TechSpot

Everything is redirected when clicking links

By Tired
Oct 15, 2010
  1. Hello, been having trouble browsing, especially with Google. I am constantly sent to different sites than the one I clicked. Not sure if they are even real sites. Anyway,
    I have just finished my preliminary spyware etc. removal steps and I am really not versed enough in this stuff to make sense of the reports, so as instructed I am posting them now and hopefully someone will know what to do. Thanks

    *not sure how to post GMER log* sorry

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4840

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    10/15/2010 2:17:08 PM
    mbam-log-2010-10-15 (14-17-08).txt

    Scan type: Quick scan
    Objects scanned: 172153
    Time elapsed: 8 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\All Users.WINDOWS\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.


    DDS (Ver_10-10-10.03) - NTFSx86
    Run by main at 15:36:06.21 on Fri 10/15/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.128 [GMT -6:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxdccoms.exe
    C:\WINDOWS\system32\NMSAccess.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\main\My Documents\Downloads\op89sb5c.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\main\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://hotmail.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [lxdcmon.exe] "c:\program files\lexmark 1300 series\lxdcmon.exe"
    mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
    mRun: [LXDCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDCtime.dll,_RunDLLEntry@16
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\main\applic~1\mozilla\firefox\profiles\fbnyb85v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.theweathernetwork.com/weather/cask0266
    FF - plugin: c:\documents and settings\main\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\main\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_18\bin\NPJava11.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_18\bin\NPJava12.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_18\bin\NPJava131_18.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_18\bin\NPJava32.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_18\bin\NPOJI600.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-9-7 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-7 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-9-7 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-7 56816]
    R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]

    =============== Created Last 30 ================

    2010-10-15 20:06:36 -------- d-----w- c:\docume~1\main\applic~1\Malwarebytes
    2010-10-15 20:06:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 20:06:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 20:06:17 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-10-15 20:06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    ==================== Find3M ====================

    2010-09-11 01:40:55 1409 ----a-w- c:\windows\QTFont.for
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-03 20:21:05 4242412 ----a-w- c:\documents and settings\all users.windows\SPL19.tmp
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    ============= FINISH: 15:37:03.71 ===============
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Tired! We're all tired of malware! But I'll try to help.

    There is an entry I see in the DDS log: can you tell me what this is? It's an executable file that has been included with downloads in My Documents.
    C:\Documents and Settings\main\My Documents\Downloads\op89sb5c.exe

    There is another log in DDS named Attach.txt Please include that in your next reply.

    You have several versions of Java, but not the current v6u21. Old Java programs are a vulnerability, so please update: check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    You paste the GMER log in like the other logs. You may have to split it over 2 posts. Be sure you followed this: Warning! Please do not select the "Show all" checkbox during the scan.
    =========================================
    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ======================================
    Follow with Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Be sure to paste those logs in also. I'm going to finish checking the DDS log while you do that. If anything needs to be handled right away, I'll put an Edit in the post.
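Added example, not from the thread or from the DDS tool: a small Python triage script that applies the checks Bobbye makes by eye above (an executable launched from a user's Downloads folder, a BHO entry that resolves to "No File", Java installer entries older than the current release) to lines in the DDS "Running Processes" and "Pseudo HJT Report" format. The sample lines are copied from the log in post 1; the function and pattern names (`triage`, `Finding`, `USER_DROP_DIRS`, `JAVA_CAB`) and the reference Java version tuple are this example's own assumptions. A hit is a review item, not a verdict: the Downloads executable flagged here is the one Bobbye asks about, which the poster later identifies as the renamed GMER download.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied in shape from the DDS "Running Processes" and
# "Pseudo HJT Report" sections posted in this thread (hxxp is DDS's defanged http).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\main\My Documents\Downloads\op89sb5c.exe
C:\Documents and Settings\main\My Documents\Downloads\dds.scr
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
DPF: {CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
"""

Finding = namedtuple("Finding", "kind detail")

# Assumed reference: Java 6 Update 21 (1.6.0_21), the version the helper calls current.
CURRENT_JAVA = (1, 6, 0, 21)
# Process images under a user's Downloads / Temp folders deserve a second look.
USER_DROP_DIRS = re.compile(r"\\(downloads|temp|temporary internet files)\\", re.IGNORECASE)
# Sun's installer CAB names carry the JRE version: jinstall-1_6_0_15-windows-i586.cab
JAVA_CAB = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-windows", re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f-]+\}")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def triage(log_text, current_java=CURRENT_JAVA):
    """Walk DDS-style lines and return a list of Finding(kind, detail) review items."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BHO:") and line.endswith("- No File"):
            # A BHO CLSID still registered but pointing at no DLL: an orphan left
            # behind by an uninstall or a removal, worth confirming and cleaning.
            m = CLSID.search(line)
            findings.append(Finding("orphaned_bho", m.group(0) if m else line))
        elif line.startswith("DPF:"):
            # Downloaded Program Files entries for JRE installers show which Java
            # versions the browser still has registered; older than current is a hit.
            m = JAVA_CAB.search(line)
            if m and tuple(int(g) for g in m.groups()) < current_java:
                findings.append(Finding("outdated_java_plugin", m.group(0)))
        elif DRIVE_PATH.match(line) and USER_DROP_DIRS.search(line):
            # Running-process section: a bare image path launched from a user's
            # Downloads or Temp folder.
            findings.append(Finding("process_from_user_download_dir", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32s} {f.detail}")
```

On the sample above the script reports the two Downloads images, the orphaned BHO CLSID and the two old JRE installers, which is exactly the set of items the helper raises in her first reply.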
     
  3. Tired

    Tired TS Rookie Topic Starter Posts: 23

    I've attached the "attach" document. The file you asked about is the GMER download; that's where my computer saved it to. Also I downloaded the new version of Java but can't seem to remove any old ones. I tried in Add/Remove Programs; it wouldn't let me: "InstallShield engine could not be launched", something like that. Let me know if these are the right attachments. Thanks

    GMER 1.0.15.15319 - http://www.gmer.net
    Rootkit scan 2010-10-15 18:05:20
    Windows 5.1.2600 Service Pack 3
    Running: op89sb5c.exe; Driver: C:\DOCUME~1\main\LOCALS~1\Temp\pxtdapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT F8C14FC6 ZwCreateKey
    SSDT F8C14FBC ZwCreateThread
    SSDT F8C14FCB ZwDeleteKey
    SSDT F8C14FD5 ZwDeleteValueKey
    SSDT F8C14FDA ZwLoadKey
    SSDT F8C14FA8 ZwOpenProcess
    SSDT F8C14FAD ZwOpenThread
    SSDT F8C14FE4 ZwReplaceKey
    SSDT F8C14FDF ZwRestoreKey
    SSDT F8C14FD0 ZwSetValueKey
    SSDT F8C14FB7 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    ? xicisbt.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF81AA340, 0x130B5F, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x268611, 0xF8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[1372] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B385CB

    ---- EOF - GMER 1.0.15 ----
     


  4. Tired

    Tired TS Rookie Topic Starter Posts: 23

    combo fix

    Hi, I ran ComboFix; here is the log. Seems like a lot of stuff to go through, but thank you so much. I don't want to assume it's fixed when it's not.

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2009-1-28 40960]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\Program Files\\Outlook Express\\msimn.exe"=
    "c:\\WINDOWS\\system32\\lxdccoms.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2009 12:29 AM 108289]
    R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 19:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://hotmail.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\fbnyb85v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.theweathernetwork.com/weather/cask0266
    FF - plugin: c:\documents and settings\main\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\main\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_18\bin\NPJava11.dll
    FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_18\bin\NPJava12.dll
    FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_18\bin\NPJava131_18.dll
    FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_18\bin\NPJava32.dll
    FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_18\bin\NPOJI600.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-lxdcmon.exe - c:\program files\Lexmark 1300 Series\lxdcmon.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe


    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2608)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nView.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\lxdccoms.exe
    c:\windows\system32\NMSAccess.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-15 18:33:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-16 00:33

    Pre-Run: 42,368,106,496 bytes free
    Post-Run: 42,341,085,184 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - D20F45AA22270297FBFA5A2C57D1806C
     
  5. Tired

    Tired TS Rookie Topic Starter Posts: 23

    here is the last thing you requested

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0301da4504be4e4aaabd4f25ee9bace3
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-16 01:39:43
    # local_time=2010-10-15 07:39:43 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1797 16775141 100 100 0 61968595 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=50901
    # found=1
    # cleaned=0
    # scan_time=2355
    C:\Documents and Settings\Dustin & Pam\My Documents\Downloads\VSO ConvertXtoDVD 3.1.1.32+keygen\Keygen\Keygen.exe a variant of Win32/Keygen.AS application 00000000000000000000000000000000 I
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This was a pirated program. I am setting it up to remove the malware entry but you will have to uninstall the program if you want to continue support.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files  
      C:\Documents and Settings\Dustin & Pam\My Documents\Downloads\VSO ConvertXtoDVD 3.1.1.32+keygen\Keygen\Keygen.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    In the irony of the internet, while ripping off the authors of the program, trying to get it and not pay the $50.00, you were sent a variant of the IRCBot family of worms and IRC backdoor Trojans (keygen.exe).
     
  7. Tired

    Tired TS Rookie Topic Starter Posts: 23

    Alright, I found the program and deleted it, then ran OTMoveIt. Thank you for finding that; I wasn't even aware we had a folder "Dustin & Pam". I thought that was from before I reinstalled Windows. Is not everything removed when reinstalling Windows? (Hope that isn't a dumb question, starting to feel pretty dumb.) Anyway, here is the log

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    File/Folder C:\Documents and Settings\Dustin & Pam\My Documents\Downloads\VSO ConvertXtoDVD 3.1.1.32+keygen\Keygen\Keygen.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: All Users.WINDOWS

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Dustin & Pam
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: main
    ->Temp folder emptied: 570369 bytes
    ->Temporary Internet Files folder emptied: 177806 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 45113828 bytes
    ->Flash cache emptied: 845 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 44.00 mb


    OTM by OldTimer - Version 3.1.16.1 log created on 10172010_174311

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The pirated program had malware with it. I had that removed in OTMoveIt. I don't know when the program was installed; I didn't have any date to reference.

    Please rescan with ComboFix and paste in a new log in your next reply. The log you left had part missing. It doesn't start with this:
    When you copy the log in Notepad, please be sure to click on Format > uncheck 'Word Wrap.' The logs will begin with a header first at the top. About 1/3 is missing.
     
  9. Tired

    Tired TS Rookie Topic Starter Posts: 23

    Here you go.

    ComboFix 10-10-17.04 - main 10/18/2010 9:20.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.296 [GMT -6:00]
    Running from: c:\documents and settings\main\My Documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
    .

    2010-10-17 23:43 . 2010-10-17 23:43 -------- d-----w- C:\_OTM
    2010-10-15 23:54 . 2010-09-15 10:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-15 23:54 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-15 20:06 . 2010-10-15 20:06 -------- d-----w- c:\documents and settings\main\Application Data\Malwarebytes
    2010-10-15 20:06 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 20:06 . 2010-10-15 20:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-10-15 20:06 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 20:06 . 2010-10-15 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ------- Sigcheck -------

    [7] 2006-02-28 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

    c:\windows\System32\drivers\beep.sys ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-17 3022848]
    "nwiz"="nwiz.exe" [2003-11-17 753664]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
    "lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
    "LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2009-1-28 40960]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\Program Files\\Outlook Express\\msimn.exe"=
    "c:\\WINDOWS\\system32\\lxdccoms.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2009 12:29 AM 108289]
    R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 19:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://hotmail.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\fbnyb85v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.theweathernetwork.com/weather/cask0266
    FF - plugin: c:\documents and settings\main\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\main\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    .
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3116)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nView.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-10-18 09:27:21
    ComboFix-quarantined-files.txt 2010-10-18 15:27
    ComboFix2.txt 2010-10-16 00:33

    Pre-Run: 46,501,920,768 bytes free
    Post-Run: 46,491,598,848 bytes free

    - - End Of File - - 562DAABF1BF7F8DE2BB412D8A4ACD64D
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    How are you doing with the redirects? Any improvement?

    You may have to replace a missing file, but let's see if it can be found anywhere on the system:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      beep.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    After that, download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  11. Tired

    Tired TS Rookie Topic Starter Posts: 23

    The redirect is fixed; I think it has been since ComboFix. Thanks so much for that. So happy to be getting this computer cleaned up, great directions. Here are the two logs you requested.

    SystemLook 04.09.10 by jpshortstuff
    Log created at 14:05 on 19/10/2010 by main
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "beep.*"
    C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir --a---- 4224 bytes [12:00 28/02/2006] [12:00 28/02/2006] DA1F27D85E0D1525F6621372E7B685E9
    C:\WINDOWS\system32\dllcache\beep.sys --a--c- 4224 bytes [12:00 28/02/2006] [12:00 28/02/2006] DA1F27D85E0D1525F6621372E7B685E9

    -= EOF =-

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:09:48 PM, on 10/19/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxdccoms.exe
    C:\WINDOWS\system32\NMSAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
    O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - Global Startup: PHOTOfunSTUDIO -viewer-.lnk = C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
    O23 - Service: NMSAccess - Unknown owner - C:\WINDOWS\system32\NMSAccess.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5227 bytes
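The HijackThis log above is read by eye in this thread. The following Python script is an added example (not part of the thread, and not HijackThis's own code) that parses the same line format and flags the kinds of entries a helper looks at first: entries whose target file is gone ("(no file)", "(file missing)"), O23 services with no identified publisher, O4 Run entries that name a bare executable resolved through the search path, and R0/R1 start or search pages that do not point at the stock default host. The sample lines are copied from the log posted above; the allow-list of default hosts, the rule names and the function names are my assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts the stock IE defaults point at (assumed allow-list; extend per site).
DEFAULT_HOSTS = {"go.microsoft.com"}

# Rule names (assumed; HijackThis itself does not classify entries).
ORPHANED = "orphaned entry: target file no longer exists"
NO_PUBLISHER = "service with no identified publisher: verify the binary"
BARE_EXE = "Run entry names a bare executable resolved via the search path"
CHANGED_PAGE = "browser start/search page differs from the stock default host"

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.*)$")
# "Service: <name> - <owner> - <path>"; the owner field may be empty ("name - - C:\...").
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NMSAccess - Unknown owner - C:\WINDOWS\system32\NMSAccess.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""


def parse_entry(line):
    """Split one HJT line into its section code (R0, O2, O23 ...) and the rest; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "rest": m.group("rest"), "line": line.strip()}


def command_executable(cmd):
    """First token of a Run command; a quoted path with spaces is taken as one token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def classify(entry):
    """Return the first rule the entry trips, or None when nothing stands out."""
    section, rest = entry["section"], entry["rest"]
    if rest.endswith("(no file)") or rest.endswith("(file missing)"):
        return ORPHANED
    if section == "O23":
        m = SERVICE_RE.match(rest)
        if m and m.group("owner").strip() in ("", "Unknown owner"):
            return NO_PUBLISHER
    if section == "O4":
        m = re.match(r"^.*\] (?P<cmd>.*)$", rest)
        if m:
            exe = command_executable(m.group("cmd"))
            # No drive letter and no directory: Windows resolves it via the search path.
            if exe and "\\" not in exe and ":" not in exe:
                return BARE_EXE
    if section in ("R0", "R1") and " = " in rest:
        host = urlparse(rest.split(" = ", 1)[1].strip()).hostname or ""
        if host and host not in DEFAULT_HOSTS:
            return CHANGED_PAGE
    return None


def triage(log_text):
    """Run every entry in a HijackThis log through classify(); returns (section, rule, line) tuples."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        rule = classify(entry)
        if rule:
            findings.append((entry["section"], rule, entry["line"]))
    return findings


if __name__ == "__main__":
    for section, rule, line in triage(SAMPLE_LOG):
        print(f"{section:4} {rule}\n     {line}")
```

A flagged entry is a prompt to look, not a verdict: the bare `nwiz.exe` and `RUNDLL32.EXE` Run entries on this machine are normal NVIDIA and Windows components, and the "no publisher" Lexmark service is a printer driver, which is exactly why the helper in this thread only asks for the start-page entry to be fixed.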
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript. I'm not sure it will work for the beep entry but give it a try.

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    FCopy::
    C:\WINDOWS\system32\dllcache\beep.sys| C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/


    Close all Windows except HJT and click on "Fix Checked"

    You might want to take the printer and camera off of startup. Save the resources for when you need them.

    Let me know if all is resolved and I'll have you remove the cleaning tools.
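The FCopy step above restores beep.sys from one copy on disk into another location, and ComboFix's Sigcheck section later confirms the file by MD5. As an added example (not ComboFix's or SystemLook's code), here is the same idea in Python: locate every copy of a file by glob and record its size and MD5, as SystemLook's :filefind output does, then copy a file into place only when its hash matches a known-good value and the destination is absent. The directory layout, file contents and hashes in demo() are constructed stand-ins for the driver, not the real beep.sys, and the function names are my own.

```python
import fnmatch
import hashlib
import os
import shutil
import tempfile


def md5_hex(path, chunk=65536):
    """Upper-case MD5 of a file, read in chunks so a large file never sits whole in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def find_files(root, pattern):
    """SystemLook-style :filefind: every file under root whose name matches the glob,
    with size and MD5 so copies in different directories can be told apart."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in fnmatch.filter(names, pattern):
            p = os.path.join(dirpath, name)
            hits.append((p, os.path.getsize(p), md5_hex(p)))
    return sorted(hits)


def restore_if_verified(src, dst, expected_md5):
    """Copy src to dst only when src hashes to the known-good value and dst is absent.
    Never overwrites, and never copies a file whose content is not the one expected."""
    if os.path.exists(dst):
        return "skipped: destination already exists"
    actual = md5_hex(src)
    if actual != expected_md5.upper():
        return f"refused: source hash {actual} does not match expected {expected_md5.upper()}"
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copy2(src, dst)
    return "restored"


def demo():
    """Constructed scenario mirroring the thread: a good dllcache copy, a quarantined
    copy that has been altered, and a missing drivers copy. Returns what each step found."""
    root = tempfile.mkdtemp(prefix="beep_demo_")
    good = b"constructed stand-in for beep.sys (not the real driver)"
    altered = good + b"\x00trailing junk"          # simulates a modified quarantined copy
    dllcache = os.path.join(root, "WINDOWS", "system32", "dllcache", "beep.sys")
    quarantine = os.path.join(root, "QooBox", "Quarantine", "beep.sys.vir")
    drivers = os.path.join(root, "WINDOWS", "system32", "drivers", "beep.sys")
    for p, data in ((dllcache, good), (quarantine, altered)):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    # The known-good value would normally come from a trusted reference; here it is
    # derived from the constructed good content.
    known_good = hashlib.md5(good).hexdigest().upper()
    try:
        return {
            "found": [(os.path.relpath(p, root), size, h) for p, size, h in find_files(root, "beep.*")],
            "from_quarantine": restore_if_verified(quarantine, drivers, known_good),
            "from_dllcache": restore_if_verified(dllcache, drivers, known_good),
            "again": restore_if_verified(dllcache, drivers, known_good),
            "drivers_present": os.path.exists(drivers),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the real machine the reference value is the one ComboFix printed in its Sigcheck line for the dllcache copy; the point of the hash gate is that a copy pulled out of quarantine is only put back if it is byte-for-byte the file it claims to be.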
     
  13. Tired

    Tired TS Rookie Topic Starter Posts: 23

    Thanks so much for all your help. As far as I know, everything is resolved. Here is the last log you wanted. So if it all looks good to you, I'll remove all those cleaning tools. Thanks.

    ComboFix 10-10-25.04 - main 10/26/2010 13:15:55.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.329 [GMT -6:00]
    Running from: c:\documents and settings\main\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\main\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\windows\system32\dllcache\beep.sys --> c:\qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-26 to 2010-10-26 )))))))))))))))))))))))))))))))
    .

    2010-10-19 20:09 . 2010-10-19 20:09 388096 ----a-r- c:\documents and settings\main\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-19 20:09 . 2010-10-19 20:09 -------- d-----w- c:\program files\Trend Micro
    2010-10-17 23:43 . 2010-10-17 23:43 -------- d-----w- C:\_OTM
    2010-10-15 23:54 . 2010-09-15 10:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-15 23:54 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-15 20:06 . 2010-10-15 20:06 -------- d-----w- c:\documents and settings\main\Application Data\Malwarebytes
    2010-10-15 20:06 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 20:06 . 2010-10-15 20:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-10-15 20:06 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 20:06 . 2010-10-15 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-15 08:29 . 2009-01-28 16:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-11 01:40 . 2010-09-11 01:40 1409 ----a-w- c:\windows\QTFont.for
    2010-08-17 13:17 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-03 20:21 . 2010-08-03 20:21 4242412 ----a-w- c:\documents and settings\All Users.WINDOWS\SPL19.tmp
    .

    ------- Sigcheck -------

    [7] 2006-02-28 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

    c:\windows\System32\drivers\beep.sys ... is missing !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-10-18_15.25.21 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-26 04:17 . 2010-10-26 04:17 16384 c:\windows\temp\Perflib_Perfdata_48c.dat
    + 2010-10-19 20:09 . 2010-10-19 20:09 1094656 c:\windows\Installer\987e1ef.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-17 3022848]
    "nwiz"="nwiz.exe" [2003-11-17 753664]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
    "lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
    "LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2009-1-28 40960]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\Program Files\\Outlook Express\\msimn.exe"=
    "c:\\WINDOWS\\system32\\lxdccoms.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2009 12:29 AM 108289]
    R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 19:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://hotmail.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\fbnyb85v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.theweathernetwork.com/weather/cask0266
    FF - plugin: c:\documents and settings\main\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\main\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-26 13:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2328)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nView.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-10-26 13:22:35
    ComboFix-quarantined-files.txt 2010-10-26 19:22
    ComboFix2.txt 2010-10-18 15:27
    ComboFix3.txt 2010-10-16 00:33

    Pre-Run: 46,312,464,384 bytes free
    Post-Run: 46,314,078,208 bytes free

    - - End Of File - - E601CB2E771BA933ABE4F357B658ADCD
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Almost, not quite:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files 
      c:\documents and settings\All Users.WINDOWS\SPL*.tmp
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  15. Tired

    Tired TS Rookie Topic Starter Posts: 23

    Here is the OTM log, I am removing tools as instructed. ty

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    c:\documents and settings\All Users.WINDOWS\SPL19.tmp moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: All Users.WINDOWS

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Dustin & Pam
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: main
    ->Temp folder emptied: 57429 bytes
    ->Temporary Internet Files folder emptied: 161925 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 42984085 bytes
    ->Flash cache emptied: 4717 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 41.00 mb


    OTM by OldTimer - Version 3.1.17.1 log created on 10272010_111933
     
  16. Tired

    Tired TS Rookie Topic Starter Posts: 23

    Hi, I followed your tool removal instructions and it doesn't seem to have gotten rid of everything. Notepad files are still there, HijackThis is still there and Malwarebytes is still there. Are these things that should still be there? I'm fine to remove them on my own, just not sure if they were supposed to be taken care of as well. Also, when I ran the system tools cleanup, the recycle bin remained empty.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can go ahead and remove any remaining programs or logs from the cleaning. I tell everyone to empty the recycle bin because sometimes infected files get deleted but the trash doesn't get emptied!

    Let me know if you have any more questions.
     
Topic Status:
Not open for further replies.
