:\windows\system32\lilivkgfkkiteiow.dll
c:\windows\system32\TDSSgqrr.log
c:\windows\system32\TDSSwryg.dat
c:\windows\system32\vtUopNdA.dll
c:\windows\system32\wpv401229907443.cpx
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
[color=\"RED\"] c:\windows\system32\winlogon.exe . . . is infected!![/color]

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-30 12:23 . 2008-12-30 12:23   <DIR>   d--------   c:\program files\Trend Micro
2008-12-29 09:14 . 2008-12-29 09:14   <DIR>   d--------   c:\program files\Webtools
2008-12-29 09:09 . 2008-12-29 09:09   47,593   --a------   c:\windows\system32\kfoirmjtzvrq.exe
2008-12-28 01:04 . 2008-12-28 01:04   45,056   --a------   c:\windows\system32\tuvvWnLe.dll
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\UltraISO
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\Common Files\EZB Systems
2008-12-17 20:27 . 2008-12-17 20:27   23,600   --a------   c:\windows\system32\drivers\TVICHW32.SYS
2008-12-17 20:18 . 2008-12-17 20:18   0   --a------   c:\windows\ativpsrm.bin
2008-12-17 14:38 . 2008-12-17 22:04   522   --a------   C:\GSMRIAutomation.cfg
2008-12-17 05:48 . 2008-12-17 16:27   <DIR>   d--h-----   C:\MRI_PE_TEMP
2008-12-16 03:13 . 2008-12-17 05:48   <DIR>   d--hs----   C:\$RECYCLE.BIN
2008-12-16 02:41 . 2008-12-16 02:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Geek Squad
2008-12-02 10:43 . 2008-12-02 10:43   668,160   --a------   c:\windows\system32\nse10.dll
2008-11-28 14:37 . 2008-11-28 14:37   <DIR>   d--------   c:\program files\iTunes
2008-11-28 14:37 . 2008-11-28 14:37   <DIR>   d--------   c:\program files\iPod
2008-11-28 14:37 . 2008-11-28 14:37   <DIR>   d--------   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 14:36 . 2008-11-28 14:36   <DIR>   d--------   c:\program files\QuickTime
2008-11-17 18:58 . 2008-11-17 18:58   <DIR>   d--------   c:\program files\CCleaner
2008-11-17 18:48 . 2008-11-17 19:25   <DIR>   d--------   c:\documents and settings\RAFAEL\Application Data\ntr
2008-11-16 18:15 . 2004-08-04 04:00   221,184   --a------   c:\windows\system32\wmpns.dll
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\system32\scripting
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\system32\en
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\system32\bits
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\l2schemas
2008-11-16 17:52 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\ServicePackFiles
2008-11-12 05:28 . 2008-10-24 05:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 10:30 . 2008-11-04 10:30   90,112   --a------   c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30   57,344   --a------   c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee.com
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee
2008-12-30 19:02   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee
2008-12-28 07:01   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\Skype
2008-12-28 06:05   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\skypePM
2008-12-18 02:07   ---------   d-----w   c:\program files\Google
2008-12-18 02:03   ---------   d-----w   c:\documents and settings\All Users\Application Data\Visual Networks
2008-12-18 01:48   ---------   d-----w   c:\program files\Yahoo!
2008-12-18 01:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-28 20:35   ---------   d-----w   c:\program files\Common Files\Apple
2008-11-26 01:28   ---------   d-----w   c:\program files\Common Files\AnswerWorks 4.0
2008-11-23 20:46   ---------   d-----w   c:\documents and settings\LocalService\Application Data\SACore
2008-11-18 00:58   ---------   d-----w   c:\program files\Common Files\Scanner
2008-11-15 15:03   36,624   ------w   c:\windows\system32\drivers\pxhelp20.sys
2008-04-01 01:24   32   ----a-w   c:\documents and settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2004-08-04 04:00 295424 b60c877d16d9c880b952fda04adf16e6   c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f   c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-27 12:31 295424 63999d0abd8dabfd76a9c07f6e104868   c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{998596b5-8c62-9857-df3b-7af18486ff59}]
2008-12-02 10:43   668160   --a------   c:\windows\system32\nse10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-09-06 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2006-09-26 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-20 185896]
"CTHelper"="CTHELPER.EXE" [2004-03-10 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-02-28 16:15 503808 c:\program files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2008-03-31 225632]
R3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2008-03-31 6912]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\RAFAEL\LOCALS~1\Temp\kwwalpgr.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-30 c:\windows\Tasks\mvlzkmnr.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{24710402-7CAA-7B69-B6B8-283EAA963B84} - c:\windows\system32\lilivkgfkkiteiow.dll
BHO-{AD36848B-D019-49BB-9FAC-F545C5E513B8} - c:\windows\system32\vtUopNdA.dll
HKCU-Run-GetModule32 - c:\program files\GetModule\GetModule32.exe
HKCU-Run-GetPack26 - c:\program files\GetPack\GetPack26.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://att.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {EDE05334-D18B-49FE-9B39-E23C686A2C09} = 4.2.2.1,4.2.2.2

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll

[color=\"red\"]ATTENTION: FIREFOX POLICES IS IN FORCE [/color]
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 13:10:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-30 13:12:07 - machine was rebooted [RAFAEL]
ComboFix-quarantined-files.txt 2008-12-30 19:12:04

Pre-Run: 228,153,479,168 bytes free
Post-Run: 228,035,391,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

263   --- E O F ---   2008-12-11 11:26:06

guestolo · « **Reply #3 on:** December 31, 2008, 04:27:07 AM »

Is there a reason you uploaded the combofix log, instead of just posting it in a reply box back here?

Hard to keep track of everything in an uploaded response, but, let's carry on

Please do the following
download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Can you also post another fresh Hijackthis log with that log

viejo1221 · « **Reply #4 on:** December 31, 2008, 11:09:48 AM »

Sorry about that, I misunderstood. Here's the MBAM and HiJackThis Logs

Malwarebytes' Anti-Malware 1.31
Database version: 1582
Windows 5.1.2600 Service Pack 3

12/31/2008 9:56:31 AM
mbam-log-2008-12-31 (09-56-31).txt

Scan type: Quick Scan
Objects scanned: 54552
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{998596b5-8c62-9857-df3b-7af18486ff59} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{998596b5-8c62-9857-df3b-7af18486ff59} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\RAFAEL\Application Data\Microsoft\Windows\ekqiy.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvvWnLe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nse10.dll (Adware.BHO) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:15 AM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.Email Removed.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169088687625
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE05334-D18B-49FE-9B39-E23C686A2C09}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6360 bytes

guestolo · « **Reply #5 on:** January 01, 2009, 02:39:40 PM »

Sorry for the delay, it's a busy time of the year
Can you still do the following
Print these next set of Instructions, or save them to a text file on desktop
I'll need you to keep your browser windows closed for some of this

Do a System Scan Only with Hijackthis and put a tick next to the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - MRI_DISABLED - (no file)
Close down all other open windows
Including this one
Then click on FIX CHECKED
OK any prompts then exit Hijackthis

Return here in Firefox and follow the next set of instructions:
Open IE7>beside the Address bar, is a Search bar
To the right of the search bar is a magnifying glass and a drop down arrow
Left click the drop down arrow
and select>>"Change Search Defaults"
If you see "Yoog Search" in the list
Highlight it and Remove it
Then highlight Google (or another search provider) and set to Default
Close IE7 and don't reopen

In Firefox:
Beside the address bar is the Search engine bar
Can you use the drop down arrow beside the search box, >>Select "Manage Search Engines"
If YOOG is listed, can you highlight it and remove it
Then Highlight Google and Hit OK

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]
KillAll::
Driver::
kwwalpgr
File::
c:\windows\Tasks\mvlzkmnr.job
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
c:\windows\system32\kfoirmjtzvrq.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000

[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..

Can I again see that log in a bit, but for now, leave All browser windows closed
Set Windows is to show hidden files/folders
In MyComputer select TOOLS>>FOLDER OPTIONS>>VIEW
Select the Radio button to Show hidden files/folders
Apply and OK it

Navigate to the following folder
cc:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
In that folder right click on prefs.js and select EDIT

Delete the 2 lines referring to the following

===================================================
user_pref("browser.search.selectedEngine", "Yoog Search");
user_pref("keyword.URL", "http://www2.yoog.com/search.php?q=");
======================================================
Don't leave spacings
Close prefs.js and save the changes when prompted
remain in the sicg66af.default\ folder
Right click on user.js

Delete the lines referring to the following
========================================
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
=========================================

Since it appears you uninstalled all of McAfee, you can also delete the next line
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

Close user.js and save changes when prompted

Post the log from ComboFix please

In addition, can you also post the following

Run HijackThis
Open "Misc Tools section"
Open "Uninstall Manager"
Click the Save list button, save a list to desktop then copy/paste back here the contents please

One final step
Go to the following link
http://billsway.com/vbspage/
Scroll down to "Find File Information"
Use the download link to the right and save the Zip file to desktop
UNZIP the contents to your desktop
Double click on and run FileInfo.vbs
In the first box, input the Asterik sign to search all drives (Shift +

keys
In the next windows
type in winlogon

Let it search for the file, a text file will open, can you also copy/paste back here the whole contents

viejo1221 · « **Reply #6 on:** January 01, 2009, 08:06:22 PM »

Happy New Year. Thanks for your help guestolo. Here's what you asked for...

ComboFix 08-12-31.01 - RAFAEL 2009-01-01 18:46:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.616 [GMT -6:00]
Running from: c:\documents and settings\RAFAEL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RAFAEL\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
c:\windows\system32\kfoirmjtzvrq.exe
c:\windows\Tasks\mvlzkmnr.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\kfoirmjtzvrq.exe
c:\windows\Tasks\mvlzkmnr.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KWWALPGR
-------\Service_kwwalpgr

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2008-12-31 09:52 . 2008-12-31 09:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 09:52 . 2008-12-31 09:52 <DIR> d-------- c:\documents and settings\RAFAEL\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-31 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 09:52 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 20:20 . 2008-12-30 20:20 726,008 --a------ c:\documents and settings\RAFAEL\gotomypc_437.exe
2008-12-30 12:23 . 2008-12-30 12:23 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 21:20 . 2008-12-17 21:20 <DIR> d-------- c:\program files\UltraISO
2008-12-17 21:20 . 2008-12-17 21:20 <DIR> d-------- c:\program files\Common Files\EZB Systems
2008-12-17 20:27 . 2008-12-17 20:27 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS
2008-12-17 20:18 . 2008-12-17 20:18 0 --a------ c:\windows\ativpsrm.bin
2008-12-17 14:38 . 2008-12-17 22:04 522 --a------ C:\GSMRIAutomation.cfg
2008-12-17 05:48 . 2008-12-17 16:27 <DIR> d--h----- C:\MRI_PE_TEMP
2008-12-16 03:13 . 2008-12-17 05:48 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-12-16 02:41 . 2008-12-16 02:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Geek Squad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 02:49 --------- d-----w c:\documents and settings\RAFAEL\Application Data\Skype
2009-01-01 00:47 --------- d-----w c:\documents and settings\RAFAEL\Application Data\skypePM
2008-12-30 19:02 --------- d-----w c:\program files\McAfee.com
2008-12-30 19:02 --------- d-----w c:\program files\McAfee
2008-12-30 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-18 02:07 --------- d-----w c:\program files\Google
2008-12-18 02:03 --------- d-----w c:\documents and settings\All Users\Application Data\Visual Networks
2008-12-18 01:48 --------- d-----w c:\program files\Yahoo!
2008-12-18 01:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 20:37 --------- d-----w c:\program files\iTunes
2008-11-28 20:37 --------- d-----w c:\program files\iPod
2008-11-28 20:37 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 20:36 --------- d-----w c:\program files\QuickTime
2008-11-28 20:35 --------- d-----w c:\program files\Common Files\Apple
2008-11-26 01:28 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2008-11-23 20:46 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-18 01:25 --------- d-----w c:\documents and settings\RAFAEL\Application Data\ntr
2008-11-18 00:58 --------- d-----w c:\program files\Common Files\Scanner
2008-11-18 00:58 --------- d-----w c:\program files\CCleaner
2008-11-15 15:03 36,624 ------w c:\windows\system32\drivers\pxhelp20.sys
2008-04-01 01:24 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_13.11.44.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 18:00:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 20:00:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 18:00:09 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-17 00:13:38 149,200 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-31 15:40:29 149,200 ----a-w c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2006-09-26 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"CTHelper"="CTHELPER.EXE" [2004-03-10 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-02-28 16:15 503808 c:\program files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2008-03-31 225632]
R3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2008-03-31 6912]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {EDE05334-D18B-49FE-9B39-E23C686A2C09} = 4.2.2.1,4.2.2.2

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll

[color=\"red\"]ATTENTION: FIREFOX POLICES IS IN FORCE [/color]
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 18:49:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*_ Â|Â·*NULL*]
@Owner=S-1-5-21-1482476501-1604221776-725345543-1003
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.162.0.0"
"DeviceInstanceIds"=multi:"c:\\dell\\drivers\\r106409\\driver\\2kxp_inf\\cx_25672.inf\00"

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState]
@Owner=Administrator
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState\STSysTray]
@Owner=Administrator
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-01 18:50:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 00:50:45
ComboFix2.txt 2008-12-30 19:12:08

Pre-Run: 228,006,293,504 bytes free
Post-Run: 227,993,227,264 bytes free

223 --- E O F --- 2008-12-11 11:26:06

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Advanced Video FX Engine
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Bonjour
CCleaner (remove only)
Creative Live! Cam Center
Creative Live! Cam Manager
Creative Live! Cam Optia Driver (1.01.02.00)
Creative Live! Cam Optia User's Guide (English)
Creative MediaSource
Creative Photo Calendar
Creative Photo Manager
Creative Software AutoUpdate
Creative System Information
Dell Resource CD
DellConnect
DriverAgent by eSupport.com
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
IKEA HomePlanner Kitchen
Intel® 537EP V9x DF PCI Modem
Intel® PRO Network Connections Drivers
iTunes
Java(tm) 6 Update 6
Malwarebytes' Anti-Malware
McAfee Uninstaller
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.1
Nero Suite
OCR Software by I.R.I.S 7.0
OpenOffice.org Installer 1.0
Orb
Picasa 2
PowerDVD 5.5
QuickBooks Pro 2006
QuickTime
RealPlayer
Rhapsody Player Engine
Rhapsody Player Engine
RON Tool Globaladsolution
Safari
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows XP (KB923789)
SightSpeed (remove only)
SigmaTel Audio
Skypeâ„¢ 3.6
Sound Blaster Audigy 2 ZS
UltraISO V7.65 SR-2
URGE
WD Diagnostics
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinZip 11.2

c:\windows\$ntservicepackuninstall$\winlogon.exe
Version: 5.1.2600.2180
Created: 11/16/2008 5:42:49 PM
Modified: 8/4/2004 4:00:00 AM
Size: 502,272 bytes
Attributes: Compressed

c:\windows\servicepackfiles\i386\winlogon.exe
Version: 5.1.2600.5512
Created: 9/24/2008 4:59:57 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
c:\windows\system32\dllcache\winlogon.exe
Version: 5.1.2600.5512
Created: 9/24/2008 4:59:57 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
Attributes: Archive Compressed

c:\windows\system32\winlogon.exe
Version: 5.1.2600.5512
Created: 9/24/2008 4:59:57 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
Attributes: Archive

c:\windows\system32\winlogon.old
Version: 5.1.2600.5512
Created: 8/4/2004 4:00:00 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
Attributes: Archive

guestolo · « **Reply #7 on:** January 01, 2009, 08:19:15 PM »

Did you do the following?

Quote

Set Windows is to show hidden files/folders
In MyComputer select TOOLS>>FOLDER OPTIONS>>VIEW
Select the Radio button to Show hidden files/folders
Apply and OK it

Navigate to the following folder
cc:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
In that folder right click on prefs.js and select EDIT

Delete the 2 lines referring to the following

===================================================
user_pref("browser.search.selectedEngine", "Yoog Search");
user_pref("keyword.URL", "http://www2.yoog.com/search.php?q=");
======================================================
Don't leave spacings
Close prefs.js and save the changes when prompted
remain in the sicg66af.default\ folder
Right click on user.js

Delete the lines referring to the following
========================================
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
=========================================

Since it appears you uninstalled all of McAfee, you can also delete the next line
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

Close user.js and save changes when prompted

It looked like a vital file for XP was infected earlier
But seems OK now
Can we double check it please
go to this link
http://www.virustotal.com/flash/index_en.html
Copy and paste the following bold line to the space next to 'Upload a File'
If using Firefox, you may have to paste to the Filename field of the File Upload box that opens
Or Browse to the file

c:\windows\system32\winlogon.exe
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page

viejo1221 · « **Reply #8 on:** January 01, 2009, 08:27:54 PM »

I did delete the lines in the hidden folders. Here's the link for the other request...
http://www.virustotal.com/reanalisis.html?...829662f5629327a

viejo1221 · « **Reply #9 on:** January 01, 2009, 08:31:34 PM »

Or maybe it was this one you wanted:
http://www.virustotal.com/analisis/debbb50...e9b7623213f650d

Should I still be without AntiVirus while we're doing this or should I download one?

guestolo · « **Reply #10 on:** January 01, 2009, 08:36:08 PM »

Can you do the following

Access your Add and Remove Programs and remove the following

RON Tool Globaladsolution
You may be prompted to type in a verification code
Do so and click Uninstall
If it prompts of an error and to remove it from the list, please do so

Then,
Download and save to your desktop
[color=\"#FF0000\"]OTScanIt2[/color][/url]
by OldTimer

Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES

Then click on [color=\"#0000FF\"]Run Scan [/color]

When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found it the OTScanIt2 folder on desktop
NOTE: If you do get an error posting this log, please Upload it, but Only if you get an error

In addition, can you navigate to the following file
c:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\user.js
Right click on it and select EDIT
Copy/paste back the contents please

EDIT>

Quote

Should I still be without AntiVirus while we're doing this or should I download one?

No, definitely not, we'll deal with that in a bit
Do you need a free solution or do you have one in mind?

viejo1221 · « **Reply #11 on:** January 01, 2009, 08:55:42 PM »

Removed RON Tool Glo... from list.

I need free anti-virus.

user.js is a blank file now, the lines I deleted were the only ones in there.

OTScanIt2 log post gave error, attached.

guestolo · « **Reply #12 on:** January 01, 2009, 09:02:16 PM »

There's still some files and registry entries to kill
But let me know, are you still having problems with Yoog Search in IE and Firefox

viejo1221 · « **Reply #13 on:** January 01, 2009, 09:06:46 PM »

I just rebooted, then I checked IE and Firefox, no sign of Yoog!

guestolo · « **Reply #14 on:** January 01, 2009, 09:20:06 PM »

Can you delete your copy of ComboFix on desktop and CFScript.txt

Redownload ComboFix from one of the following links
[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]
KillAll::
Driver::
TDSSserv
TDSSypjq
File::
c:\windows\system32\drivers\TDSSypjq.sys
c:\windows\system32\TDSSkbnv.dll
c:\windows\system32\TDSSwryg.dat
c:\windows\system32\TDSScrrn.dll
c:\windows\system32\TDSSbvqi.dll
c:\windows\system32\TDSSvoxr.dll
c:\windows\system32\TDSSvouw.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSushc.dll
c:\windows\system32\TDSShhrl.log
c:\windows\system32\TDSSgqrr.log
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..

Can I again see that log in a bit, but for now

Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935
Save the installer to desktop

Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time

NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it

A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"

Quarantine or delete everything it finds
When the scan is finished
Reboot the computer
Back in Windows
1. Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"

2. Post the new log from ComboFix

3. Can you once again, run OTScanit2.exe, enable the Rootkit scan
Post the new log

viejo1221 · « **Reply #15 on:** January 01, 2009, 10:02:39 PM »

I'm still here, just waiting for long Avira scan to finish...

guestolo · « **Reply #16 on:** January 01, 2009, 10:09:42 PM »

I'm just sitting down for a bite to eat. So no panic
I'll be back on later

viejo1221 · « **Reply #17 on:** January 01, 2009, 10:23:24 PM »

Should I turn on Windows Firewall? Do I need to do anything with bad files that were put in Quarantine?

Here are your requests:

Avira AntiVir Personal
Report file date: Thursday, January 01, 2009 20:34

Scanning for 1140430 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: RAFAEL-0F450D52

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.1.33 1705984 Bytes 12/24/2008 02:33:38
ANTIVIR2.VDF : 7.1.1.34 2048 Bytes 12/24/2008 02:33:38
ANTIVIR3.VDF : 7.1.1.58 296448 Bytes 1/1/2009 02:33:40
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 1/2/2009 02:33:45
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 1/2/2009 02:33:44
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 1/2/2009 02:33:44
AEHELP.DLL : 8.1.2.0 119159 Bytes 1/2/2009 02:33:42
AEGEN.DLL : 8.1.1.8 323956 Bytes 1/2/2009 02:33:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 1/2/2009 02:33:40
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, G:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, January 01, 2009 20:34

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'V0270Mon.exe' - '1' Module(s) have been scanned
Scan process 'StartFX.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '56' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\gadcom\gadcom.exe.vir
[DETECTION] Is the TR/Agent.axoc Trojan
[NOTE] The file was moved to '49c180fb.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49c28114.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SRUninstall.exe.vir
[DETECTION] Is the TR/Dldr.Agent.aldb Trojan
[NOTE] The file was moved to '49b280f6.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\SpeedRunner\_SpeedRunner_.exe.zip

Archive type: ZIP

--> SpeedRunner.exe
[DETECTION] Is the TR/Dldr.Agent.alda Trojan
[NOTE] The file was moved to '49cd80f7.qua'!
C:\Qoobox\Quarantine\C\Program Files\GetModule\GetModule32.exe.vir
[DETECTION] Is the TR/Click.MRV Trojan
[NOTE] The file was moved to '49d1810a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv401229907443.cpx.vir

Archive type: NSIS

--> ProgramFilesDir/GetModule32.exe
[DETECTION] Is the TR/Click.MRV Trojan
[NOTE] The file was moved to '49d38116.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000547.exe
[DETECTION] Is the TR/Click.MRV Trojan
[NOTE] The file was moved to '498d80e4.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000558.exe
[DETECTION] Is the TR/Agent.axoc Trojan
[NOTE] The file was moved to '480f6e9d.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000560.exe
[DETECTION] Is the TR/Dldr.Agent.aldb Trojan
[NOTE] The file was moved to '498d80e5.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000571.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '480f6e9e.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000637.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '498d80e8.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000638.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '480f6e91.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000639.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '498d80e9.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000640.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '480f6e92.qua'!
Begin scan in 'G:\' <My Book>

End of the scan: Thursday, January 01, 2009 21:05
Used time: 30:45 Minute(s)

The scan has been done completely.

11893 Scanning directories
260207 Files were scanned
14 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
14 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
260192 Files not concerned
1192 Archives were scanned
2 Warnings
14 Notes

ComboFix 08-12-31.01 - RAFAEL 2009-01-01 20:25:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.621 [GMT -6:00]
Running from: c:\documents and settings\RAFAEL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RAFAEL\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\TDSSypjq.sys
c:\windows\system32\TDSSbvqi.dll
c:\windows\system32\TDSScrrn.dll
c:\windows\system32\TDSSgqrr.log
c:\windows\system32\TDSShhrl.log
c:\windows\system32\TDSSkbnv.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSushc.dll
c:\windows\system32\TDSSvouw.dll
c:\windows\system32\TDSSvoxr.dll
c:\windows\system32\TDSSwryg.dat
.

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2008-12-31 09:52 . 2008-12-31 09:52   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-31 09:52 . 2008-12-31 09:52   <DIR>   d--------   c:\documents and settings\RAFAEL\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-31 09:52   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-03 19:59   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 09:52 . 2008-12-03 19:59   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-30 20:20 . 2008-12-30 20:20   726,008   --a------   c:\documents and settings\RAFAEL\gotomypc_437.exe
2008-12-30 12:23 . 2008-12-30 12:23   <DIR>   d--------   c:\program files\Trend Micro
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\UltraISO
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\Common Files\EZB Systems
2008-12-17 20:27 . 2008-12-17 20:27   23,600   --a------   c:\windows\system32\drivers\TVICHW32.SYS
2008-12-17 20:18 . 2008-12-17 20:18   0   --a------   c:\windows\ativpsrm.bin
2008-12-17 14:38 . 2008-12-17 22:04   522   --a------   C:\GSMRIAutomation.cfg
2008-12-17 05:48 . 2008-12-17 16:27   <DIR>   d--h-----   C:\MRI_PE_TEMP
2008-12-16 03:13 . 2008-12-17 05:48   <DIR>   d--hs----   C:\$RECYCLE.BIN
2008-12-16 02:41 . 2008-12-16 02:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Geek Squad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 02:49   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\Skype
2009-01-01 00:47   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\skypePM
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee.com
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee
2008-12-30 19:02   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee
2008-12-18 02:07   ---------   d-----w   c:\program files\Google
2008-12-18 02:03   ---------   d-----w   c:\documents and settings\All Users\Application Data\Visual Networks
2008-12-18 01:48   ---------   d-----w   c:\program files\Yahoo!
2008-12-18 01:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-28 20:37   ---------   d-----w   c:\program files\iTunes
2008-11-28 20:37   ---------   d-----w   c:\program files\iPod
2008-11-28 20:37   ---------   d-----w   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 20:36   ---------   d-----w   c:\program files\QuickTime
2008-11-28 20:35   ---------   d-----w   c:\program files\Common Files\Apple
2008-11-26 01:28   ---------   d-----w   c:\program files\Common Files\AnswerWorks 4.0
2008-11-23 20:46   ---------   d-----w   c:\documents and settings\LocalService\Application Data\SACore
2008-11-18 01:25   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\ntr
2008-11-18 00:58   ---------   d-----w   c:\program files\Common Files\Scanner
2008-11-18 00:58   ---------   d-----w   c:\program files\CCleaner
2008-11-15 15:03   36,624   ------w   c:\windows\system32\drivers\pxhelp20.sys
2008-04-01 01:24   32   ----a-w   c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_13.11.44.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 18:00:09   32,768   --sha-w   c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 20:00:31   32,768   --sha-w   c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 18:00:09   16,384   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31   16,384   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-17 00:13:38   149,200   ----a-w   c:\windows\system32\FNTCACHE.DAT
+ 2008-12-31 15:40:29   149,200   ----a-w   c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2006-09-26 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"CTHelper"="CTHELPER.EXE" [2004-03-10 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-02-28 16:15 503808 c:\program files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2008-03-31 225632]
R3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2008-03-31 6912]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {EDE05334-D18B-49FE-9B39-E23C686A2C09} = 4.2.2.1,4.2.2.2

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 20:27:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*_   Â|Â·*NULL*]
@Owner=S-1-5-21-1482476501-1604221776-725345543-1003
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.162.0.0"
"DeviceInstanceIds"=multi:"c:\\dell\\drivers\\r106409\\driver\\2kxp_inf\\cx_25672.inf\00"

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState]
@Owner=Administrator
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState\STSysTray]
@Owner=Administrator
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-01 20:29:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 02:29:09
ComboFix2.txt 2009-01-02 00:50:49
ComboFix3.txt 2008-12-30 19:12:08

Pre-Run: 228,020,449,280 bytes free
Post-Run: 228,003,725,312 bytes free

212   --- E O F ---   2008-12-11 11:26:06

guestolo · « **Reply #18 on:** January 01, 2009, 11:00:25 PM »

Look in Windows Control Panel and check to see the Firewall is enabled
If not, enable it

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the [color=\"#2E8B57\"]Run Fix[/color] button.

Code: [Select]

[Kill Explorer]
[Unregister Dlls]
[Custom Items]
:files
c:\windows\system32\drivers\TDSSypjq.sys
c:\windows\system32\TDSSkbnv.dll
c:\windows\system32\TDSSwryg.dat
c:\windows\system32\TDSScrrn.dll
c:\windows\system32\TDSSbvqi.dll
c:\windows\system32\TDSSvoxr.dll
c:\windows\system32\TDSSvouw.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSushc.dll
c:\windows\system32\TDSShhrl.log
c:\windows\system32\TDSSgqrr.log
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
:reg
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
:end
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

viejo1221 · « **Reply #19 on:** January 01, 2009, 11:08:32 PM »

Process Explorer.EXE killed successfully!
[Custom Items]
========== FILES ==========
File/Folder c:\windows\system32\drivers\TDSSypjq.sys not found.
File/Folder c:\windows\system32\TDSSkbnv.dll not found.
File/Folder c:\windows\system32\TDSSwryg.dat not found.
File/Folder c:\windows\system32\TDSScrrn.dll not found.
File/Folder c:\windows\system32\TDSSbvqi.dll not found.
File/Folder c:\windows\system32\TDSSvoxr.dll not found.
File/Folder c:\windows\system32\TDSSvouw.dll not found.
File/Folder c:\windows\system32\TDSSnmxh.log not found.
File/Folder c:\windows\system32\TDSSushc.dll not found.
File/Folder c:\windows\system32\TDSShhrl.log not found.
File/Folder c:\windows\system32\TDSSgqrr.log not found.
File/Folder c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\ deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\temp\etilqs_WsMIltWFUbiIEhPsS7DV scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.4.2 fix logfile created on 01012009_220455

Files moved on Reboot...
File C:\Documents and Settings\RAFAEL\Local Settings\temp\etilqs_WsMIltWFUbiIEhPsS7DV not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...

News:

Author Topic: Yoog, Pop-ups, Desktop disappears, Help! (Read 1264 times)