Solved Getting Redirected from Google Search Links


chiby

I've been getting redirected from Google search links. I've run Malwarebytes and Microsoft Security Essentials a few times already. Please help me fix this. Attached is the HijackThis logfile.
 

Attachments: hijackthis.log
I'd greatly appreciate it if anyone could help me out here. Thank you!
I scanned twice with Malwarebytes, so here are two logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4251

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

6/28/2010 8:32:25 PM
mbam-log-2010-06-28 (20-32-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 63078
Time elapsed: 2 hour(s), 12 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\$RECYCLE.BIN\S-1-5-21-3500304205-112821965-2698384200-1000\$RCRFXV0.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Users\Lillian\AppData\Local\Temp\Nrf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Lillian\AppData\Roaming\c56c654e.exe (Trojan.Agent) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4251

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

6/28/2010 11:38:08 PM
mbam-log-2010-06-28 (23-38-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 253878
Time elapsed: 2 hour(s), 24 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-29 17:51:07
Windows 6.0.6002 Service Pack 2
Running: zr6tboft.exe; Driver: C:\Users\Lillian\AppData\Local\Temp\pwddafoc.sys


---- System - GMER 1.0.15 ----

SSDT 8696DB40 ZwAlertResumeThread
SSDT 8696DC20 ZwAlertThread
SSDT 8697D2F8 ZwAllocateVirtualMemory
SSDT 86906078 ZwAlpcConnectPort
SSDT 8697C0C8 ZwCreateMutant
SSDT 8697D3E8 ZwCreateThread
SSDT 8697D9D0 ZwDebugActiveProcess
SSDT 8696B510 ZwFreeVirtualMemory
SSDT 8697C1B8 ZwImpersonateAnonymousToken
SSDT 8697C298 ZwImpersonateThread
SSDT 8696B410 ZwMapViewOfSection
SSDT 8697DB90 ZwOpenEvent
SSDT 868CB830 ZwOpenProcessToken
SSDT 8697E008 ZwOpenThreadToken
SSDT 8697F840 ZwResumeThread
SSDT 8697E220 ZwSetContextThread
SSDT 868C9718 ZwSetInformationProcess
SSDT 8697E150 ZwSetInformationThread
SSDT 8697DAB0 ZwSuspendProcess
SSDT 8696DD68 ZwSuspendThread
SSDT 8696D290 ZwTerminateProcess
SSDT 8697E070 ZwTerminateThread
SSDT 868C9808 ZwUnmapViewOfSection
SSDT 8696B600 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81EF1880 8 Bytes [40, DB, 96, 86, 20, DC, 96, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81EF1894 4 Bytes [F8, D2, 97, 86]
.text ntkrnlpa.exe!KeSetEvent + 13D 81EF18A0 4 Bytes [78, 60, 90, 86]
.text ntkrnlpa.exe!KeSetEvent + 1F5 81EF1958 4 Bytes [C8, C0, 97, 86] {ENTER 0x97c0, 0x86}
.text ntkrnlpa.exe!KeSetEvent + 221 81EF1984 4 Bytes CALL FD75B15C
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87B4E480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x87B8F900, 0x3CA, 0x48000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] ntdll.dll!NtQueryInformationProcess 76F84E54 5 Bytes JMP 00FB0DED
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!closesocket 756C330C 5 Bytes JMP 00F9C549
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!recv 756C343A 5 Bytes JMP 00F9C300
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!GetAddrInfoW 756C3D12 5 Bytes JMP 00F9B90E
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!getaddrinfo 756C418A 5 Bytes JMP 00F9B833
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!WSASend 756C4496 5 Bytes JMP 00F9C3A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!send 756C659B 5 Bytes JMP 00F9C25D
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!WSARecv 756C8400 5 Bytes JMP 00F9C465
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!WSAAsyncGetHostByName 756D5FB9 5 Bytes JMP 00F9BBA6
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] WS2_32.dll!gethostbyname 756D62D4 5 Bytes JMP 00F9B779
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextExW 76C791CE 5 Bytes JMP 00F9CB0A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextW 76C797D3 5 Bytes JMP 00F9C94C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextA 76C8558D 5 Bytes JMP 00F9C873
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DrawTextExA 76C855C4 5 Bytes JMP 00F9CA25
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!DialogBoxParamW 76C910B0 5 Bytes JMP 00F9BC7E
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] USER32.dll!SetClipboardData 76CA6410 5 Bytes JMP 00F9C5D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!ExtTextOutW 7567872B 5 Bytes JMP 00F9CCD1
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!GetGlyphIndicesW 7567B765 5 Bytes JMP 00F9D143
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!ExtTextOutA 756800A5 5 Bytes JMP 00F9CBEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!TextOutA 75680BAB 5 Bytes JMP 00F9C6DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!TextOutW 75680D6D 5 Bytes JMP 00F9C7A9
.text C:\Program Files\Mozilla Firefox\firefox.exe[5696] GDI32.dll!GetGlyphIndicesA 75699DC0 5 Bytes JMP 00F9D07C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
 

Attachments: Attach.txt, DDS.txt
Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with ComboFix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thank you once again. Here's the log from ComboFix.


ComboFix 10-06-30.02 - Lillian 06/30/2010 21:29:30.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1224 [GMT -4:00]
Running from: c:\users\Lillian\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 01:40 . 2010-07-01 01:41 -------- d-----w- c:\users\Lillian\AppData\Local\temp
2010-07-01 01:40 . 2010-07-01 01:40 -------- d-----w- c:\users\s\AppData\Local\temp
2010-07-01 01:40 . 2010-07-01 01:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-07-01 01:40 . 2010-07-01 01:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-29 16:02 . 2010-06-29 16:02 -------- d-----w- c:\program files\Trend Micro
2010-06-28 04:00 . 2010-06-28 04:00 -------- d-----w- C:\7d5341a17ef6849de81c9abb1dd5
2010-06-27 07:00 . 2010-06-27 07:00 -------- d-----w- C:\55b67a2855b21e3ee9b56f709adc
2010-06-27 03:12 . 2010-06-27 03:12 52224 --sha-r- c:\users\Lillian\AppData\Roaming\msxml3J.dll
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-26 22:57 . 2010-06-26 22:57 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-26 22:57 . 2010-06-26 22:57 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-26 22:57 . 2010-06-26 22:57 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-26 22:57 . 2010-06-26 22:57 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-26 22:57 . 2010-06-26 22:57 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-26 22:54 . 2010-06-26 22:54 -------- d-----w- c:\program files\Common Files\xing shared
2010-06-26 22:51 . 2010-06-26 22:51 348160 ----a-w- c:\windows\system32\pnup0.dll
2010-06-23 21:39 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 21:39 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 21:39 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 21:39 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 21:39 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 16:10 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 16:10 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-18 01:37 . 2010-06-18 01:37 -------- d-----w- c:\programdata\AIM
2010-06-18 01:36 . 2010-06-18 01:37 -------- d-----w- c:\program files\AIM
2010-06-18 01:36 . 2010-06-18 01:36 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-14 05:28 . 2010-06-14 05:28 -------- d-----w- c:\programdata\Adobe Systems
2010-06-14 05:12 . 2010-06-14 05:12 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-06-10 21:38 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-10 21:34 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 21:34 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-10 21:34 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-10 15:57 . 2010-06-10 15:57 -------- d-----w- c:\users\Lillian\New Folder
2010-06-04 04:23 . 2010-06-04 04:23 -------- d-----w- c:\windows\system32\Adobe
2010-06-03 23:41 . 2010-06-03 23:41 50354 ----a-w- c:\users\Lillian\AppData\Roaming\Facebook\uninstall.exe
2010-06-03 23:41 . 2010-06-03 23:41 -------- d-----w- c:\users\Lillian\AppData\Roaming\Facebook

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 01:16 . 2009-09-12 12:20 -------- d-----w- c:\programdata\Viewpoint
2010-06-30 01:46 . 2010-02-10 22:24 -------- d-----w- c:\users\Lillian\AppData\Roaming\vlc
2010-06-28 22:53 . 2010-02-14 04:23 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-28 22:50 . 2009-08-28 16:15 -------- d-----w- c:\program files\Microsoft.NET
2010-06-28 01:21 . 2010-02-13 04:07 -------- d-----w- c:\program files\Spyware Doctor
2010-06-27 19:42 . 2010-04-19 00:01 -------- d-----w- c:\programdata\PC Tools
2010-06-26 22:56 . 2009-09-14 03:20 -------- d-----w- c:\program files\Common Files\Real
2010-06-26 22:55 . 2009-09-14 03:20 -------- d-----w- c:\program files\Real
2010-06-26 06:06 . 2010-02-14 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-26 05:50 . 2009-12-04 00:50 1 ----a-w- c:\users\Lillian\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-24 02:21 . 2010-03-07 02:34 439816 ----a-w- c:\users\Lillian\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-06-14 21:41 . 2009-09-11 21:13 121392 ----a-w- c:\users\Lillian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-14 05:13 . 2010-04-22 22:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-12 11:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-12 03:06 . 2009-08-28 16:14 -------- d-----w- c:\programdata\Microsoft Help
2010-06-06 15:27 . 2009-09-12 06:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 17:37 . 2009-10-03 12:27 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-31 17:38 . 2010-01-15 00:30 -------- d-----w- c:\users\Lillian\AppData\Roaming\Corel
2010-05-31 17:02 . 2010-05-31 17:02 -------- d-----w- c:\users\Lillian\AppData\Roaming\PC-FAX TX
2010-05-29 18:55 . 2010-05-29 18:55 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2010-05-29 18:54 . 2010-05-29 18:54 -------- d-----w- c:\users\Guest\AppData\Roaming\Symantec
2010-05-29 18:54 . 2010-05-29 18:54 121392 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-29 02:17 . 2010-04-01 14:59 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-05-19 03:49 . 2010-02-14 04:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-09 02:43 . 2010-05-09 02:43 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-05-09 02:34 . 2010-05-09 02:34 -------- d-----w- c:\program files\Common Files\Windows Live
2010-05-05 05:36 . 2010-05-05 05:36 -------- d-----w- c:\users\Lillian\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-04 05:59 . 2010-06-10 21:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 21:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-10 21:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-10 21:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-04 01:41 . 2009-10-14 23:44 50 ----a-w- c:\windows\system32\bridf08b.dat
2010-05-04 01:40 . 2009-09-19 02:02 -------- d-----w- c:\program files\Brother
2010-05-04 01:38 . 2008-09-30 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-04 01:28 . 2010-05-04 01:26 -------- d-----w- c:\program files\Canon
2010-05-04 01:26 . 2010-05-04 01:26 -------- d-----w- c:\programdata\ZoomBrowser
2010-05-04 01:24 . 2010-05-04 01:24 -------- d-----w- c:\program files\Common Files\Canon
2010-04-29 19:39 . 2010-02-14 00:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-14 00:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 14:13 . 2010-05-26 00:21 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-19 06:49 . 2010-04-19 06:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 16:43 . 2010-06-23 16:10 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:43 . 2010-06-23 16:10 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:43 . 2010-06-23 16:10 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-04-16 16:43 . 2010-06-23 16:10 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2008-06-30 17:44 . 2009-09-12 13:02 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-09-11 21:12 . 2009-09-11 21:12 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-09-11 21:12 . 2009-09-11 21:12 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]
"SLFHVNU"="c:\users\Lillian\AppData\Roaming\msxml3J.dll" [2010-06-27 52224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\TSS.exe" [2008-08-04 1242424]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-26 202256]

c:\users\Lillian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 03:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8c,13,25,d0,d5,34,ca,01

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-02-13 24856]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091105.001\IDSvix86.sys [2009-08-26 272432]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-06-10 347648]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Lillian\AppData\Roaming\Mozilla\Firefox\Profiles\sug9qjae.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\users\Lillian\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-30 21:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4368)
c:\program files\Common Files\Symantec Shared\AppCore\AppMgr32.dll
c:\windows\System32\netshell.dll
.
Completion time: 2010-06-30 21:46:26
ComboFix-quarantined-files.txt 2010-07-01 01:46

Pre-Run: 95,250,165,760 bytes free
Post-Run: 95,215,603,712 bytes free

- - End Of File - - 93E7B68A7C8B9A262D5E9CAB75109731
 
You have Norton's leftovers.
Please, run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

=================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\users\Lillian\AppData\Roaming\msxml3J.dll


Folder::
c:\programdata\Viewpoint

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SLFHVNU"=-

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
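A small triage script, added here as an example and not part of the thread or of ComboFix itself, that scans a ComboFix-style log for the three indicators the CFScript above removes: a hidden+system file dropped in the user profile, a Run value that launches a DLL under a random-looking name, and a browser proxy pointed at localhost (the usual cause of search-result redirects). The log excerpt is constructed from lines quoted earlier in the thread; the random-name heuristic is an assumption, not a ComboFix rule.

```python
"""Triage a ComboFix-style log for the indicators acted on in this thread."""
import re
from dataclasses import dataclass

# Constructed excerpt: file entries, "Reg Loading Points" and the
# "Supplementary Scan" lines, copied from the log posted in the thread.
SAMPLE_LOG = r"""
2010-06-27 03:12 . 2010-06-27 03:12 52224 --sha-r- c:\users\Lillian\AppData\Roaming\msxml3J.dll
2010-06-26 22:51 . 2010-06-26 22:51 348160 ----a-w- c:\windows\system32\pnup0.dll
2010-06-23 21:39 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]
"SLFHVNU"="c:\users\Lillian\AppData\Roaming\msxml3J.dll" [2010-06-27 52224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# "2010-06-27 03:12 . 2010-06-27 03:12 52224 --sha-r- <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S{8}) (.+)$"
)
# '"Name"="<target>" [date size]' under a Run key
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
# 'uInternet Settings,ProxyServer = http=127.0.0.1:5555'
PROXY = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
# Heuristic (assumption): 6+ upper-case letters/digits, as in "SLFHVNU",
# is not how legitimate vendors name their startup entries.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{6,}$")


def parse_attrs(attrs: str) -> set:
    """ComboFix attribute string, e.g. '--sha-r-': d=directory, s=system,
    h=hidden, a=archive, r=read-only, w=writable; '-' means unset."""
    return {c for c in attrs if c != "-"}


def triage(log_text: str) -> list:
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None  # ComboFix ends each registry block with a blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = FILE_LINE.match(line)
        if m:
            _size, attrs, path = m.groups()
            flags = parse_attrs(attrs)
            # A system+hidden (+read-only) file inside AppData is how the
            # dropper in this thread hid msxml3J.dll from the user.
            if {"s", "h"} <= flags and "d" not in flags and "\\appdata\\" in path.lower():
                findings.append(Finding("hidden_system_file_in_profile", path))
            continue
        if current_key and current_key.lower().endswith(r"\currentversion\run"):
            m = RUN_VALUE.match(line)
            if m:
                name, target = m.groups()
                low = target.lower()
                # Run cannot execute a bare DLL; a .dll target is a loader trick.
                if low.endswith(".dll"):
                    findings.append(Finding("run_entry_targets_dll", f"{name} -> {target}"))
                elif "\\appdata\\" in low:
                    findings.append(Finding("run_entry_in_user_profile", f"{name} -> {target}"))
                if RANDOM_NAME.match(name):
                    findings.append(Finding("run_entry_random_name", name))
                continue
        m = PROXY.match(line)
        if m:
            proxy = m.group(1).strip()
            # Value may be "http=host:port" or just "host:port".
            host = proxy.split("=", 1)[-1].split(":", 1)[0]
            if host in ("127.0.0.1", "localhost"):
                findings.append(Finding("local_proxy_hijack", proxy))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
```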
 
ComboFix 10-06-30.02 - Lillian 06/30/2010 23:18:58.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1085 [GMT -4:00]
Running from: c:\users\Lillian\Desktop\ComboFix.exe
Command switches used :: c:\users\Lillian\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Lillian\AppData\Roaming\msxml3J.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Viewpoint
c:\users\Lillian\AppData\Roaming\msxml3J.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Lillian\AppData\Local\temp
2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\s\AppData\Local\temp
2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-07-01 03:33 . 2010-07-01 03:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-01 02:57 . 2010-07-01 02:57 -------- d-----w- c:\program files\QS
2010-07-01 02:57 . 2010-07-01 02:57 -------- d-----w- c:\users\Lillian\AppData\Roaming\TeamViewer
2010-06-29 16:02 . 2010-06-29 16:02 -------- d-----w- c:\program files\Trend Micro
2010-06-28 04:00 . 2010-06-28 04:00 -------- d-----w- C:\7d5341a17ef6849de81c9abb1dd5
2010-06-27 07:00 . 2010-06-27 07:00 -------- d-----w- C:\55b67a2855b21e3ee9b56f709adc
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-26 22:57 . 2010-06-26 22:57 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-26 22:57 . 2010-06-26 22:57 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-26 22:57 . 2010-06-26 22:57 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-26 22:57 . 2010-06-26 22:57 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-26 22:57 . 2010-06-26 22:57 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-26 22:57 . 2010-06-26 22:57 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-26 22:54 . 2010-06-26 22:54 -------- d-----w- c:\program files\Common Files\xing shared
2010-06-26 22:51 . 2010-06-26 22:51 348160 ----a-w- c:\windows\system32\pnup0.dll
2010-06-23 21:39 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 21:39 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 21:39 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 21:39 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 21:39 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 16:10 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 16:10 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-18 01:37 . 2010-06-18 01:37 -------- d-----w- c:\programdata\AIM
2010-06-18 01:36 . 2010-06-18 01:37 -------- d-----w- c:\program files\AIM
2010-06-18 01:36 . 2010-06-18 01:36 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-14 05:28 . 2010-06-14 05:28 -------- d-----w- c:\programdata\Adobe Systems
2010-06-14 05:12 . 2010-06-14 05:12 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-06-10 21:38 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-10 21:34 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 21:34 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-10 21:34 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-10 15:57 . 2010-06-10 15:57 -------- d-----w- c:\users\Lillian\New Folder
2010-06-04 04:23 . 2010-06-04 04:23 -------- d-----w- c:\windows\system32\Adobe
2010-06-03 23:41 . 2010-06-03 23:41 50354 ----a-w- c:\users\Lillian\AppData\Roaming\Facebook\uninstall.exe
2010-06-03 23:41 . 2010-06-03 23:41 -------- d-----w- c:\users\Lillian\AppData\Roaming\Facebook

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 02:05 . 2008-09-30 19:43 -------- d-----w- c:\programdata\Symantec
2010-07-01 02:05 . 2008-09-30 19:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-30 01:46 . 2010-02-10 22:24 -------- d-----w- c:\users\Lillian\AppData\Roaming\vlc
2010-06-28 22:53 . 2010-02-14 04:23 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-28 22:50 . 2009-08-28 16:15 -------- d-----w- c:\program files\Microsoft.NET
2010-06-28 01:21 . 2010-02-13 04:07 -------- d-----w- c:\program files\Spyware Doctor
2010-06-27 19:42 . 2010-04-19 00:01 -------- d-----w- c:\programdata\PC Tools
2010-06-26 22:56 . 2009-09-14 03:20 -------- d-----w- c:\program files\Common Files\Real
2010-06-26 22:55 . 2009-09-14 03:20 -------- d-----w- c:\program files\Real
2010-06-26 06:06 . 2010-02-14 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-26 05:50 . 2009-12-04 00:50 1 ----a-w- c:\users\Lillian\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-24 02:21 . 2010-03-07 02:34 439816 ----a-w- c:\users\Lillian\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-06-14 21:41 . 2009-09-11 21:13 121392 ----a-w- c:\users\Lillian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-14 05:13 . 2010-04-22 22:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-12 11:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-12 03:06 . 2009-08-28 16:14 -------- d-----w- c:\programdata\Microsoft Help
2010-06-06 15:27 . 2009-09-12 06:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 17:37 . 2009-10-03 12:27 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-31 17:38 . 2010-01-15 00:30 -------- d-----w- c:\users\Lillian\AppData\Roaming\Corel
2010-05-31 17:02 . 2010-05-31 17:02 -------- d-----w- c:\users\Lillian\AppData\Roaming\PC-FAX TX
2010-05-29 18:55 . 2010-05-29 18:55 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2010-05-29 18:54 . 2010-05-29 18:54 -------- d-----w- c:\users\Guest\AppData\Roaming\Symantec
2010-05-29 18:54 . 2010-05-29 18:54 121392 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-29 02:17 . 2010-04-01 14:59 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-05-19 03:49 . 2010-02-14 04:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-09 02:43 . 2010-05-09 02:43 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-05-09 02:34 . 2010-05-09 02:34 -------- d-----w- c:\program files\Common Files\Windows Live
2010-05-05 05:36 . 2010-05-05 05:36 -------- d-----w- c:\users\Lillian\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-04 05:59 . 2010-06-10 21:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 21:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-10 21:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-10 21:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-04 01:41 . 2009-10-14 23:44 50 ----a-w- c:\windows\system32\bridf08b.dat
2010-05-04 01:40 . 2009-09-19 02:02 -------- d-----w- c:\program files\Brother
2010-05-04 01:38 . 2008-09-30 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-04 01:28 . 2010-05-04 01:26 -------- d-----w- c:\program files\Canon
2010-05-04 01:26 . 2010-05-04 01:26 -------- d-----w- c:\programdata\ZoomBrowser
2010-05-04 01:24 . 2010-05-04 01:24 -------- d-----w- c:\program files\Common Files\Canon
2010-04-29 19:39 . 2010-02-14 00:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-14 00:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 14:13 . 2010-05-26 00:21 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-19 06:49 . 2010-04-19 06:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 16:43 . 2010-06-23 16:10 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:43 . 2010-06-23 16:10 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:43 . 2010-06-23 16:10 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-04-16 16:43 . 2010-06-23 16:10 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2009-09-11 21:12 . 2009-09-11 21:12 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-09-11 21:12 . 2009-09-11 21:12 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\TSS.exe" [2008-08-04 1242424]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-26 202256]

c:\users\Lillian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 03:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8c,13,25,d0,d5,34,ca,01

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-02-13 24856]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-06-10 347648]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Lillian\AppData\Roaming\Mozilla\Firefox\Profiles\sug9qjae.default\
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\users\Lillian\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-30 23:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-30 23:38:25
ComboFix-quarantined-files.txt 2010-07-01 03:38
ComboFix2.txt 2010-07-01 01:46

Pre-Run: 96,804,270,080 bytes free
Post-Run: 96,826,617,856 bytes free

- - End Of File - - CEC6A5C9825460FFBD2760DFF409EEED
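As an added example (not code from this thread, from ComboFix or from the helper), here is a small Python triage script that parses ComboFix file-listing lines like the ones above into structured records and lists the entries a reviewer would want to look at again: files whose attribute field carries both the system and hidden bits, and very small files sitting under a drivers directory. The sample log is constructed from a handful of lines in the report above; reading the attribute letters (d, s, h, a, r, w) as DOS-style attribute flags is an assumption, and the two heuristics are prompts for a closer look, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix file-listing line, as seen in the "new files" and Find3M sections:
#   <changed date> . <created date> <size or --------> <attr> <path>
# Section banners, lone dots and blank lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<changed>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attr>[\w-]{8}) "
    r"(?P<path>.+)$"
)

# Constructed sample: five lines copied from the report in this thread.
SAMPLE_LOG = r"""
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-06-26 22:51 . 2010-06-26 22:51 348160 ----a-w- c:\windows\system32\pnup0.dll
2010-06-18 01:37 . 2010-06-18 01:37 -------- d-----w- c:\programdata\AIM
2010-05-04 01:38 . 2008-09-30 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 21:12 . 2009-09-11 21:12 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-09-11 21:12 . 2009-09-11 21:12 4 --sh--r- c:\windows\System32\drivers\taishop.sys
"""


@dataclass
class Entry:
    changed: str
    created: str
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attr: str            # eight-character attribute field, e.g. "----a-w-" or "--sh--r-"
    path: str

    # Assumption: the letters are DOS-style attribute flags (d=directory, s=system,
    # h=hidden, a=archive, r=read-only, w=writable); only their presence is tested.
    @property
    def is_dir(self) -> bool:
        return "d" in self.attr

    @property
    def hidden(self) -> bool:
        return "h" in self.attr

    @property
    def system(self) -> bool:
        return "s" in self.attr


def parse_log(text: str) -> List[Entry]:
    """Turn every file-listing line in a ComboFix log into an Entry; ignore the rest."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["changed"], m["created"], size, m["attr"], m["path"]))
    return entries


def review_candidates(entries: List[Entry], max_tiny: int = 64) -> List[Entry]:
    """Files worth a second look: system+hidden attributes, or tiny files in a drivers folder."""
    flagged = []
    for e in entries:
        if e.is_dir or e.size is None:
            continue
        tiny_driver = e.size <= max_tiny and "\\drivers\\" in e.path.lower()
        if (e.hidden and e.system) or tiny_driver:
            flagged.append(e)
    return flagged


def main() -> None:
    entries = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries")
    for e in review_candidates(entries):
        print(f"review: {e.path}  size={e.size}  attr={e.attr}  created={e.created}")


if __name__ == "__main__":
    main()
```

Run it against a full ComboFix log and the output is a short list of paths to check by hand (file version info, signer, and whether the size is plausible for what the name claims), which is faster than reading several hundred listing lines by eye.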
 
How is the redirection issue?

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt; please copy and paste the contents of that file here.
 
Well I can't say for sure that the problem is fixed as it occurs at random times. Attached is the log:
 

Attachments

  • TDSSKiller.txt (52.7 KB)
Well I can't say for sure that the problem is fixed as it occurs at random times
Keep me updated on this.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.

=====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - [2010/02/13 19:47:03 | 000,024,856 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
    O4 - HKLM..\Run: [NDSTray.exe]  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2010/04/18 09:36:52 | 000,000,000 | ---D | C] -- C:\Users\Lillian\AppData\Local\pmyyqvrfi
    [2010/04/03 03:32:03 | 000,009,314 | -HS- | M] () -- C:\Users\Lillian\AppData\Local\Wv7V1mEL4UH
    [2010/04/03 03:32:03 | 000,009,314 | -HS- | M] () -- C:\ProgramData\Wv7V1mEL4UH
    @Alternate Data Stream - 154 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Still doesn't seem like I'm being redirected anywhere. Here's the log after the fix; I'll get to the quick scan log in a second.

All processes killed
========== OTL ==========
Service Avgfwfd stopped successfully!
Service Avgfwfd deleted successfully!
C:\Windows\System32\drivers\avgfwd6x.sys moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NDSTray.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\Users\Lillian\AppData\Local\pmyyqvrfi folder moved successfully.
C:\Users\Lillian\AppData\Local\Wv7V1mEL4UH moved successfully.
C:\ProgramData\Wv7V1mEL4UH moved successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: Lillian
->Temp folder emptied: 45904 bytes
->Temporary Internet Files folder emptied: 6950827 bytes
->Java cache emptied: 3879 bytes
->FireFox cache emptied: 87348127 bytes
->Flash cache emptied: 4918 bytes

User: Public
->Temp folder emptied: 0 bytes

User: s
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3154 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 90.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Guest

User: Lillian
->Flash cache emptied: 0 bytes

User: Public

User: s

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.7.0 log created on 07012010_013657

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Still doesn't seem like I'm being redirected anywhere
Very good :)

After you post Quick Scan....

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

========================================================

Disable your antivirus program.
Go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
About that report, I accidentally closed it and it's not under the REPORTS tab. The scan came up clean though. Umm... should I re-run the scan to get the report again?
 
That's fine :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 