Inactive Browser hijack - search redirects

Status
Not open for further replies.
Whenever I search in Google I get redirected.

"Rogerwaters.us", "find-fast-answers.com", "answers.nixxie.com"

Used debugger, disabled it, and restarted.


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-16 10:13:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\DBEE0008d01
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\C72BFEAEd01
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\9221CF9Fd01
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\E69F64C8d01 48846 bytes
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\54959B7Ed01

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 5

read file error: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\DBEE0008d01, The system cannot find the file specified.
read file error: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\C72BFEAEd01, The system cannot find the file specified.
read file error: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\9221CF9Fd01, The system cannot find the file specified.
read file error: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\E69F64C8d01, The system cannot find the file specified.
read file error: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\Cache\54959B7Ed01, The system cannot find the file specified.
 
Clear the Firefox cache manually:

1. At the top of the Firefox window, click on Tools > Options.
2. Select the Advanced panel.
3. Click on the Network tab.
4. In the Offline Storage section, click Clear Now.
5. Click OK to close.
=========================================
Recommend you set Firefox to automatically clear the cache when Firefox closes:

1. At the top of the Firefox window, click Tools > Options.
2. Select the Privacy panel.
3. In the History section, set Firefox to Use custom settings for history.
Set HX for only a few days (mine is 3)
Check 'accept Cookies from sites.'
4. Select the check box for Clear history when Firefox closes.
Note: NO other checks in this section
5. Settings for #4: Check all of the following:
Browsing HX
Form & Search HX
Cache
In Data > check Offline website data.
Close
 
Okay, I just did that. Should I reboot?

Also, now it's like my Firefox is really slow to open up. And when I do CTRL ALT DELETE I see programs called "search indexer" and "plugin container", and my Firefox is taking up 198k memory; that seems a little high for one window?

Please advise.

Thanks for your continued help.
 
Just so you don't feel alone: I have just this one tab open in Firefox. The memory is up to 194,000k. I like this browser a lot and have been using it for years. The one thing that has never improved is the memory usage. I have opened the Task Manager at times to see 300,000k memory use. I have very few add-ons; none are for cosmetic 'stuff.'

With Windows, you have to reboot occasionally to free up RAM. And when my FF gets high in memory, I just close, then reopen it.

Your Firefox is going to be slow to open because it has to load 6 plug-ins and 8 extensions! You might want to review those and drop a few of them.

If the CD Emulator(s) has been removed, please run a new ComboFix scan. I can guide you into disabling the Search Indexer, but otherwise, if malware is gone and the browser is carrying the same load, I cannot make it go faster!
By the way, did you know that if you right-click on the Taskbar and choose Task Manager you wouldn't have to spread your hand across the keyboard to do Ctrl/Alt/Del!
 
ComboFix 11-07-17.03 - Administrator 07/17/2011 21:10:57.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.657 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-18 to 2011-07-18 )))))))))))))))))))))))))))))))
.
.
2011-07-17 23:56 . 2011-07-18 04:03 -------- d-----w- C:\32788R22FWJFW
2011-07-12 05:22 . 2011-07-12 05:22 -------- d-----w- c:\program files\ESET
2011-07-10 02:02 . 2011-07-10 02:02 -------- d-----w- c:\program files\NCH Software
2011-07-10 02:01 . 2011-07-10 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2011-07-10 02:01 . 2011-07-10 02:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Swift Sound
2011-07-10 02:01 . 2011-07-10 02:01 -------- d-----w- c:\program files\NCH Swift Sound
2011-07-05 00:32 . 2011-07-05 00:32 -------- d-----w- c:\program files\Common Files\Java
2011-07-05 00:32 . 2011-07-05 00:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-05 00:04 . 2011-07-05 00:31 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-05 00:04 . 2011-07-05 00:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-03 18:14 . 2011-07-05 23:05 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-03 18:14 . 2011-07-05 23:05 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-03 18:14 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-03 18:14 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-03 18:14 . 2011-07-03 18:14 -------- d-----w- c:\program files\Avira
2011-07-03 18:14 . 2011-07-03 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 16:11 . 2010-08-06 19:54 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-08-06 19:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-03_23.54.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-18 02:30 . 2011-07-18 02:30 16384 c:\windows\Temp\Perflib_Perfdata_1cc.dat
+ 2011-07-05 00:32 . 2011-07-05 00:31 157472 c:\windows\system32\javaws.exe
+ 2011-07-05 00:32 . 2011-07-05 00:31 145184 c:\windows\system32\javaw.exe
- 2010-01-20 13:28 . 2010-01-20 13:28 145184 c:\windows\system32\javaw.exe
+ 2011-07-05 00:32 . 2011-07-05 00:31 145184 c:\windows\system32\java.exe
- 2010-01-20 13:28 . 2010-01-20 13:28 145184 c:\windows\system32\java.exe
+ 2011-07-05 00:32 . 2011-07-05 00:32 203776 c:\windows\Installer\69819b.msi
+ 2011-07-05 00:31 . 2011-07-05 00:31 675840 c:\windows\Installer\698196.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aliim"="c:\program files\trademanager\aliim.exe" [2011-03-02 214424]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2009-08-27 614400]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-03-24 599328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA&inst=NwA3AC0ANAA4ADcANQA4ADkAMwAyADkALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA&prod=90&ver=9.0.894" [?]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-11-9 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\jre6\bin\jusched.exe [BU]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\trademanager\\AliIM.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2198:UDP"= 2198:UDP:Windows Media Format SDK (firefox.exe)
"2199:UDP"= 2199:UDP:Windows Media Format SDK (firefox.exe)
"2228:UDP"= 2228:UDP:Windows Media Format SDK (firefox.exe)
"2229:UDP"= 2229:UDP:Windows Media Format SDK (firefox.exe)
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/3/2011 11:14 AM 136360]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 4:18 AM 360224]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-10 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-10 02:01]
.
2011-07-13 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-10 02:01]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\SmarThru 4\WebCapture.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 173.208.22.140
FF - prefs.js: network.proxy.http_port - 49353
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-17 21:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\program files\Microsoft Silverlight\xapauthenticodesip.dll
.
Completion time: 2011-07-17 21:56:15
ComboFix-quarantined-files.txt 2011-07-18 04:55
ComboFix2.txt 2011-07-04 22:54
ComboFix3.txt 2011-07-04 00:09
.
Pre-Run: 4,604,297,216 bytes free
Post-Run: 4,589,277,184 bytes free
.
- - End Of File - - 66F446EFA488591F9ABF5003C1827E84
 
I can't find a rootkit. I will have you run these to see if they turn up anything:

Download CKScanner and save to your desktop.
  • Double click CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
    in your next reply.
===============================================
Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt.)
  • It will show a black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.
================================================
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format > uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Unfortunately, all those programs you ran may have caused a rootkit to be modified just enough that the scans you're doing now aren't picking it up. Logs in next reply please.
 
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\administrator\my documents\downloads\rosetta.stone.v.3.3.5.plus.language.packs\rosetta.stone.v3.3.5.setup\rosetta.stone.setup\crack\rosettastoneversion3.exe
c:\documents and settings\administrator\my documents\downloads\seops\seo powersuite\crack.txt
scanner sequence 3.LB.11.FANAHM
----- EOF -----

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000006d

Kernel Drivers (total 126):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7B0D000 \WINDOWS\system32\KDCOM.DLL
0xF7A1D000 \WINDOWS\system32\BOOTVID.dll
0xF75BE000 ACPI.sys
0xF7B0F000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF75AD000 pci.sys
0xF760D000 isapnp.sys
0xF7BD5000 pciide.sys
0xF788D000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7B11000 intelide.sys
0xF761D000 MountMgr.sys
0xF758E000 ftdisk.sys
0xF7B13000 dmload.sys
0xF7568000 dmio.sys
0xF7895000 PartMgr.sys
0xF762D000 VolSnap.sys
0xF7550000 atapi.sys
0xF763D000 disk.sys
0xF764D000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7530000 fltMgr.sys
0xF751E000 sr.sys
0xF765D000 PxHelp20.sys
0xF7507000 KSecDD.sys
0xF747A000 Ntfs.sys
0xF744D000 NDIS.sys
0xF7433000 Mup.sys
0xF782D000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6F5D000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6F49000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6F1F000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF792D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6EFB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7935000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6EBB000 \SystemRoot\system32\drivers\smwdm.sys
0xF6E97000 \SystemRoot\system32\drivers\portcls.sys
0xF784D000 \SystemRoot\system32\drivers\drmk.sys
0xF6E74000 \SystemRoot\system32\drivers\ks.sys
0xF6DC1000 \SystemRoot\system32\drivers\senfilt.sys
0xF793D000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF6DAD000 \SystemRoot\system32\DRIVERS\parport.sys
0xF785D000 \SystemRoot\system32\DRIVERS\serial.sys
0xF73DA000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF786D000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF787D000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7CE9000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF767D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7AB1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6D96000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF768D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF769D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7945000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6D85000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76AD000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF794D000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7955000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6D55000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76BD000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF795D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7965000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B83000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6CF7000 \SystemRoot\system32\DRIVERS\update.sys
0xF707E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF770D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF772D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B85000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79CD000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7BAF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C11000 \SystemRoot\System32\Drivers\Null.SYS
0xF7BB1000 \SystemRoot\System32\Drivers\Beep.SYS
0xF79DD000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF79E5000 \SystemRoot\System32\drivers\vga.sys
0xF7BB3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BB5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79ED000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79F5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7B09000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA665000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA60C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA5E4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA5BE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA59C000 \SystemRoot\System32\drivers\afd.sys
0xAAEEC000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7A05000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xAA459000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA3E9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAAECC000 \SystemRoot\System32\Drivers\Fips.SYS
0xAAEBC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF78A5000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF78DD000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA97A7000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xAAE6C000 \SystemRoot\system32\drivers\usbaudio.sys
0xAAE4C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAAD95000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7BC3000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xAA85F000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF78ED000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xAA84F000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAA843000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x9F4AA000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA0627000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9F492000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA12B3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0x9FCCC000 \SystemRoot\System32\drivers\Dxapi.sys
0xA07F1000 \SystemRoot\System32\watchdog.sys
0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
0xA4C31000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9E5000 \SystemRoot\System32\ialmdnt5.dll
0xBF9D6000 \SystemRoot\System32\ialmrnt5.dll
0xBFA07000 \SystemRoot\System32\ialmdev5.DLL
0xBFA42000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x9F47B000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xF77BD000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xAA85B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9F40B000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA4FC000 \SystemRoot\system32\drivers\sysaudio.sys
0x9F215000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7BA5000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAAD05000 \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys
0x9F14B000 \SystemRoot\system32\DRIVERS\srv.sys
0x9EC72000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7B1F000 \SystemRoot\system32\drivers\splitter.sys
0x9E420000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
604 C:\WINDOWS\system32\smss.exe
652 csrss.exe
676 C:\WINDOWS\system32\winlogon.exe
720 C:\WINDOWS\system32\services.exe
732 C:\WINDOWS\system32\lsass.exe
920 C:\WINDOWS\system32\svchost.exe
988 svchost.exe
1084 C:\WINDOWS\system32\svchost.exe
1188 svchost.exe
1376 svchost.exe
1492 C:\WINDOWS\system32\spoolsv.exe
1548 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1796 C:\WINDOWS\explorer.exe
1912 C:\Program Files\Analog Devices\Core\smax4pnp.exe
1928 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
1944 C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
2024 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2044 C:\Program Files\Common Files\Java\Java Update\jusched.exe
172 C:\Program Files\trademanager\AliIM.exe
272 svchost.exe
476 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
520 C:\Program Files\Java\jre6\bin\jqs.exe
376 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1148 C:\WINDOWS\system32\svchost.exe
1280 C:\WINDOWS\system32\searchindexer.exe
1316 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1212 C:\WINDOWS\system32\wscntfy.exe
3136 alg.exe
3952 wmiprvse.exe
1048 C:\Documents and Settings\Administrator\Application Data\mjusbsp\magicJack.exe
2528 C:\WINDOWS\system32\WISPTIS.EXE
2576 C:\Program Files\Mozilla Firefox\firefox.exe
3180 C:\Program Files\Mozilla Firefox\plugin-container.exe
308 C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
3604 C:\Program Files\TechSmith\Camtasia Studio 7\TscHelp.exe
192 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
3780 C:\Program Files\Internet Explorer\iexplore.exe
1792 C:\Program Files\Internet Explorer\iexplore.exe
2620 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST340014AS, Rev: 8.12

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 38BE7869FCCF026F920DA4A541B12E68993C36ED


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:05:28 PM, on 7/20/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\trademanager\aliim.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\TechSmith\Camtasia Studio 7\TSCHelp.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAA4ADcANQA4ADkAMwAyADkALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA"&"prod=90"&"ver=9.0.894
O4 - HKCU\..\Run: [aliim] C:\Program Files\trademanager\aliim.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files\SmarThru 4\WebCapture.dll2.htm
O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files\SmarThru 4\WebCapture.dll1.htm
O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files\SmarThru 4\WebCapture.dll.htm
O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files\SmarThru 4\WebCapture.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6132 bytes
 
Sorry for the delay; juggling a lot of threads. Thanks for the reminder.

We are going to have to replace the MBR. It can be done either by booting into the Recovery Console and using a command prompt, or by using the Windows CD.

Do you have a preference? It's not hard; there are several steps either way.
 
MBR is the Master Boot Record. Some details here: http://en.wikipedia.org/wiki/Master_boot_record
================================================
To start the Recovery Console when it is installed on your hard drive you would do the following:
  1. Reboot your computer and as Windows starts it will present you with your startup options as shown in the figure below. Note: You may have to press F1 as Windows starts to load to get these choices.
    startup.gif
  2. With the arrow keys on your keyboard, select the option listed as Microsoft Windows Recovery Console and press Enter.
  3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
  4. Then you are prompted for the Administrator's password. If there is no password, simply press Enter. Otherwise type in the password and then press Enter. If you do not know your password, let me know.
  5. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.
  6. Type fixmbr and then press Enter.
  7. Important! Restart your PC for the fix to take effect.
 
Yay, that worked. I can now search with no redirect.

What should I do to protect myself? What is the best virus program? Are any of them even effective? It seems like even though I have all this protection I still end up getting viruses every now and then.
 
This is always what I start off with when I get this question:
The user is the first line of security. If you don't practice safe surfing and safe email handling, no matter how much or what security you have, you will get malware.

My recommendation for antivirus: If you don't pay for anything else, IMO this is the one software program worth all the pennies. I don't use any 'suites', all stand-alone programs. I have the paid Nod32 AV. It is easily configured, non-obtrusive when it updates and will not, absolutely not, load a site on their 'blocked' list. I use a router which has a hardware firewall and most of the programs/processes below:
One of the most important security additions is a reliable site advisor. You would be amazed at how many of the sites you can bring up in a search are rated as 'bad'! I use WOT. (see below)

Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety.
  2. Have layered Security:
    [o] Antivirus (only one): Both of the following programs are free and known to be good:
    [o] Avira-AntiVir-Personal-Free-Antivirus
    [o] Avast-Free Antivirus
    [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o] SpywareBlaster: SpywareBlaster protects against bad ActiveX.
    [o] Spybot Search & Destroy
  4. Updates: Stay current:
    [o] Visit the Microsoft Download Site frequently. Install all updates marked Critical and the current SP updates.
    [o] Adobe Reader: Install current, uninstall old.
    [o] Java Updates: Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookie:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o]See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save them to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad links.
======================================
Please update and run a new scan with Combofix- let's make sure the rootkit is gone and the MBR is good.
 
thank you for the great info, here is the combo fix log:

ComboFix 11-07-29.03 - Administrator 07/29/2011 20:18:01.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.624 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))
.
.
2011-07-12 05:22 . 2011-07-12 05:22 -------- d-----w- c:\program files\ESET
2011-07-10 02:02 . 2011-07-10 02:02 -------- d-----w- c:\program files\NCH Software
2011-07-10 02:01 . 2011-07-10 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2011-07-10 02:01 . 2011-07-10 02:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Swift Sound
2011-07-10 02:01 . 2011-07-10 02:01 -------- d-----w- c:\program files\NCH Swift Sound
2011-07-05 00:32 . 2011-07-05 00:32 -------- d-----w- c:\program files\Common Files\Java
2011-07-05 00:32 . 2011-07-05 00:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-05 00:04 . 2011-07-05 00:31 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-05 00:04 . 2011-07-05 00:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-03 18:14 . 2011-07-05 23:05 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-03 18:14 . 2011-07-05 23:05 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-03 18:14 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-03 18:14 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-03 18:14 . 2011-07-03 18:14 -------- d-----w- c:\program files\Avira
2011-07-03 18:14 . 2011-07-03 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 16:11 . 2010-08-06 19:54 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-08-06 19:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-03_23.54.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-29 21:46 . 2011-07-29 21:46 16384 c:\windows\Temp\Perflib_Perfdata_16c.dat
+ 2011-07-05 00:32 . 2011-07-05 00:31 157472 c:\windows\system32\javaws.exe
+ 2011-07-05 00:32 . 2011-07-05 00:31 145184 c:\windows\system32\javaw.exe
- 2010-01-20 13:28 . 2010-01-20 13:28 145184 c:\windows\system32\javaw.exe
+ 2011-07-05 00:32 . 2011-07-05 00:31 145184 c:\windows\system32\java.exe
- 2010-01-20 13:28 . 2010-01-20 13:28 145184 c:\windows\system32\java.exe
+ 2011-07-05 00:32 . 2011-07-05 00:32 203776 c:\windows\Installer\69819b.msi
+ 2011-07-05 00:31 . 2011-07-05 00:31 675840 c:\windows\Installer\698196.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aliim"="c:\program files\trademanager\aliim.exe" [2011-03-02 214424]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2009-08-27 614400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-03-24 599328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA&inst=NwA3AC0ANAA4ADcANQA4ADkAMwAyADkALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA&prod=90&ver=9.0.894" [?]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-11-9 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\jre6\bin\jusched.exe [BU]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\trademanager\\AliIM.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2198:UDP"= 2198:UDP:Windows Media Format SDK (firefox.exe)
"2199:UDP"= 2199:UDP:Windows Media Format SDK (firefox.exe)
"2228:UDP"= 2228:UDP:Windows Media Format SDK (firefox.exe)
"2229:UDP"= 2229:UDP:Windows Media Format SDK (firefox.exe)
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/3/2011 11:14 AM 136360]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 4:18 AM 360224]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-10 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-10 02:01]
.
2011-07-13 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-10 02:01]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\SmarThru 4\WebCapture.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b3v9e96f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 173.208.22.140
FF - prefs.js: network.proxy.http_port - 49353
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-29 20:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-29 20:35:31
ComboFix-quarantined-files.txt 2011-07-30 03:35
ComboFix2.txt 2011-07-18 04:56
ComboFix3.txt 2011-07-04 22:54
ComboFix4.txt 2011-07-04 00:09
.
Pre-Run: 3,507,318,784 bytes free
Post-Run: 3,940,433,920 bytes free
.
- - End Of File - - 45F25F46A2ADE676FBFD71620490E4E2
 
Did we previously discuss any of this?

1. Does your ISP require a proxy? If not, do the following:
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.

2. Did I discuss the dangers of file sharing and suggest you uninstall Bit Comet? If not:
P2P Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Bit Comet for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
================================================
3. Did I suggest you remove the Conduit Engine and any Conduit toolbars?
4. Have I previously attempted to change the search page in Firefox from Conduit to default?
5. Did I ask you why you have scheduled tasks for the NCH Swift Sound WavePad Seven Days & WavePad Shake Icon and suggest that you 'unschedule' both?
6. Have you decided whether you will reinstall AVG or keep other

Please give me the answers. Update and rescan with HJT and we'll finish up. No sign of rootkit.

Please forgive if I'm repeating.
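The two Firefox indicators the ComboFix log above surfaced (a proxy host left in prefs.js and a Conduit search URL) can also be checked directly in a profile's prefs.js. The following is an added example, not code from the thread or from ComboFix/HijackThis; the trusted-search allowlist is an assumption, and the sample prefs.js is constructed from the values reported in the log.

```python
"""Check a Firefox prefs.js for a configured HTTP proxy and a hijacked default search URL.

Added example for this thread; it is not part of ComboFix, HijackThis or Firefox.
"""
import re
from urllib.parse import urlparse

# prefs.js lines look like:  user_pref("name", value);   value is "string", integer or true/false
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of network.proxy.type in Firefox
PROXY_TYPE = {0: "direct (no proxy)", 1: "manual", 2: "PAC script",
              4: "auto-detect (WPAD)", 5: "system settings"}

# Search engines treated as expected (assumption); any other host is reported
TRUSTED_SEARCH = ("google.com", "bing.com", "yahoo.com", "duckduckgo.com")

# Constructed sample modelled on the prefs the thread's ComboFix log reported
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("network.proxy.http", "173.208.22.140");
user_pref("network.proxy.http_port", 49353);
user_pref("network.proxy.type", 0);
user_pref("yahoo.ytff.general.dontshowhpoffer", true);
"""


def parse_prefs(text):
    """Return {pref_name: typed_value} from prefs.js text; non-pref lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as the raw token
    return prefs


def host_of(url):
    """Hostname of a URL; tolerates values stored without a scheme (e.g. 'www.google.com')."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SEARCH)


def check_prefs(prefs):
    """Return a list of (severity, message) findings for proxy and search hijack indicators."""
    findings = []
    ptype = prefs.get("network.proxy.type")
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if host:
        where = "%s:%s" % (host, port if port is not None else "?")
        if ptype == 1:
            findings.append(("high", "active manual HTTP proxy %s; all web traffic is relayed through it" % where))
        else:
            # Type 0 (as in the log) means the host is not in use right now, but a leftover
            # proxy shows the profile was modified and becomes active again if type is set to 1.
            mode = PROXY_TYPE.get(ptype, "unknown") if ptype is not None else "default"
            findings.append(("medium", "dormant HTTP proxy %s left in prefs (proxy type: %s)" % (where, mode)))
    elif ptype in (2, 4):
        findings.append(("medium", "proxy configured via %s; verify the PAC/WPAD source" % PROXY_TYPE[ptype]))
    # Search prefs that redirect every address-bar or search-box query
    for pref in ("browser.search.defaulturl", "keyword.URL"):
        url = prefs.get(pref)
        if isinstance(url, str) and url and not is_trusted_host(host_of(url)):
            findings.append(("high", "%s points at %s" % (pref, host_of(url))))
    return findings


def scan_text(text):
    return check_prefs(parse_prefs(text))


if __name__ == "__main__":
    for sev, msg in scan_text(SAMPLE_PREFS_JS):
        print("[%s] %s" % (sev.upper(), msg))
```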
 
Hello,
I think I will install AVG.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:39:21 PM, on 8/2/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\trademanager\AliIM.exe
C:\Documents and Settings\Administrator\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\TechSmith\Camtasia Studio 7\TSCHelp.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAA4ADcANQA4ADkAMwAyADkALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA"&"prod=90"&"ver=9.0.894
O4 - HKCU\..\Run: [aliim] C:\Program Files\trademanager\aliim.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files\SmarThru 4\WebCapture.dll2.htm
O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files\SmarThru 4\WebCapture.dll1.htm
O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files\SmarThru 4\WebCapture.dll.htm
O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files\SmarThru 4\WebCapture.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6174 bytes
 
Reopen HijackThis to 'Do a system scan only'. Check the following:
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unins...FYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUg AtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAA4ADcANQA4ADkAMwAyADkALQ BGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0AWABPADkAKwAxAC0ARgA5A E0AMgArADEALQBEAEQAVAArADAA"&"prod=90"&"ver=9.0.894

Close all Windows except HijackThis and click on "Fix Checked"
========================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    o Choose Disk Cleanup
    o Click "OK" to select the partition or drive you want.
    o Click the "More Options" tab.
    o Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 