Dummy needs help with a virus

[Southerndaisy]

Ok I really don't know that much about computers but when I try to click on a link while doing a Google search I'm redirected to some other site. After much searching I found this site and I see others are having the same issue only those people seem to know something about computers in the first place. Can someone please help me to fix this virus issue or help me to walk through it. This is my work computer and we are a small business with no IT person. Any help would be useful and please remember to talk to me as though I'm a child beacuse I really don't know much other then this is a virus or somthing and that it's very irratating.

 

[kritius]

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


[CENTER]

[/CENTER]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

 

[Southerndaisy]

After the scan none of my items came back on my screen. I logged off and then back on and all was fine but when I opened up my inbox it said that it wasn't the default and the same with internet exployer. I'm including the log for you

 

[kritius]

Is that the full log?

I think that there is some information missing at the bottom.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=-

Driver::

DDS::
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=GRxdm016YYUS

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==============================================


Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

---------------------------------------------------

Please copy and paste the contents of the following in your next reply:

DDS.txt

Please attach the second file;


==============================================

• Make sure to use Internet Explorer for this
• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
  
  • C:\WINDOWS\system32\tdlwsp.dll
• Click on the Upload button
• If a pop-up appears saying the file has been scanned already, please select the ReScan button.
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

 

[Southerndaisy]

Sorry, I didn't wait for the log pop up. Here's the CFScript.txt I tried to move it to the ComboFix.txt but it want to run it again and I wasn't sure if I should so it's just saved on the desktop.

ComboFix 09-11-03.03 - johnlin 11/04/2009 12:51.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.692 [GMT -5:00]
Running from: c:\documents and settings\johnlin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\system32\drivers\1028_DELL_XPS_Dell DV051 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DV051 .MRK

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 17:37 . 2009-11-04 17:37 -------- d-sh--w- c:\documents and settings\johnlin\IECompatCache
2009-11-04 17:36 . 2009-11-04 17:36 -------- d-sh--w- c:\documents and settings\johnlin\PrivacIE
2009-11-04 17:36 . 2009-11-04 17:36 -------- d-sh--w- c:\documents and settings\johnlin\IETldCache
2009-11-04 17:35 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-04 17:35 . 2009-11-04 17:35 -------- d-----w- c:\windows\ie8updates
2009-11-04 17:34 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-04 17:34 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-04 17:33 . 2009-11-04 17:34 -------- dc-h--w- c:\windows\ie8
2009-11-04 17:08 . 2009-11-04 17:08 -------- d-----w- c:\documents and settings\johnlin\Local Settings\Application Data\Identities
2009-11-03 14:45 . 2009-11-03 14:45 21504 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-30 15:51 . 2009-10-30 15:52 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-20 14:45 . 2009-10-20 14:45 -------- d-----w- c:\documents and settings\johnlin\Application Data\AdobeUM
2009-10-20 14:44 . 2009-10-20 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-10-20 14:43 . 2009-10-20 14:43 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-09 17:02 . 2009-10-09 17:02 -------- d-----w- c:\program files\VS Revo Group
2009-10-05 18:29 . 2009-10-22 19:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 17:36 . 2009-09-18 17:45 -------- d-----w- c:\documents and settings\johnlin\Application Data\Nitro PDF
2009-11-02 14:06 . 2009-02-03 22:22 56784 ----a-w- c:\documents and settings\johnlin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-30 17:54 . 2009-01-22 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-30 17:53 . 2009-01-22 00:39 -------- d-----w- c:\program files\Microsoft Works
2009-10-29 17:10 . 2009-05-11 17:52 -------- d-----w- c:\documents and settings\johnlin\Application Data\Move Networks
2009-10-21 15:22 . 2009-01-22 16:11 -------- d-----w- c:\documents and settings\lewis.OCEANWAVES\Application Data\uTorrent
2009-10-21 15:22 . 2009-01-22 16:01 -------- d-----w- c:\documents and settings\kellyc.OCEANWAVES\Application Data\uTorrent
2009-10-20 14:43 . 2009-02-16 16:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-14 22:01 . 2009-06-16 18:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-21 18:09 . 2009-09-21 18:09 -------- d-----w- c:\program files\MSBuild
2009-09-21 18:09 . 2009-09-21 18:09 -------- d-----w- c:\program files\Reference Assemblies
2009-09-18 17:44 . 2009-09-18 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2009-09-18 17:44 . 2009-09-18 17:44 -------- d-----w- c:\program files\Nitro PDF
2009-09-18 17:44 . 2009-09-18 17:44 -------- d-----w- c:\program files\Common Files\Nitro PDF
2009-09-18 17:34 . 2009-09-18 17:34 -------- d-----w- c:\documents and settings\johnlin\Application Data\Downloaded Installations
2009-09-15 14:17 . 2009-09-15 14:17 61760 ----a-w- c:\windows\system32\ASTSRV.EXE
2009-09-15 14:16 . 2009-09-18 17:44 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2009-09-15 14:15 . 2009-09-18 17:44 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2009-01-21 23:50 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2009-01-21 23:50 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2009-01-21 23:50 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-10-16 22:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2009-01-21 23:50 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2009-01-21 23:50 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-01-22 14:35 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-01-22 14:35 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2009-01-21 23:50 1929952 ----a-w- c:\windows\system32\wuaueng.dll

 

[Southerndaisy]

.

((((((((((((((((((((((((((((( SnapShot@2009-11-04_17.05.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 17:41 . 2009-11-04 17:41 16384 c:\windows\temp\Perflib_Perfdata_50c.dat
+ 2009-01-22 08:00 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe
+ 2009-05-13 17:25 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll
+ 2006-03-04 03:33 . 2009-03-08 09:31 46592 c:\windows\system32\pngfilt.dll
- 2006-06-29 13:05 . 2006-06-29 13:05 23552 c:\windows\system32\normaliz.dll
+ 2006-06-29 13:05 . 2009-01-07 23:20 23552 c:\windows\system32\normaliz.dll
- 2006-06-28 22:59 . 2006-06-28 22:59 24576 c:\windows\system32\nlsdl.dll
+ 2006-06-28 22:59 . 2009-01-07 23:20 24576 c:\windows\system32\nlsdl.dll
+ 2004-08-04 10:00 . 2009-03-08 09:31 48128 c:\windows\system32\mshtmler.dll
- 2004-08-04 10:00 . 2007-08-13 23:01 48128 c:\windows\system32\mshtmler.dll
+ 2006-03-04 03:33 . 2009-03-08 09:31 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-04 10:00 . 2009-03-08 09:31 45568 c:\windows\system32\mshta.exe
- 2004-08-04 10:00 . 2007-08-13 23:32 45568 c:\windows\system32\mshta.exe
+ 2007-08-13 23:36 . 2009-03-08 09:31 13312 c:\windows\system32\msfeedssync.exe
+ 2007-08-13 23:54 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-04 10:00 . 2009-03-08 09:34 43008 c:\windows\system32\licmgr10.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
+ 2006-03-04 03:33 . 2009-03-08 09:32 94720 c:\windows\system32\inseng.dll
+ 2004-08-04 10:00 . 2009-03-08 09:31 34816 c:\windows\system32\imgutil.dll
+ 2007-08-13 23:39 . 2009-03-08 09:32 36864 c:\windows\system32\ieudinit.exe
+ 2004-08-04 10:00 . 2009-03-08 09:32 71680 c:\windows\system32\iesetup.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 55808 c:\windows\system32\iernonce.dll
- 2006-06-29 13:05 . 2006-06-29 13:05 26112 c:\windows\system32\idndl.dll
+ 2006-06-29 13:05 . 2009-01-07 23:20 26112 c:\windows\system32\idndl.dll
+ 2007-08-13 23:36 . 2009-03-08 09:31 59904 c:\windows\system32\icardie.dll
+ 2006-03-04 03:33 . 2009-03-08 09:31 46592 c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-04 10:00 . 2007-08-13 23:01 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2004-08-04 10:00 . 2009-03-08 09:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2006-03-04 03:33 . 2009-03-08 09:31 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-04 10:00 . 2007-08-13 23:32 45568 c:\windows\system32\dllcache\mshta.exe
+ 2004-08-04 10:00 . 2009-03-08 09:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-01-23 16:36 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-04 10:00 . 2009-03-08 09:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-03-04 03:33 . 2009-03-08 09:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2004-08-04 10:00 . 2009-03-08 09:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2009-01-23 16:36 . 2009-03-08 09:31 59904 c:\windows\system32\dllcache\icardie.dll
+ 2009-01-21 23:49 . 2009-03-08 09:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2009-06-29 16:12 . 2009-03-08 09:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2004-08-04 10:00 . 2009-03-08 09:33 18944 c:\windows\system32\corpol.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 72704 c:\windows\system32\admparse.dll
+ 2009-11-04 17:35 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB974455-IE8\xpshims.dll
+ 2009-11-04 17:35 . 2009-03-08 09:31 55296 c:\windows\ie8updates\KB974455-IE8\msfeedsbs.dll
+ 2009-11-04 17:35 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB974455-IE8\jsproxy.dll
+ 2009-11-04 17:34 . 2009-03-08 19:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 44544 c:\windows\ie8\pngfilt.dll
+ 2009-11-04 17:33 . 2007-08-13 23:01 48128 c:\windows\ie8\mshtmler.dll
+ 2009-11-04 17:33 . 2007-08-13 23:32 45568 c:\windows\ie8\mshta.exe
+ 2009-11-04 17:33 . 2007-08-13 23:36 12288 c:\windows\ie8\msfeedssync.exe
+ 2009-11-04 17:33 . 2009-08-29 07:36 52224 c:\windows\ie8\msfeedsbs.dll
+ 2009-11-04 17:33 . 2007-08-13 23:44 40960 c:\windows\ie8\licmgr10.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 27648 c:\windows\ie8\jsproxy.dll
+ 2009-11-04 17:33 . 2007-08-13 23:39 92672 c:\windows\ie8\inseng.dll
+ 2009-11-04 17:33 . 2007-08-13 23:36 36352 c:\windows\ie8\imgutil.dll
+ 2009-11-04 17:33 . 2007-08-13 23:39 55296 c:\windows\ie8\iesetup.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 44544 c:\windows\ie8\iernonce.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 78336 c:\windows\ie8\ieencode.dll
+ 2009-11-04 17:33 . 2009-08-28 10:28 70656 c:\windows\ie8\ie4uinit.exe
+ 2009-11-04 17:33 . 2009-08-29 07:36 63488 c:\windows\ie8\icardie.dll
+ 2009-11-04 17:33 . 2007-08-13 23:18 60416 c:\windows\ie8\hmmapi.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 17408 c:\windows\ie8\corpol.dll
+ 2009-11-04 17:33 . 2007-08-13 23:39 71680 c:\windows\ie8\admparse.dll
+ 2009-11-04 17:35 . 2009-03-08 09:35 2048 c:\windows\ie8updates\KB975364-IE8\iecompat.dll
- 2009-01-23 16:35 . 2008-04-14 00:12 121856 c:\windows\system32\xmllite.dll
+ 2009-01-23 16:35 . 2009-01-07 23:21 121856 c:\windows\system32\xmllite.dll
+ 2007-08-13 23:45 . 2009-03-08 09:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2004-08-04 10:00 . 2009-03-08 09:34 236544 c:\windows\system32\webcheck.dll
+ 2004-08-04 10:00 . 2009-03-08 09:33 420352 c:\windows\system32\vbscript.dll
- 2004-08-04 10:00 . 2009-08-29 07:36 105984 c:\windows\system32\url.dll
+ 2004-08-04 10:00 . 2009-03-08 09:34 105984 c:\windows\system32\url.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 206848 c:\windows\system32\occache.dll
+ 2006-03-04 03:33 . 2009-03-08 09:32 611840 c:\windows\system32\mstime.dll
+ 2006-03-04 03:33 . 2009-03-08 09:34 193536 c:\windows\system32\msrating.dll
+ 2004-08-04 10:00 . 2009-03-08 09:22 156160 c:\windows\system32\msls31.dll
- 2004-08-04 10:00 . 2007-08-13 23:54 156160 c:\windows\system32\msls31.dll
+ 2007-08-13 23:54 . 2009-08-29 08:08 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 265720 c:\windows\system32\msdbg2.dll
+ 2004-08-04 10:00 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2007-08-13 23:54 . 2009-03-08 09:22 164352 c:\windows\system32\ieui.dll
+ 2006-03-04 03:33 . 2009-08-29 08:08 184320 c:\windows\system32\iepeers.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 387584 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 17:27 . 2009-03-08 09:11 445952 c:\windows\system32\ieapfltr.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 163840 c:\windows\system32\ieakui.dll
+ 2004-08-04 10:00 . 2009-03-08 09:33 229376 c:\windows\system32\ieaksie.dll
+ 2004-08-04 10:00 . 2009-03-08 09:33 125952 c:\windows\system32\ieakeng.dll
+ 2004-08-04 10:00 . 2009-08-28 10:35 173056 c:\windows\system32\ie4uinit.exe
+ 2006-03-04 03:33 . 2009-03-08 09:31 216064 c:\windows\system32\dxtrans.dll
+ 2004-08-04 10:00 . 2009-03-08 09:31 348160 c:\windows\system32\dxtmsft.dll
+ 2006-03-04 03:33 . 2009-08-29 08:08 916480 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 10:00 . 2009-03-08 09:34 236544 c:\windows\system32\dllcache\webcheck.dll

 

[Southerndaisy]

+ 2009-01-21 23:50 . 2009-03-08 09:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2008-05-09 10:53 . 2009-03-08 09:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2004-08-04 10:00 . 2009-03-08 09:34 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-04 10:00 . 2009-08-29 07:36 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-03-04 03:33 . 2009-03-08 09:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2006-03-04 03:33 . 2009-03-08 09:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 10:00 . 2009-03-08 09:22 156160 c:\windows\system32\dllcache\msls31.dll
- 2004-08-04 10:00 . 2007-08-13 23:54 156160 c:\windows\system32\dllcache\msls31.dll
+ 2009-01-23 16:36 . 2009-08-29 08:08 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-05-09 10:53 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-01-21 23:49 . 2009-03-08 19:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2006-03-04 03:33 . 2009-08-29 08:08 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 10:00 . 2009-08-29 08:08 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-01-23 16:36 . 2009-03-08 09:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 10:00 . 2009-03-08 09:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 10:00 . 2009-03-08 09:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 10:00 . 2009-08-28 10:35 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-03-04 03:33 . 2009-03-08 09:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 10:00 . 2009-03-08 09:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 10:00 . 2009-03-08 09:32 128512 c:\windows\system32\advpack.dll
+ 2009-11-04 17:35 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB975364-IE8\spuninst\updspapi.dll
+ 2009-11-04 17:35 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB975364-IE8\spuninst\spuninst.exe
+ 2009-11-04 17:35 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB974455-IE8\wininet.dll
+ 2009-11-04 17:35 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB974455-IE8\spuninst\updspapi.dll
+ 2009-11-04 17:35 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB974455-IE8\spuninst\spuninst.exe
+ 2009-11-04 17:35 . 2009-03-08 09:34 109568 c:\windows\ie8updates\KB974455-IE8\occache.dll
+ 2009-11-04 17:35 . 2009-03-08 09:32 594432 c:\windows\ie8updates\KB974455-IE8\msfeeds.dll
+ 2009-11-04 17:35 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB974455-IE8\ieproxy.dll
+ 2009-11-04 17:35 . 2009-03-08 09:31 183808 c:\windows\ie8updates\KB974455-IE8\iepeers.dll
+ 2009-11-04 17:35 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB974455-IE8\iedkcs32.dll
+ 2009-11-04 17:35 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB974455-IE8\ie4uinit.exe
+ 2009-11-04 17:33 . 2009-08-29 07:36 832512 c:\windows\ie8\wininet.dll
+ 2009-11-04 17:33 . 2007-08-13 23:45 206336 c:\windows\ie8\winfxdocobj.exe
+ 2009-11-04 17:33 . 2009-08-29 07:36 233472 c:\windows\ie8\webcheck.dll
+ 2009-11-04 17:33 . 2008-05-27 17:23 765952 c:\windows\ie8\vgx.dll
+ 2009-11-04 17:33 . 2008-05-09 10:53 430080 c:\windows\ie8\vbscript.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 105984 c:\windows\ie8\url.dll
+ 2009-11-04 17:34 . 2009-01-07 23:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2009-11-04 17:34 . 2009-01-07 23:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2009-11-04 17:33 . 2006-09-06 22:43 213216 c:\windows\ie8\spuninst.exe
+ 2009-11-04 17:33 . 2009-08-29 07:36 102912 c:\windows\ie8\occache.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 671232 c:\windows\ie8\mstime.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 193024 c:\windows\ie8\msrating.dll
+ 2009-11-04 17:33 . 2007-08-13 23:54 156160 c:\windows\ie8\msls31.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 477696 c:\windows\ie8\mshtmled.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 459264 c:\windows\ie8\msfeeds.dll
+ 2009-11-04 17:33 . 2009-08-13 15:16 512000 c:\windows\ie8\jscript.dll
+ 2009-11-04 17:33 . 2009-08-27 05:18 634648 c:\windows\ie8\iexplore.exe
+ 2009-11-04 17:33 . 2007-08-13 23:54 180736 c:\windows\ie8\ieui.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 268288 c:\windows\ie8\iertutil.dll
+ 2009-11-04 17:33 . 2007-08-13 23:54 287744 c:\windows\ie8\ieproxy.dll
+ 2009-11-04 17:33 . 2007-08-13 23:54 191488 c:\windows\ie8\iepeers.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 385024 c:\windows\ie8\iedkcs32.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 380928 c:\windows\ie8\ieapfltr.dll
+ 2009-11-04 17:33 . 2009-08-27 05:18 161792 c:\windows\ie8\ieakui.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 230400 c:\windows\ie8\ieaksie.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 153088 c:\windows\ie8\ieakeng.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 214528 c:\windows\ie8\dxtrans.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 347136 c:\windows\ie8\dxtmsft.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 124928 c:\windows\ie8\advpack.dll
+ 2009-11-04 17:35 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB976749-IE7\spuninst\updspapi.dll
+ 2009-11-04 17:35 . 2009-05-26 11:40 231288 c:\windows\ie7updates\KB976749-IE7\spuninst\spuninst.exe
+ 2006-03-18 11:09 . 2009-08-29 08:08 1208832 c:\windows\system32\urlmon.dll
+ 2006-03-23 17:32 . 2009-08-29 08:08 5940224 c:\windows\system32\mshtml.dll
+ 2007-08-13 23:34 . 2009-08-29 08:08 1985536 c:\windows\system32\iertutil.dll
+ 2007-02-12 21:10 . 2009-02-07 02:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2006-03-18 11:09 . 2009-08-29 08:08 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
+ 2006-03-23 17:32 . 2009-08-29 08:08 5940224 c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-23 16:36 . 2009-08-29 08:08 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-01-23 16:36 . 2009-02-07 02:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-01-07 23:20 . 2009-01-07 23:20 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2009-11-04 17:35 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB974455-IE8\urlmon.dll
+ 2009-11-04 17:35 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB974455-IE8\mshtml.dll
+ 2009-11-04 17:35 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB974455-IE8\iertutil.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 1168384 c:\windows\ie8\urlmon.dll

 

[Southerndaisy]

+ 2009-11-04 17:33 . 2009-08-29 07:36 3598336 c:\windows\ie8\mshtml.dll
+ 2009-11-04 17:33 . 2009-08-29 07:36 6067200 c:\windows\ie8\ieframe.dll
+ 2009-11-04 17:33 . 2009-06-29 08:33 2452872 c:\windows\ie8\ieapfltr.dat
+ 2007-08-13 23:54 . 2009-08-29 08:08 11069440 c:\windows\system32\ieframe.dll
+ 2009-01-23 16:36 . 2009-08-29 08:08 11069440 c:\windows\system32\dllcache\ieframe.dll
+ 2009-11-04 17:35 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB974455-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-02 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-05-15 95536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-10-20 25214]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Best\\90cs\\MAS90\\HOME\\PVXWIN32.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1224:UDP"= 1224:UDP:Windows Media Format SDK (iexplore.exe)
"1225:UDP"= 1225:UDP:Windows Media Format SDK (iexplore.exe)
"1226:UDP"= 1226:UDP:Windows Media Format SDK (iexplore.exe)
"1358:UDP"= 1358:UDP:Windows Media Format SDK (iexplore.exe)
"1359:UDP"= 1359:UDP:Windows Media Format SDK (iexplore.exe)
"1360:UDP"= 1360:UDP:Windows Media Format SDK (iexplore.exe)
"2152:UDP"= 2152:UDP:Windows Media Format SDK (iexplore.exe)
"2155:UDP"= 2155:UDP:Windows Media Format SDK (iexplore.exe)
"2154:UDP"= 2154:UDP:Windows Media Format SDK (iexplore.exe)
"1204:UDP"= 1204:UDP:Windows Media Format SDK (iexplore.exe)
"1205:UDP"= 1205:UDP:Windows Media Format SDK (iexplore.exe)
"1206:UDP"= 1206:UDP:Windows Media Format SDK (iexplore.exe)
"1256:UDP"= 1256:UDP:Windows Media Format SDK (iexplore.exe)
"1257:UDP"= 1257:UDP:Windows Media Format SDK (iexplore.exe)
"1258:UDP"= 1258:UDP:Windows Media Format SDK (iexplore.exe)
"1621:UDP"= 1621:UDP:Windows Media Format SDK (iexplore.exe)
"1624:UDP"= 1624:UDP:Windows Media Format SDK (iexplore.exe)
"1625:UDP"= 1625:UDP:Windows Media Format SDK (iexplore.exe)
"1361:UDP"= 1361:UDP:Windows Media Format SDK (iexplore.exe)
"1362:UDP"= 1362:UDP:Windows Media Format SDK (iexplore.exe)
"1340:UDP"= 1340:UDP:Windows Media Format SDK (iexplore.exe)
"1341:UDP"= 1341:UDP:Windows Media Format SDK (iexplore.exe)
"1342:UDP"= 1342:UDP:Windows Media Format SDK (iexplore.exe)

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [9/15/2009 9:20 AM 188736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-14 c:\windows\Tasks\Norton Security Scan for Johnlin.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-22 23:58]

2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{17BD2D1D-81CB-43B0-8EA7-AEF1A5EF0512}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=GRxdm016YYUS
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 12:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-04 12:56
ComboFix-quarantined-files.txt 2009-11-04 17:56

Pre-Run: 38,088,503,296 bytes free
Post-Run: 38,061,613,056 bytes free

 

[Southerndaisy]

Dds.txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by johnlin at 12:42:55.12 on Wed 11/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.697 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\johnlin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/gamelanding/inklink.jsp"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [CTSVolFE] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enumn /alertsn /systrayIconn
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=GRxdm016YYUS
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-9-15 188736]

=============== Created Last 30 ================

2009-11-04 17:37:17 0 d-sh--w- c:\documents and settings\johnlin\IECompatCache
2009-11-04 17:36:38 0 d-sh--w- c:\documents and settings\johnlin\PrivacIE
2009-11-04 17:36:08 0 d-sh--w- c:\documents and settings\johnlin\IETldCache
2009-11-04 17:35:13 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-04 17:35:02 0 d-----w- c:\windows\ie8updates
2009-11-04 17:34:39 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-04 17:34:39 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-04 17:33:05 0 dc-h--w- c:\windows\ie8
2009-11-04 16:56:18 0 d-sha-r- C:\cmdcons
2009-11-04 16:53:29 98816 ----a-w- c:\windows\sed.exe
2009-11-04 16:53:29 77312 ----a-w- c:\windows\MBR.exe
2009-11-04 16:53:29 236544 ----a-w- c:\windows\PEV.exe
2009-11-04 16:53:29 161792 ----a-w- c:\windows\SWREG.exe
2009-11-04 16:53:07 0 d-----w- C:\ComboFix
2009-11-03 14:45:05 21504 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-20 14:43:55 0 d-----w- c:\program files\common files\Adobe Systems Shared
2009-10-09 17:02:28 0 d-----w- c:\program files\VS Revo Group

==================== Find3M ====================

2009-09-15 14:17:16 61760 ----a-w- c:\windows\system32\ASTSRV.EXE
2009-09-15 14:16:02 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2009-09-15 14:15:16 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-01-30 16:03:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011920090126\index.dat
2009-01-30 16:03:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009013020090131\index.dat

============= FINISH: 12:43:02.12 ===============

 

[Southerndaisy]

VirSCAN.org report

VirSCAN.org Scanned Report :
Scanned time : 2009/11/04 12:51:57 (EST)
Scanner results: 24% Scanner(s) (9/37) found malware!
File Name : tdlwsp.dll
File Size : 21504 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : ba3a1b6df27eef43429e097dfa1b5265
SHA1 : 14525927c99925a28f6b41a1d33189d590f6760d
Online report : http://virscan.org/report/8f9bddd4b95276d98bc4adb0a134fad9.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091105020144 2009-11-05 0.09 -
AhnLab V3 2009.11.05.00 2009.11.05 2009-11-05 0.08 -
AntiVir 8.2.1.53 7.1.6.189 2009-11-04 0.42 TR/Dropper.Gen
Antiy 2.0.18 20091104.3209957 2009-11-04 0.12 -
Arcavir 2009 200911041238 2009-11-04 0.05 -
Authentium 5.1.1 200911041337 2009-11-04 1.20 -
AVAST! 4.7.4 091104-0 2009-11-04 0.00 Win32:Alureon-DR [Rtk]
AVG 8.5.288 270.14.49/2480 2009-11-04 0.30 Agent_r.OT
BitDefender 7.81008.4481187 7.28740 2009-11-05 3.90 Gen:Trojan.Heur.TDSS.bu4@kex4ytgi
CA (VET) 35.1.0 7101 2009-11-03 0.08 -
ClamAV 0.95.2 9986 2009-11-04 0.01 -
Comodo 3.12 2838 2009-11-04 0.08 -
CP Secure 1.3.0.5 2009.11.04 2009-11-04 0.04 -
Dr.Web 4.44.0.9170 2009.11.04 2009-11-04 6.38 BackDoor.Tdss.based.1
F-Prot 4.4.4.56 20091104 2009-11-04 1.18 -
F-Secure 7.02.73807 2009.11.04.12 2009-11-04 2.82 Packed.Win32.TDSS.z [AVP]
Fortinet 2.81-3.120 11.21 2009-11-04 0.08 -
GData 19.8722/19.535 20091104 2009-11-04 0.08 -
ViRobot 20091104 2009.11.04 2009-11-04 0.08 -
Ikarus T3.1.01.74 2009.11.04.74453 2009-11-04 3.96 Packed.Win32.Tdss
JiangMin 11.0.800 2009.11.03 2009-11-03 0.09 -
Kaspersky 5.5.10 2009.11.04 2009-11-04 0.07 Packed.Win32.TDSS.z
KingSoft 2009.2.5.15 2009.11.4.20 2009-11-04 0.08 -
McAfee 5.3.00 5792 2009-11-04 3.43 -
Microsoft 1.5202 2009.11.04 2009-11-04 0.08 -
Norman 6.01.09 6.01.00 2009-11-04 2.00 -
Panda 9.05.01 2009.11.03 2009-11-03 0.08 -
Trend Micro 8.700-1004 6.604.01 2009-11-04 0.03 -
Quick Heal 10.00 2009.11.04 2009-11-04 0.08 -
Rising 20.0 21.54.24.00 2009-11-04 0.08 -
Sophos 3.00.1 4.46 2009-11-05 3.04 Mal/Generic-A
Sunbelt 5486 5486 2009-11-03 0.08 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091104.02 6101314 2009-11-04 0.08 -
The Hacker 6.5.0.2 v00060 2009-11-03 0.08 -
VBA32 3.12.10.11 20091103.1333 2009-11-03 2.25 -
VirusBuster 4.5.11.10 10.113.7/2002497 2009-11-04 2.40 -

 

[kritius]

Have you got the results of the file scan? Do you also have the attach.txt?

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

 

[Southerndaisy]

I do have the scan results but the site here keeps saying it will not be viewable until someones looked at it. Here it is in a notebook

 

[Southerndaisy]

MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 3100
Windows 5.1.2600 Service Pack 3

11/4/2009 1:58:13 PM
mbam-log-2009-11-04 (13-58-13).txt

Scan type: Quick Scan
Objects scanned: 131104
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[kritius]

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

 

[Southerndaisy]

Gmer log

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 09:51:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\johnlin\LOCALS~1\Temp\kwaiiaod.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

 

[kritius]

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

• Once the update is complete, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • [*]Spyware, adware, dialers, and other riskware
    [*]Archives
    [*]E-mail databases
• Click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View report... at the bottom.
• Click the Save report... button.
• Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

 

[Southerndaisy]

Kas Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, November 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, November 05, 2009 06:21:37
Records in database: 3134773
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
Y:\
Z:\

Scan statistics:
Objects scanned: 59384
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:05:51


File name / Threat / Threats count
C:\Documents and Settings\johnlin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Backdoor.Win32.Bredolab.dy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\WINDOWS\system32\tdlwsp.dll Infected: Packed.Win32.TDSS.z 1

Selected area has been scanned.

 

[kritius]

C:\Documents and Settings\johnlin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst

This is infected, you should delete it however you may lose some backed up e mails.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::
C:\WINDOWS\system32\tdlwsp.dll

Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

[Southerndaisy]

Sorry for the wait

My email at work has been down so I could email you back. I did as you asked only when I tryed to save the CFScript.txt into the COmbo fix are a screen popped up then disappeared and now I can't find the ComboFix anywhere. I tried to download it again but it says the explorer can't do it and a running time error has occurred. Please help.

 

[kritius]

Re download it and run it again.

 

[Southerndaisy]

ComboFix 09-11-18.01 - johnlin 11/17/2009 13:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.512 [GMT -5:00]
Running from: c:\documents and settings\johnlin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\johnlin\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\tdlwsp.dll

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-12 14:40 . 2009-11-12 14:40 -------- d-----w- c:\documents and settings\johnlin\Local Settings\Application Data\Yahoo
2009-11-12 14:39 . 2009-11-12 14:39 262144 ----a-w- C:\ntuser.dat
2009-11-12 14:38 . 2009-11-12 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-12 14:38 . 2009-11-12 14:39 -------- d-----w- c:\documents and settings\johnlin\Application Data\Yahoo!
2009-11-12 14:36 . 2009-11-12 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-12 14:36 . 2009-05-27 00:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-11-12 14:36 . 2009-11-12 14:39 -------- d-----w- c:\program files\Yahoo!
2009-11-11 18:39 . 2009-11-11 18:39 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-11-05 16:17 . 2009-11-05 16:17 -------- d-----w- c:\windows\Sun
2009-11-05 16:16 . 2009-11-05 16:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-05 16:16 . 2009-11-05 16:16 -------- d-----w- c:\program files\Java
2009-11-05 16:16 . 2009-11-05 16:16 152576 ----a-w- c:\documents and settings\johnlin\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 18:52 . 2009-11-04 18:52 -------- d-----w- c:\documents and settings\johnlin\Application Data\Malwarebytes
2009-11-04 18:52 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 18:52 . 2009-11-04 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 18:52 . 2009-11-04 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 18:52 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 17:37 . 2009-11-04 17:37 -------- d-sh--w- c:\documents and settings\johnlin\IECompatCache
2009-11-04 17:36 . 2009-11-04 17:36 -------- d-sh--w- c:\documents and settings\johnlin\PrivacIE
2009-11-04 17:36 . 2009-11-04 17:36 -------- d-sh--w- c:\documents and settings\johnlin\IETldCache
2009-11-04 17:35 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-04 17:35 . 2009-11-04 17:35 -------- d-----w- c:\windows\ie8updates
2009-11-04 17:34 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-04 17:34 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-04 17:33 . 2009-11-04 17:34 -------- dc-h--w- c:\windows\ie8
2009-11-04 17:08 . 2009-11-04 17:08 -------- d-----w- c:\documents and settings\johnlin\Local Settings\Application Data\Identities
2009-10-30 15:51 . 2009-10-30 15:52 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-29 16:54 . 2009-10-29 17:10 1407680 ----a-w- c:\documents and settings\johnlin\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-20 14:45 . 2009-10-20 14:45 -------- d-----w- c:\documents and settings\johnlin\Application Data\AdobeUM
2009-10-20 14:44 . 2009-10-20 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-10-20 14:43 . 2009-10-20 14:43 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 18:54 . 2009-09-18 17:45 -------- d-----w- c:\documents and settings\johnlin\Application Data\Nitro PDF
2009-11-11 18:41 . 2009-01-22 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-02 14:06 . 2009-02-03 22:22 56784 ----a-w- c:\documents and settings\johnlin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-30 17:53 . 2009-01-22 00:39 -------- d-----w- c:\program files\Microsoft Works
2009-10-29 17:10 . 2009-09-10 16:41 126970 ----a-w- c:\documents and settings\johnlin\Application Data\Move Networks\uninstall.exe
2009-10-29 17:10 . 2009-05-11 17:52 -------- d-----w- c:\documents and settings\johnlin\Application Data\Move Networks
2009-10-29 17:10 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\johnlin\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-21 15:22 . 2009-01-22 16:11 -------- d-----w- c:\documents and settings\lewis.OCEANWAVES\Application Data\uTorrent
2009-10-21 15:22 . 2009-01-22 16:01 -------- d-----w- c:\documents and settings\kellyc.OCEANWAVES\Application Data\uTorrent
2009-10-20 14:43 . 2009-02-16 16:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-14 22:01 . 2009-06-16 18:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-09 17:02 . 2009-10-09 17:02 -------- d-----w- c:\program files\VS Revo Group
2009-09-21 18:09 . 2009-09-21 18:09 -------- d-----w- c:\program files\MSBuild
2009-09-21 18:09 . 2009-09-21 18:09 -------- d-----w- c:\program files\Reference Assemblies
2009-09-15 14:17 . 2009-09-15 14:17 61760 ----a-w- c:\windows\system32\ASTSRV.EXE
2009-09-15 14:16 . 2009-09-18 17:44 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2009-09-15 14:15 . 2009-09-18 17:44 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:41 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\johnlin\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-10 16:40 . 2009-09-10 16:40 1686272 ----a-w- c:\documents and settings\johnlin\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-11-04_17.55.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 05:46 . 2006-12-02 05:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2009-11-16 14:10 . 2009-11-16 14:10 16384 c:\windows\temp\Perflib_Perfdata_81c.dat
+ 2009-11-17 18:53 . 2009-11-17 18:53 16384 c:\windows\temp\Perflib_Perfdata_688.dat
+ 2009-11-17 18:54 . 2009-11-17 18:54 16384 c:\windows\temp\Perflib_Perfdata_674.dat
+ 2009-01-22 00:39 . 2009-11-11 18:41 35088 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-01-22 00:39 . 2009-10-30 17:54 35088 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-22 00:39 . 2009-11-11 18:41 18704 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-01-22 00:39 . 2009-10-30 17:54 18704 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-22 00:39 . 2009-11-11 18:41 20240 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-22 00:39 . 2009-10-30 17:54 20240 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\cagicon.exe
- 2004-08-04 10:00 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-04 10:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2009-11-05 16:16 . 2009-11-05 16:16 149280 c:\windows\system32\javaws.exe
+ 2009-11-05 16:16 . 2009-11-05 16:16 145184 c:\windows\system32\javaw.exe
+ 2009-11-05 16:16 . 2009-11-05 16:16 145184 c:\windows\system32\java.exe
- 2009-01-21 15:41 . 2009-11-02 14:04 243920 c:\windows\system32\FNTCACHE.DAT
+ 2009-01-21 15:41 . 2009-11-11 18:50 243920 c:\windows\system32\FNTCACHE.DAT
- 2008-05-09 10:53 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-11-12 18:24 . 2009-11-13 18:55 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-11-12 14:36 . 2009-11-12 14:36 331264 c:\windows\Installer\9ce58.msi

 

[Southerndaisy]

+ 2009-11-05 16:16 . 2009-11-05 16:16 537600 c:\windows\Installer\726c21.msi
+ 2009-01-22 00:39 . 2009-11-11 18:41 888080 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-01-22 00:39 . 2009-10-30 17:54 888080 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-22 00:39 . 2009-11-11 18:41 845584 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-22 00:39 . 2009-10-30 17:54 845584 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-22 00:39 . 2009-11-11 18:41 217864 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\misc.exe
- 2009-01-22 00:39 . 2009-10-30 17:54 217864 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\misc.exe
+ 2009-11-05 19:03 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-05 19:03 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2009-11-05 19:03 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-11-05 19:03 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-11-05 19:03 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2004-08-04 10:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2006-03-23 17:32 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2009-01-22 08:07 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2006-03-23 17:32 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-10-16 12:03 . 2009-10-16 12:03 5003776 c:\windows\Installer\fb3fc2.msp
+ 2009-08-18 17:58 . 2009-08-18 17:58 8301056 c:\windows\Installer\fb3fb2.msp
+ 2009-08-18 17:57 . 2009-08-18 17:57 9122304 c:\windows\Installer\fb3fa2.msp
- 2009-01-22 00:39 . 2009-10-30 17:54 1172240 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-22 00:39 . 2009-11-11 18:41 1172240 c:\windows\Installer\{91120000-0013-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-11-05 19:03 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2009-01-23 16:15 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-02 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-05-15 95536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-10-20 25214]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Best\\90cs\\MAS90\\HOME\\PVXWIN32.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1224:UDP"= 1224:UDP:Windows Media Format SDK (iexplore.exe)
"1225:UDP"= 1225:UDP:Windows Media Format SDK (iexplore.exe)
"1226:UDP"= 1226:UDP:Windows Media Format SDK (iexplore.exe)
"1358:UDP"= 1358:UDP:Windows Media Format SDK (iexplore.exe)
"1359:UDP"= 1359:UDP:Windows Media Format SDK (iexplore.exe)
"1360:UDP"= 1360:UDP:Windows Media Format SDK (iexplore.exe)
"2152:UDP"= 2152:UDP:Windows Media Format SDK (iexplore.exe)
"2155:UDP"= 2155:UDP:Windows Media Format SDK (iexplore.exe)
"2154:UDP"= 2154:UDP:Windows Media Format SDK (iexplore.exe)
"1204:UDP"= 1204:UDP:Windows Media Format SDK (iexplore.exe)
"1205:UDP"= 1205:UDP:Windows Media Format SDK (iexplore.exe)
"1206:UDP"= 1206:UDP:Windows Media Format SDK (iexplore.exe)
"1256:UDP"= 1256:UDP:Windows Media Format SDK (iexplore.exe)
"1257:UDP"= 1257:UDP:Windows Media Format SDK (iexplore.exe)
"1258:UDP"= 1258:UDP:Windows Media Format SDK (iexplore.exe)
"1621:UDP"= 1621:UDP:Windows Media Format SDK (iexplore.exe)
"1624:UDP"= 1624:UDP:Windows Media Format SDK (iexplore.exe)
"1625:UDP"= 1625:UDP:Windows Media Format SDK (iexplore.exe)
"1361:UDP"= 1361:UDP:Windows Media Format SDK (iexplore.exe)
"1362:UDP"= 1362:UDP:Windows Media Format SDK (iexplore.exe)
"1340:UDP"= 1340:UDP:Windows Media Format SDK (iexplore.exe)
"1341:UDP"= 1341:UDP:Windows Media Format SDK (iexplore.exe)
"1342:UDP"= 1342:UDP:Windows Media Format SDK (iexplore.exe)

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [9/15/2009 9:20 AM 188736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-14 c:\windows\Tasks\Norton Security Scan for Johnlin.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-22 23:58]

2009-11-17 c:\windows\Tasks\User_Feed_Synchronization-{17BD2D1D-81CB-43B0-8EA7-AEF1A5EF0512}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Search
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 13:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll

 

[Southerndaisy]

c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ASTSRV.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-11-17 13:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-17 18:58
ComboFix2.txt 2009-11-04 17:56

Pre-Run: 37,224,566,784 bytes free
Post-Run: 38,000,295,936 bytes free

- - End Of File - - A6CF9BAC7902629C5B26DC841711AD2E

 

[Southerndaisy]

Leaving work now, I'll check back tomorrow. Thanks for all the help so far.