
Solved Google Redirect

Discussion in 'Malware and Virus Removal Archive' started by bsrrx, 2008/11/12.

  1. 2008/11/12
    bsrrx (Thread Starter)
    [Resolved] Google Redirect

    I'm having a serious issue with some sort of malware right now. Results from Google searches on both IE and Firefox redirect to an advertising site. My Norton Antivirus cannot connect to the LiveUpdate server to update its protection files, and I cannot view most webpages having anything to do with antimalware or antispyware software. Any help would be greatly appreciated. Thanks!
     
  2. 2008/11/13
    Admin. (Administrator, Staff)
    Hi,

    Read this post as indicated at the top of this forum.
     


  4. 2008/11/13
    bsrrx (Thread Starter)
    Attempts to fix

    I cannot connect to the website in order to download the rsit tool. I cannot, in fact, connect to any website in order to download any malware-fixing tool. Other websites load fine, but websites hosting downloads for this software seem to be blocked by the malware.
     
  5. 2008/11/15
    Geri (Alumni)
    Hi bsrrx
    Do you have access to another computer where you can download and transfer a tool to the infected one and run it?

    Geri
     
  6. 2008/11/16
    bsrrx (Thread Starter)
    Should I download anything in addition to the rsit tool while I have the opportunity to do so?
     
  7. 2008/11/16
    Geri (Alumni)
    Hi
    Yes please do this.

    Download ComboFix from Here to your Desktop.

    Run it this way on the infected machine.

    It's best to disable realtime protection applications, as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double-click combofix.exe and follow the prompts.
    • Vista users: right-click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    NOTE - Allow ComboFix to update if prompted.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Geri
     
  8. 2008/11/16
    bsrrx (Thread Starter)
    Here are my RSIT logs. I downloaded ComboFix onto a friend's computer and copied it to a disk to transfer to this computer. After copying it to the desktop I double-clicked and nothing happened. Does this have to be downloaded directly onto the affected computer? Thanks so much for all your help!

    Logfile of random's system information tool 1.04 (written by random/random)
    Run by Bennie at 2008-11-16 22:33:29
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 27 GB (35%) free of 76 GB
    Total RAM: 1023 MB (60% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:33:32 PM, on 11/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    C:\Palm\Hotsync.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\Bennie\Desktop\RSIT.exe
    C:\Documents and Settings\Bennie\Desktop\Bennie.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks\osCheck.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AntiSpywareXP 2009] "C:\Program Files\AntiSpywareXP2009\AntiSpywareXP2009.exe" /hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
    O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: http://*.turbotax.com
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 8468 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Bennie.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-06-30 2403392]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoxioEngineUtility "=C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe [2003-05-01 65536]
    "ccApp "=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-10-28 107112]
    "osCheck "=C:\Program Files\Norton AntiVirus\osCheck.exe [2006-09-05 26248]
    "TkBellExe "=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-08-15 180269]
    "SunJavaUpdateSched "=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "ATIPTA "=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe []
    "NSWosCheck "=C:\Program Files\Norton SystemWorks\osCheck.exe [2007-12-03 25472]
    "Symantec PIF AlertEng "=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
    "NvCplDaemon "=C:\WINDOWS\system32\NvCpl.dll [2008-05-03 13529088]
    "NvMediaCenter "=C:\WINDOWS\system32\NvMcTray.dll [2008-05-03 86016]
    "QuickTime Task "=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
    "AppleSyncNotifier "=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
    "iTunesHelper "=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
    "AntiSpywareXP 2009 "=C:\Program Files\AntiSpywareXP2009\AntiSpywareXP2009.exe /hide []

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-05 68856]
    "EA Core "=C:\Program Files\Electronic Arts\EADM\Core.exe [2008-06-13 2752512]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe /background []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Audible Download Manager.lnk - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe
    Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2004-05-15 86016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\System32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1
    "DisableStatusMessages "=0
    "DisableCMD "=0
    "DisableTaskMgr "=0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun "=0
    "NoDrives "=0
    "NoViewOnDrive "=0
    "ForceClassicControlPanel "=1
    "NofolderOptions "=0
    "NoFind "=0
    "NoLogoff "=0
    "NoSetFolders "=0
    "NoViewContextMenu "=0
    "Norun "=0
    "NoDesktop "=0
    "HideClock "=0

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\EA SPORTS\MVP Baseball 2005\mvp2005.exe "= "C:\Program Files\EA SPORTS\MVP Baseball 2005\mvp2005.exe:*:Disabled:mvp2005 "
    "C:\Program Files\Messenger\msmsgs.exe "= "C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger "
    "C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe "= "C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax "
    "C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe "= "C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager "
    "C:\Program Files\Ruckus Player\Ruckus.exe "= "C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus "
    "C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe "= "C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe:*:Enabled:mlb-nexdef-autobahn "
    "C:\Program Files\Bonjour\mDNSResponder.exe "= "C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour "
    "C:\Program Files\iTunes\iTunes.exe "= "C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes "
    "E:\Ben's Applications\bittorrent\bittorrent.exe "= "E:\Ben's Applications\bittorrent\bittorrent.exe:*:Enabled:BitTorrent "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "

    ======File associations======

    .bat - edit - %SystemRoot%\System32\NOTEPAD.EXE %1 "
    .ini - open - %SystemRoot%\System32\NOTEPAD.EXE %1 "

    ======List of files/folders created in the last 1 months======

    2008-11-16 22:25:54 ----D---- C:\rsit
    2008-11-12 22:10:41 ----D---- C:\!KillBox
    2008-11-09 10:36:30 ----A---- C:\WINDOWS\Sysvxd.exe
    2008-10-29 13:49:45 ----D---- C:\Documents and Settings\All Users\Application Data\HotSync
    2008-10-29 08:00:21 ----A---- C:\WINDOWS\zaxuju.com
    2008-10-29 08:00:21 ----A---- C:\Program Files\Common Files\vybizyri.com
    2008-10-29 07:59:02 ----A---- C:\WINDOWS\system32\wini10801.exe
    2008-10-29 07:55:51 ----A---- C:\WINDOWS\system32\delself.bat

    ======List of files/folders modified in the last 1 months======

    2008-11-16 22:29:34 ----D---- C:\Program Files\Mozilla Firefox
    2008-11-16 22:23:48 ----D---- C:\WINDOWS\Temp
    2008-11-16 18:54:57 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-11-16 18:36:28 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-11-16 09:09:51 ----D---- C:\WINDOWS\Prefetch
    2008-11-14 23:30:36 ----D---- C:\WINDOWS\system32
    2008-11-14 23:30:35 ----D---- C:\WINDOWS\system32\drivers
    2008-11-12 21:56:17 ----SD---- C:\WINDOWS\Tasks
    2008-11-12 21:29:26 ----D---- C:\Program Files
    2008-11-11 00:37:20 ----D---- C:\Documents and Settings\Bennie\Application Data\Ruckus Network
    2008-11-09 10:36:30 ----D---- C:\WINDOWS
    2008-11-05 23:49:11 ----D---- C:\Program Files\Common Files\Symantec Shared
    2008-11-02 07:33:11 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-10-30 12:32:10 ----SHD---- C:\WINDOWS\Installer
    2008-10-30 12:32:10 ----D---- C:\Config.Msi
    2008-10-29 18:06:22 ----A---- C:\WINDOWS\imsins.BAK
    2008-10-29 09:22:06 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-10-29 09:18:10 ----D---- C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-10-29 09:18:06 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
    2008-10-29 09:18:05 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-10-29 08:00:21 ----D---- C:\Program Files\Common Files
    2008-10-29 07:57:46 ----RSHDC---- C:\WINDOWS\system32\dllcache

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-03 37376]
    R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2003-06-25 66992]
    R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2003-06-25 24698]
    R1 DVDVRRdr_xp;DVDVRRdr_xp; C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2003-06-25 146560]
    R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
    R1 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2007-11-30 279088]
    R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2007-11-30 43696]
    R1 StyleXPHelper;StyleXPHelper; \??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe []
    R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2008-10-03 187952]
    R2 GBFSHook;GBFSHook; C:\WINDOWS\system32\drivers\GBFSHook.sys [2006-07-19 15360]
    R3 als4k;Avance Wave Audio Miniport Driver (WDM); C:\WINDOWS\system32\drivers\als4000.sys [2000-01-14 25674]
    R3 ALS4KMF;ALS4KMF; C:\WINDOWS\system32\drivers\mf.sys [2004-08-03 63744]
    R3 alsgame;Gameport for ALS4000 (WDM); C:\WINDOWS\system32\drivers\alsgame.sys [1999-09-10 15088]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
    R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
    R3 fixustor;fixustor; C:\WINDOWS\system32\drivers\fixustor.sys [2004-05-11 6656]
    R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
    R3 HCF_MSFT;HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [2001-08-17 907456]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081105.004\NAVENG.SYS []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081105.004\NAVEX15.SYS []
    R3 NPDriver;Norton UnErase Protection Driver; \??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS []
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-03 6554496]
    R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
    R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2008-10-03 12848]
    R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
    R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2008-10-03 146096]
    R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2008-10-03 39984]
    R3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20081104.001\SymIDSCo.sys []
    R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2008-10-03 35120]
    R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2008-10-03 27696]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
    R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
    S1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
    S1 rxp;rxp; \??\C:\WINDOWS\system32\drivers\rxp.sys []
    S2 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINDOWS\System32\DRIVERS\atinmdxx.sys [2001-09-26 11280]
    S3 ati2mtaa;ati2mtaa; C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2001-09-27 285088]
    S3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-05-15 745984]
    S3 atimtag;atimtag; C:\WINDOWS\System32\DRIVERS\atimtag.sys []
    S3 atinrvxx;ATI WDM Rage Theater Video; C:\WINDOWS\System32\DRIVERS\atinrvxx.sys [2001-09-26 65104]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
    S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]
    S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-03 10880]
    S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2008-02-07 16694]
    S3 pfsvgae;pfsvgae; \??\C:\DOCUME~1\Bryan\LOCALS~1\Temp\pfsvgae.sys []
    S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver; C:\WINDOWS\System32\DRIVERS\PRISMUSB.sys [2003-04-10 636502]
    S3 SDdriver;SDdriver; \??\C:\WINDOWS\system32\Drivers\sddriver.sys []
    S3 slabbus;CP2101 USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2004-03-25 52384]
    S3 slabser;CP2101 USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2004-03-25 84512]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-03 11136]
    S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
    S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2007-11-30 317616]
    S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-03 15360]
    S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 VIAudio;VIA AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\viaudios.sys [2003-02-26 370048]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
    R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-10-28 107624]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-10-28 107624]
    R2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-10-28 107624]
    R2 GBPoll;GoBack Polling Service; C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe [2006-07-19 595632]
    R2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-10-28 107624]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
    R2 NProtectService;Norton UnErase Protection; C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE [2005-11-03 95832]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-03 159812]
    R2 Speed Disk service;Speed Disk service; C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE [2005-11-03 176193]
    R2 SymAppCore;Symantec AppCore Service; C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe [2006-09-02 46736]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
    R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2001-05-01 53248]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
    R3 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2008-04-16 1251720]
    S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2000-11-30 57344]
    S2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
    S2 StyleXPService;StyleXPService; C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe [2003-12-20 303104]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-30 138168]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 ISPwdSvc;Symantec IS Password Validation; C:\Program Files\Norton AntiVirus\isPwdSvc.exe [2006-09-05 79496]
    S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
    S3 SandraDataSrv;SiSoftware Database Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe [2007-12-12 213176]
    S3 SandraTheSrv;SiSoftware Sandra Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe [2007-12-12 1253568]
    S4 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-05-15 516096]

    -----------------EOF-----------------
     
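    A triage pass over the RSIT/HijackThis log above, added here as an example; it is not part of the thread and not code from RSIT, HijackThis or ComboFix. It parses the O4 Run entries and the "files created in the last month" section and flags the autorun with a rogue security-product name that starts hidden, plus the fresh executables dropped straight into C:\WINDOWS, system32 and Common Files (several of which appear in the ComboFix deletion list later in the thread). The sample lines are copied from the log; the rogue-name pattern, watched directories and extension list are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the RSIT / HijackThis log
# posted in this thread. The heuristics below are this example's own
# assumptions, not rules from RSIT, HijackThis or ComboFix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [AntiSpywareXP 2009] "C:\Program Files\AntiSpywareXP2009\AntiSpywareXP2009.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
======List of files/folders created in the last 1 months======
2008-11-16 22:25:54 ----D---- C:\rsit
2008-11-09 10:36:30 ----A---- C:\WINDOWS\Sysvxd.exe
2008-10-29 08:00:21 ----A---- C:\WINDOWS\zaxuju.com
2008-10-29 08:00:21 ----A---- C:\Program Files\Common Files\vybizyri.com
2008-10-29 07:59:02 ----A---- C:\WINDOWS\system32\wini10801.exe
2008-10-29 07:55:51 ----A---- C:\WINDOWS\system32\delself.bat
======List of files/folders modified in the last 1 months======
2008-11-16 22:29:34 ----D---- C:\Program Files\Mozilla Firefox
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# RSIT file line: "<date> <time> ----<attrs>---- <path>"
FILE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) -+(?P<attrs>[A-Z]*)-+ (?P<path>.+)$')

# Naming pattern of rogue "security products" (assumed heuristic for this example).
ROGUE_NAME_RE = re.compile(r'(?i)(anti\s*(spyware|virus)|security|defender)\s*(xp)?\s*20\d\d')
EXEC_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.dll', '.sys')
# Directories where a freshly created binary deserves a second look: the OS and
# vendors rarely drop new files directly here outside of patching.
WATCHED_DIRS = (r'c:\windows', r'c:\windows\system32', r'c:\program files\common files')


def flag_autoruns(log_text):
    """Return (name, command, reasons) for O4 Run entries worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if ROGUE_NAME_RE.search(m['name']) or ROGUE_NAME_RE.search(m['cmd']):
            reasons.append('rogue security-product name')
        if re.search(r'(?i)\s/hide\b', m['cmd']):
            reasons.append('starts hidden (/hide)')
        if reasons:
            hits.append((m['name'], m['cmd'].strip(), reasons))
    return hits


def _section(log_text, header_fragment):
    """Yield the non-empty lines of one '======Header======' section of an RSIT log."""
    inside = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith('======'):
            inside = header_fragment in line
            continue
        if inside and line:
            yield line


def flag_dropped_files(log_text):
    """Return (timestamp, path, reasons) for new executables in watched directories.

    These are triage leads, not verdicts: a Windows hotfix also writes to system32.
    """
    hits = []
    for line in _section(log_text, 'created in the last'):
        m = FILE_RE.match(line)
        if not m or 'D' in m['attrs']:      # skip directories
            continue
        path = m['path']
        low = path.lower()
        if not low.endswith(EXEC_EXT):
            continue
        parent = low.rsplit('\\', 1)[0]
        reasons = []
        if parent in WATCHED_DIRS:
            reasons.append('new binary directly under ' + parent)
        if low.endswith('.com'):
            reasons.append('.com extension is rare for legitimate software on XP')
        if reasons:
            hits.append((m['date'] + ' ' + m['time'], path, reasons))
    return hits


def cluster_by_day(dropped):
    """Group flagged files by creation date; a burst on one day is usually one dropper run."""
    days = defaultdict(list)
    for stamp, path, _ in dropped:
        days[stamp[:10]].append(path)
    return dict(days)


if __name__ == '__main__':
    for name, cmd, why in flag_autoruns(SAMPLE_LOG):
        print('AUTORUN', name, '|', cmd, '|', ', '.join(why))
    dropped = flag_dropped_files(SAMPLE_LOG)
    for day, paths in sorted(cluster_by_day(dropped).items()):
        print(day, '->', len(paths), 'new executables:', ', '.join(paths))
```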
  9. 2008/11/16
    Geri (Alumni)
    Hi
    Are you sure you got the program and not a shortcut to ComboFix? Did the icon have a little arrow on it?
     
  10. 2008/11/16
    bsrrx (Thread Starter)
    No arrow on the icon, and it's a .exe file. Good question, though, I'm sure I'll pull something like that somewhere along the way.
     
  11. 2008/11/16
    Geri (Alumni)
    Let's see if this will work.

    Right-click on it and click Rename, rename it to fixcombo.exe, OK any prompts and see if it will run.
     
  12. 2008/11/17
    bsrrx (Thread Starter)
    Worked like a charm!

    ComboFix 08-11-16.04 - Bennie 2008-11-17 0:58:47.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT -5:00]
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\All Users\Start Menu\Online Security Guide.url
    c:\documents and settings\All Users\Start Menu\Security Troubleshooting.url
    c:\program files\WinBudget
    c:\program files\WinBudget\bin\matrix.dat
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\_scui.cpl
    c:\windows\system32\DelSelf.bat
    c:\windows\system32\dllcache\beep.sys
    c:\windows\system32\drivers\TDSSmhxt.sys
    c:\windows\system32\TDSScfum.dll
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSnrsr.dll
    c:\windows\system32\TDSSofxh.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSSpqxt.dll
    c:\windows\system32\TDSSrhym.log
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSSsihl.log
    c:\windows\system32\uninstall.exe
    c:\windows\system32\wini10801.exe
    c:\windows\Sysvxd.exe

    ----- BITS: Possible infected sites -----

    hxxp://updates.swarmcast.net
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
    .

    2008-11-16 22:25 . 2008-11-16 22:26 <DIR> d-------- C:\rsit
    2008-11-12 22:10 . 2008-11-12 22:10 <DIR> d-------- C:\!KillBox
    2008-10-29 13:49 . 2008-10-29 13:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\HotSync
    2008-10-29 08:00 . 2008-10-29 08:00 19,805 --a------ c:\documents and settings\All Users\Application Data\tiluna.dat
    2008-10-29 08:00 . 2008-10-29 08:00 19,648 --a------ c:\windows\jidax._sy
    2008-10-29 08:00 . 2008-10-29 08:00 19,479 --a------ c:\program files\Common Files\ulyres.reg
    2008-10-29 08:00 . 2008-10-29 08:00 18,700 --a------ c:\windows\powivoh.dl
    2008-10-29 08:00 . 2008-10-29 08:00 18,090 --a------ c:\program files\Common Files\vybizyri.com
    2008-10-29 08:00 . 2008-10-29 08:00 17,554 --a------ c:\windows\eqebos.inf
    2008-10-29 08:00 . 2008-10-29 08:00 16,278 --a------ c:\windows\zaxuju.com
    2008-10-29 08:00 . 2008-10-29 08:00 15,912 --a------ c:\windows\system32\nidyk.sys
    2008-10-29 08:00 . 2008-10-29 08:00 14,004 --a------ c:\windows\system32\eqyjyge.lib
    2008-10-29 08:00 . 2008-10-29 08:00 13,258 --a------ c:\windows\fagoborisy.dat
    2008-10-29 08:00 . 2008-10-29 08:00 13,085 --a------ c:\windows\tixyhigol.dat
    2008-10-29 08:00 . 2008-10-29 08:00 12,291 --a------ c:\windows\yfuheqo.lib
    2008-10-29 08:00 . 2008-10-29 08:00 10,420 --a------ c:\windows\umaqujy.ban
    2008-10-28 15:56 . 2008-10-28 15:56 <DIR> d-------- c:\documents and settings\Mom And Dad\Application Data\BitTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-11 05:37 --------- d-----w c:\documents and settings\Bennie\Application Data\Ruckus Network
    2008-11-06 04:49 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-10-29 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
    2008-10-29 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-10-29 13:00 19,149 ----a-w c:\program files\Common Files\uqefocutac.lib
    2008-10-16 22:58 --------- d-----w c:\documents and settings\Bennie\Application Data\goombah
    2008-10-10 15:15 --------- d-----w c:\program files\VideoLAN
    2008-10-05 22:38 --------- d-----w c:\program files\iTunes
    2008-10-05 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-10-05 22:37 --------- d-----w c:\program files\iPod
    2008-10-03 18:34 625,032 ----a-w c:\windows\system32\SymNeti.dll
    2008-10-03 18:34 242,056 ----a-w c:\windows\system32\SymRedir.dll
    2008-10-03 18:14 39,984 ----a-w c:\windows\system32\drivers\symids.sys
    2008-10-03 18:14 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
    2008-10-03 18:14 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
    2008-10-03 18:14 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
    2008-10-03 18:14 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
    2008-10-03 18:14 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
    2008-10-03 18:14 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
    2008-10-03 18:14 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
    2008-10-03 18:14 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
    2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2008-09-26 23:17 --------- d-----w c:\program files\Warcraft II BNE
    2008-09-24 03:15 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-09-23 12:53 --------- d-----w c:\program files\Electronic Arts
    2008-09-23 12:52 3,136 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2008-09-19 16:20 --------- d-----w c:\program files\Bonjour
    2008-09-19 16:18 --------- d-----w c:\program files\QuickTime
    2008-09-19 16:17 --------- d-----w c:\program files\Common Files\Apple
    2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
    2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
    2008-05-02 18:55 21,872 ----a-w c:\documents and settings\Bennie\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-26 13:07 21,872 -c--a-w c:\documents and settings\Mom And Dad\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-05 68856]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-10-28 107112]
    "osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-15 180269]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2007-12-03 25472]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-05-15 845408]
    HOTSYNCSHORTCUTNAME.lnk - c:\palm\Hotsync.exe [2004-06-09 471040]
    Norton GoBack.lnk - c:\program files\Norton SystemWorks\Norton GoBack\GBTray.exe [2006-07-19 861872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoLogoff"= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"= 0 (0x0)
    "NoSetFolders"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 als4k;Avance Wave Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [2005-04-02 25674]
    R3 ALS4KMF;ALS4KMF;c:\windows\system32\drivers\mf.sys [2001-08-17 63744]
    R3 alsgame;Gameport for ALS4000 (WDM);c:\windows\system32\drivers\alsgame.sys [2005-04-02 15088]
    R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2006-03-11 6656]
    S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys []
    S3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2001-09-27 285088]
    S3 pfsvgae;pfsvgae;\??\c:\docume~1\Bryan\LOCALS~1\Temp\pfsvgae.sys []
    S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\PRISMUSB.sys [2005-07-30 636502]
    S4 hpt3xx;hpt3xx; []

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-10-31 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Bennie.job
    - c:\progra~1\NORTON~2\Navw32.exe [2006-09-07 01:38]

    2008-10-27 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2007-12-03 00:41]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    HKLM-Run-AntiSpywareXP 2009 - c:\program files\AntiSpywareXP2009\AntiSpywareXP2009.exe
    MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Bennie\Application Data\Mozilla\Firefox\Profiles\ji3j661n.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn
    .
    .
    ------- File Associations -------
    .
    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-17 01:10:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSmhxt.sys"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\windows\system32\Ati2evxx.dll
    -> c:\windows\System32\NavLogon.dll
    .
    Completion time: 2008-11-17 1:13:01
    ComboFix-quarantined-files.txt 2008-11-17 06:12:56

    Pre-Run: 29,380,247,552 bytes free
    Post-Run: 32,701,353,984 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (bootscreen)" /fastdetect /NoExecute=OptIn
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

    207 --- E O F --- 2008-01-09 20:50:39
     
    Last edited: 2008/11/17
  13. 2008/11/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK great.
    The worst part is over. :)

    I need to get some sleep, work tomorrow.

    I'll go through the log tomorrow and give you more instructions then.

    Geri
     
  14. 2008/11/17
    bsrrx Lifetime Subscription

    bsrrx Inactive Thread Starter

    Joined:
    2008/11/12
    Messages:
    13
    Likes Received:
    0
    Sounds great (except for work)! Thanks so much for your help.
     
  15. 2008/11/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    c:\documents and settings\All Users\Application Data\tiluna.dat
    c:\windows\jidax._sy
    c:\program files\Common Files\ulyres.reg
    c:\windows\powivoh.dl
    c:\program files\Common Files\vybizyri.com
    c:\windows\eqebos.inf
    c:\windows\zaxuju.com
    c:\windows\system32\nidyk.sys
    c:\windows\system32\eqyjyge.lib
    c:\windows\fagoborisy.dat
    c:\windows\tixyhigol.dat
    c:\windows\yfuheqo.lib
    c:\windows\umaqujy.ban
    c:\program files\Common Files\uqefocutac.lib
    
    Folder::
    c:\documents and settings\All Users\Application Data\Trymedia

    Please post the Combofix log.

    Thanks
    Geri
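The File:: list in the CFScript above is the burst of randomly named files that the first ComboFix log shows written at 2008-10-29 08:00. As an added example (not from this thread and not ComboFix's own code), the script below parses the log's "Files Created" section, picks out such same-minute bursts and drafts the File:: block; the sample lines are copied from the thread's logs, and the burst heuristic is my own assumption, not a ComboFix rule.

```python
"""Parse ComboFix 'Files Created' entries and draft a CFScript File:: block
for bursts of randomly named files written within the same minute."""
import re
from collections import defaultdict

# Layout of a ComboFix "Files Created" line as seen in the thread's logs:
#   <created> . <modified> <size|<DIR>> <attrs> <path>
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# File stem made only of lowercase letters, five or more: the shape shared by
# every dropped file in the thread (tiluna, jidax, powivoh, ...). Heuristic.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,}$")


def parse_created(log_text):
    """Return (created, modified, path) per regular file; directories skipped."""
    entries = []
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            entries.append((m.group("created"), m.group("modified"), m.group("path")))
    return entries


def split_path(path):
    """Split a Windows path into (parent dir lower-cased, stem, extension)."""
    parent, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    return parent.lower(), stem, ext.lower()


def find_drop_bursts(entries, min_files=3, min_dirs=2):
    """Heuristic (my assumption, not a ComboFix rule): a dropper writes several
    random-named files in one minute, scattered over more than one directory,
    each with created == modified (freshly written, unlike patched system
    files, which keep the older mtime of the update package). Returns
    [(minute, [paths in log order]), ...]. Treat the result as candidates for
    review: a benign same-minute burst can match as well."""
    by_minute = defaultdict(list)
    for created, modified, path in entries:
        _, stem, _ = split_path(path)
        if created == modified and RANDOM_STEM_RE.match(stem):
            by_minute[created].append(path)
    bursts = []
    for minute, paths in by_minute.items():
        dirs = {split_path(p)[0] for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            bursts.append((minute, paths))
    return bursts


def build_cfscript(bursts):
    """Render the File:: block in the layout ComboFix reads from CFScript.txt."""
    lines = ["File::"]
    for _, paths in bursts:
        lines.extend(paths)
    return "\n".join(lines) + "\n"


# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.
2008-11-17 05:42 . 2008-08-14 04:51 138,368 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-16 22:25 . 2008-11-16 22:26 <DIR> d-------- C:\rsit
2008-10-29 13:49 . 2008-10-29 13:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\HotSync
2008-10-29 08:00 . 2008-10-29 08:00 19,805 --a------ c:\documents and settings\All Users\Application Data\tiluna.dat
2008-10-29 08:00 . 2008-10-29 08:00 19,648 --a------ c:\windows\jidax._sy
2008-10-29 08:00 . 2008-10-29 08:00 19,479 --a------ c:\program files\Common Files\ulyres.reg
2008-10-29 08:00 . 2008-10-29 08:00 18,700 --a------ c:\windows\powivoh.dl
2008-10-29 08:00 . 2008-10-29 08:00 18,090 --a------ c:\program files\Common Files\vybizyri.com
2008-10-29 08:00 . 2008-10-29 08:00 17,554 --a------ c:\windows\eqebos.inf
2008-10-29 08:00 . 2008-10-29 08:00 16,278 --a------ c:\windows\zaxuju.com
2008-10-29 08:00 . 2008-10-29 08:00 15,912 --a------ c:\windows\system32\nidyk.sys
2008-10-29 08:00 . 2008-10-29 08:00 14,004 --a------ c:\windows\system32\eqyjyge.lib
2008-10-29 08:00 . 2008-10-29 08:00 13,258 --a------ c:\windows\fagoborisy.dat
2008-10-29 08:00 . 2008-10-29 08:00 13,085 --a------ c:\windows\tixyhigol.dat
2008-10-29 08:00 . 2008-10-29 08:00 12,291 --a------ c:\windows\yfuheqo.lib
2008-10-29 08:00 . 2008-10-29 08:00 10,420 --a------ c:\windows\umaqujy.ban
2008-10-28 15:56 . 2008-10-28 15:56 <DIR> d-------- c:\documents and settings\Mom And Dad\Application Data\BitTorrent
"""

if __name__ == "__main__":
    print(build_cfscript(find_drop_bursts(parse_created(SAMPLE_LOG))), end="")
```

On the sample, the only burst reported is the 13 files at 2008-10-29 08:00; the patched afd.sys is skipped because its creation time differs from its modification time.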
     
  16. 2008/11/17
    bsrrx Lifetime Subscription

    bsrrx Inactive Thread Starter

    Joined:
    2008/11/12
    Messages:
    13
    Likes Received:
    0
    Here's the combofix log. Websites no longer appear blocked and google searches no longer redirect. Joy!

    ComboFix 08-11-16.05 - Bennie 2008-11-17 21:17:39.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -5:00]
    Running from: c:\documents and settings\Bennie\Desktop\fixcombo.exe
    Command switches used :: c:\documents and settings\Bennie\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\documents and settings\All Users\Application Data\tiluna.dat
    c:\program files\Common Files\ulyres.reg
    c:\program files\Common Files\uqefocutac.lib
    c:\program files\Common Files\vybizyri.com
    c:\windows\eqebos.inf
    c:\windows\fagoborisy.dat
    c:\windows\jidax._sy
    c:\windows\powivoh.dl
    c:\windows\system32\eqyjyge.lib
    c:\windows\system32\nidyk.sys
    c:\windows\tixyhigol.dat
    c:\windows\umaqujy.ban
    c:\windows\yfuheqo.lib
    c:\windows\zaxuju.com
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\tiluna.dat
    c:\documents and settings\All Users\Application Data\Trymedia
    c:\documents and settings\All Users\Application Data\Trymedia\data\{230B4687-912C-BF65-2962-519942F8FA4E}
    c:\documents and settings\All Users\Application Data\Trymedia\data\{2F6D71E8-0088-01C7-8C65-22C89698D50D}
    c:\documents and settings\All Users\Application Data\Trymedia\data\{7D7B7B0D-9C58-4BE3-B069-6A574912DFC1}
    c:\documents and settings\All Users\Application Data\Trymedia\data\{C4D1423E-978E-89DB-8839-95EAEB289AFA}
    c:\program files\Common Files\ulyres.reg
    c:\program files\Common Files\uqefocutac.lib
    c:\program files\Common Files\vybizyri.com
    c:\windows\eqebos.inf
    c:\windows\fagoborisy.dat
    c:\windows\jidax._sy
    c:\windows\powivoh.dl
    c:\windows\system32\eqyjyge.lib
    c:\windows\system32\nidyk.sys
    c:\windows\tixyhigol.dat
    c:\windows\umaqujy.ban
    c:\windows\yfuheqo.lib
    c:\windows\zaxuju.com

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
    .

    2008-11-17 05:44 . 2008-11-17 07:07 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2008-11-17 05:42 . 2008-08-14 04:51 138,368 -----c--- c:\windows\system32\dllcache\afd.sys
    2008-11-16 22:25 . 2008-11-16 22:26 <DIR> d-------- C:\rsit
    2008-11-12 22:10 . 2008-11-12 22:10 <DIR> d-------- C:\!KillBox
    2008-10-29 13:49 . 2008-10-29 13:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\HotSync
    2008-10-28 15:56 . 2008-10-28 15:56 <DIR> d-------- c:\documents and settings\Mom And Dad\Application Data\BitTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-18 02:06 --------- d-----w c:\program files\Norton SystemWorks
    2008-11-18 02:06 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-11-17 21:07 --------- d-----w c:\program files\Microsoft Silverlight
    2008-11-11 05:37 --------- d-----w c:\documents and settings\Bennie\Application Data\Ruckus Network
    2008-10-29 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-16 22:58 --------- d-----w c:\documents and settings\Bennie\Application Data\goombah
    2008-10-10 15:15 --------- d-----w c:\program files\VideoLAN
    2008-10-05 22:38 --------- d-----w c:\program files\iTunes
    2008-10-05 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-10-05 22:37 --------- d-----w c:\program files\iPod
    2008-10-03 18:34 625,032 ----a-w c:\windows\system32\SymNeti.dll
    2008-10-03 18:34 242,056 ----a-w c:\windows\system32\SymRedir.dll
    2008-10-03 18:14 39,984 ----a-w c:\windows\system32\drivers\symids.sys
    2008-10-03 18:14 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
    2008-10-03 18:14 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
    2008-10-03 18:14 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
    2008-10-03 18:14 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
    2008-10-03 18:14 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
    2008-10-03 18:14 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
    2008-10-03 18:14 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
    2008-10-03 18:14 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
    2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-26 23:17 --------- d-----w c:\program files\Warcraft II BNE
    2008-09-24 03:15 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-09-23 12:53 --------- d-----w c:\program files\Electronic Arts
    2008-09-23 12:52 3,136 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2008-09-19 16:20 --------- d-----w c:\program files\Bonjour
    2008-09-19 16:18 --------- d-----w c:\program files\QuickTime
    2008-09-19 16:17 --------- d-----w c:\program files\Common Files\Apple
    2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
    2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
    2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
    2008-08-20 05:38 659,456 ----a-w c:\windows\system32\wininet.dll
    2008-05-02 18:55 21,872 ----a-w c:\documents and settings\Bennie\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-26 13:07 21,872 -c--a-w c:\documents and settings\Mom And Dad\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-17_ 1.11.57.73 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-06-13 13:10:50 272,128 ------w c:\windows\Driver Cache\i386\bthport.sys
    - 2006-05-05 09:41:45 453,120 -c----w c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
    - 2007-02-28 09:08:48 2,136,064 -c----w c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2008-08-14 09:58:27 2,136,064 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
    - 2007-02-28 08:38:55 2,057,600 -c----w c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2008-08-14 09:22:13 2,057,728 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
    - 2007-02-28 08:38:57 2,015,744 -c----w c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2008-08-14 09:22:14 2,015,744 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
    - 2007-02-28 09:10:57 2,180,352 -c----w c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2008-08-14 10:00:45 2,180,352 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2008-11-17 11:38:05 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
    - 2007-10-11 06:13:44 1,023,488 ----a-w c:\windows\system32\browseui.dll
    + 2008-08-20 05:38:45 1,023,488 ----a-w c:\windows\system32\browseui.dll
    - 2007-10-11 06:13:44 151,040 ----a-w c:\windows\system32\cdfview.dll
    + 2008-08-20 05:38:39 151,040 ----a-w c:\windows\system32\cdfview.dll
    - 2007-10-11 06:13:44 1,054,208 -c--a-w c:\windows\system32\danim.dll
    + 2008-08-20 05:38:40 1,054,208 ----a-w c:\windows\system32\danim.dll
    - 2007-10-11 06:13:44 1,023,488 -c----w c:\windows\system32\dllcache\browseui.dll
    + 2008-08-20 05:38:45 1,023,488 -c----w c:\windows\system32\dllcache\browseui.dll
    - 2004-08-04 03:10:38 274,304 -c--a-w c:\windows\system32\dllcache\bthport.sys
    + 2008-06-13 13:10:50 272,128 -c--a-w c:\windows\system32\dllcache\bthport.sys
    - 2007-10-11 06:13:44 151,040 -c----w c:\windows\system32\dllcache\cdfview.dll
    + 2008-08-20 05:38:39 151,040 -c----w c:\windows\system32\dllcache\cdfview.dll
    - 2007-10-11 06:13:44 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
    + 2008-08-20 05:38:40 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
    - 2007-10-11 06:13:44 357,888 -c----w c:\windows\system32\dllcache\dxtmsft.dll
    + 2008-08-20 05:38:40 357,888 -c----w c:\windows\system32\dllcache\dxtmsft.dll
    - 2007-10-11 06:13:44 205,312 -c----w c:\windows\system32\dllcache\dxtrans.dll
    + 2008-08-20 05:38:40 205,312 -c----w c:\windows\system32\dllcache\dxtrans.dll
    + 2008-07-07 20:32:22 253,952 -c----w c:\windows\system32\dllcache\es.dll
    - 2007-10-11 06:13:44 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
    + 2008-08-20 05:38:40 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
    - 2007-10-10 11:16:27 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
    + 2008-08-19 09:30:39 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
    - 2007-10-11 06:13:44 251,392 -c----w c:\windows\system32\dllcache\iepeers.dll
    + 2008-08-20 05:38:41 251,392 -c----w c:\windows\system32\dllcache\iepeers.dll
    - 2007-08-21 06:15:44 683,520 -c----w c:\windows\system32\dllcache\inetcomm.dll
    + 2008-04-11 18:50:43 683,520 -c----w c:\windows\system32\dllcache\inetcomm.dll
    - 2007-10-11 06:13:44 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
    + 2008-08-20 05:38:41 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
    - 2007-11-14 07:26:56 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
    + 2007-12-18 14:40:58 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
    - 2007-10-11 06:13:44 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
    + 2008-08-20 05:38:44 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
    - 2006-05-05 09:41:45 453,120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
    + 2008-10-24 11:10:42 453,632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
    - 2004-08-04 04:56:44 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
    + 2008-05-01 14:30:33 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
    + 2008-06-24 16:23:05 74,240 -c----w c:\windows\system32\dllcache\mscms.dll
    - 2007-10-30 10:16:33 3,058,688 -c----w c:\windows\system32\dllcache\mshtml.dll
    + 2008-08-20 05:38:47 3,060,224 -c----w c:\windows\system32\dllcache\mshtml.dll
    - 2007-10-11 06:13:45 449,024 -c----w c:\windows\system32\dllcache\mshtmled.dll
    + 2008-08-20 05:38:43 449,024 -c----w c:\windows\system32\dllcache\mshtmled.dll
    - 2007-10-11 06:13:45 146,432 -c----w c:\windows\system32\dllcache\msrating.dll
    + 2008-08-20 05:38:41 146,432 -c----w c:\windows\system32\dllcache\msrating.dll
    - 2007-10-11 06:13:45 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
    + 2008-08-20 05:38:41 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
    - 2007-06-26 06:08:16 1,104,896 -c----w c:\windows\system32\dllcache\msxml3.dll
    + 2008-09-04 16:42:02 1,106,944 -c----w c:\windows\system32\dllcache\msxml3.dll
    - 2006-08-17 12:28:27 332,288 -c----w c:\windows\system32\dllcache\netapi32.dll
    + 2008-10-15 16:57:55 332,800 -c----w c:\windows\system32\dllcache\netapi32.dll
    - 2007-02-28 09:08:48 2,136,064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
    + 2008-08-14 09:58:27 2,136,064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
    - 2007-02-28 08:38:55 2,057,600 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2008-08-14 09:22:13 2,057,728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
    - 2007-02-28 08:38:57 2,015,744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
    + 2008-08-14 09:22:14 2,015,744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
    - 2007-02-28 09:10:57 2,180,352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
    + 2008-08-14 10:00:45 2,180,352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
    - 2007-10-11 06:13:45 39,424 -c----w c:\windows\system32\dllcache\pngfilt.dll
    + 2008-08-20 05:38:41 39,424 -c----w c:\windows\system32\dllcache\pngfilt.dll
    - 2007-10-29 22:43:03 1,287,680 -c----w c:\windows\system32\dllcache\quartz.dll
    + 2008-05-07 05:18:48 1,287,680 -c----w c:\windows\system32\dllcache\quartz.dll
    - 2006-07-13 08:48:58 202,240 -c--a-w c:\windows\system32\dllcache\rmcast.sys
    + 2008-05-08 12:28:49 202,752 -c--a-w c:\windows\system32\dllcache\rmcast.sys
    - 2007-10-11 06:13:45 1,494,528 -c----w c:\windows\system32\dllcache\shdocvw.dll
    + 2008-08-20 05:38:42 1,494,528 -c----w c:\windows\system32\dllcache\shdocvw.dll
    - 2007-10-11 06:13:45 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
    + 2008-08-20 05:38:44 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
    - 2006-08-14 10:34:41 332,928 -c----w c:\windows\system32\dllcache\srv.sys
    + 2008-08-28 10:04:17 333,056 -c----w c:\windows\system32\dllcache\srv.sys
    - 2007-10-11 06:13:45 615,424 -c----w c:\windows\system32\dllcache\urlmon.dll
    + 2008-08-20 05:38:45 615,936 -c----w c:\windows\system32\dllcache\urlmon.dll
    + 2007-12-18 14:40:58 417,792 -c----w c:\windows\system32\dllcache\vbscript.dll
    - 2007-03-08 13:47:48 1,843,584 -c----w c:\windows\system32\dllcache\win32k.sys
    + 2008-09-15 11:57:41 1,846,016 -c----w c:\windows\system32\dllcache\win32k.sys
    - 2007-10-11 06:13:45 659,456 -c----w c:\windows\system32\dllcache\wininet.dll
    + 2008-08-20 05:38:43 659,456 -c----w c:\windows\system32\dllcache\wininet.dll
    - 2004-08-04 03:14:16 138,496 ----a-w c:\windows\system32\drivers\afd.sys
    + 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
    - 2004-08-04 03:10:38 274,304 -c----w c:\windows\system32\drivers\bthport.sys
    + 2008-06-13 13:10:50 272,128 ------w c:\windows\system32\drivers\bthport.sys
    - 2006-07-13 08:48:58 202,240 -c--a-w c:\windows\system32\drivers\rmcast.sys
    + 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
    - 2006-08-14 10:34:41 332,928 ----a-w c:\windows\system32\drivers\srv.sys
    + 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
    - 2007-10-11 06:13:44 357,888 ----a-w c:\windows\system32\dxtmsft.dll
    + 2008-08-20 05:38:40 357,888 ----a-w c:\windows\system32\dxtmsft.dll
    - 2007-10-11 06:13:44 205,312 ----a-w c:\windows\system32\dxtrans.dll
    + 2008-08-20 05:38:40 205,312 ----a-w c:\windows\system32\dxtrans.dll
    - 2005-07-26 04:39:45 243,200 ----a-w c:\windows\system32\es.dll
    + 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
    - 2007-10-11 06:13:44 55,808 -c----w c:\windows\system32\extmgr.dll
    + 2008-08-20 05:38:40 55,808 ------w c:\windows\system32\extmgr.dll
    - 2007-07-17 20:47:07 121,336 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2008-11-17 21:07:21 121,336 ----a-w c:\windows\system32\FNTCACHE.DAT
    - 2007-10-11 06:13:44 251,392 ----a-w c:\windows\system32\iepeers.dll
    + 2008-08-20 05:38:41 251,392 ----a-w c:\windows\system32\iepeers.dll
    - 2007-08-21 06:15:44 683,520 ----a-w c:\windows\system32\inetcomm.dll
    + 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
    - 2007-10-11 06:13:44 96,256 -c--a-w c:\windows\system32\inseng.dll
    + 2008-08-20 05:38:41 96,256 ----a-w c:\windows\system32\inseng.dll
    - 2007-11-14 07:26:56 450,560 ----a-w c:\windows\system32\jscript.dll
    + 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\jscript.dll
    - 2007-10-11 06:13:44 16,384 -c--a-w c:\windows\system32\jsproxy.dll
    + 2008-08-20 05:38:44 16,384 ----a-w c:\windows\system32\jsproxy.dll
    - 2005-06-29 01:46:00 74,240 ----a-w c:\windows\system32\mscms.dll
    + 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
    - 2007-10-30 10:16:33 3,058,688 ----a-w c:\windows\system32\mshtml.dll
    + 2008-08-20 05:38:47 3,060,224 ----a-w c:\windows\system32\mshtml.dll
    - 2007-10-11 06:13:45 449,024 ----a-w c:\windows\system32\mshtmled.dll
    + 2008-08-20 05:38:43 449,024 ----a-w c:\windows\system32\mshtmled.dll
    - 2007-10-11 06:13:45 146,432 ----a-w c:\windows\system32\msrating.dll
    + 2008-08-20 05:38:41 146,432 ----a-w c:\windows\system32\msrating.dll
    - 2007-10-11 06:13:45 532,480 -c--a-w c:\windows\system32\mstime.dll
    + 2008-08-20 05:38:41 532,480 ----a-w c:\windows\system32\mstime.dll
    - 2006-08-17 12:28:27 332,288 ----a-w c:\windows\system32\netapi32.dll
    + 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
    - 2007-02-28 08:38:55 2,057,600 ----a-w c:\windows\system32\ntkrnlpa.exe
    + 2008-08-14 09:22:13 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
    - 2007-02-28 09:10:57 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
    + 2008-08-14 10:00:45 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
    - 2007-10-11 06:13:45 39,424 ----a-w c:\windows\system32\pngfilt.dll
    + 2008-08-20 05:38:41 39,424 ----a-w c:\windows\system32\pngfilt.dll
    - 2007-10-29 22:43:03 1,287,680 ----a-w c:\windows\system32\quartz.dll
    + 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
    - 2007-10-11 06:13:45 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
    + 2008-08-20 05:38:42 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
    - 2007-10-11 06:13:45 474,112 ----a-w c:\windows\system32\shlwapi.dll
    + 2008-08-20 05:38:44 474,112 ----a-w c:\windows\system32\shlwapi.dll
    - 2006-12-10 18:10:02 14,640 -c----w c:\windows\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    - 2007-11-13 11:31:11 60,416 -c----w c:\windows\system32\tzchange.exe
    + 2008-07-14 11:09:18 62,976 ------w c:\windows\system32\tzchange.exe
    - 2007-10-11 06:13:45 615,424 ----a-w c:\windows\system32\urlmon.dll
    + 2008-08-20 05:38:45 615,936 ----a-w c:\windows\system32\urlmon.dll
    - 2004-08-04 04:56:48 417,792 ----a-w c:\windows\system32\vbscript.dll
    + 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
    - 2007-10-29 10:26:53 115,712 ----a-w c:\windows\system32\xpsp3res.dll
    + 2008-08-19 09:20:32 351,744 ----a-w c:\windows\system32\xpsp3res.dll
    + 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
    + 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
    + 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-05 68856]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-10-28 107112]
    "osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-15 180269]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2007-12-03 25472]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-05-15 845408]
    HOTSYNCSHORTCUTNAME.lnk - c:\palm\Hotsync.exe [2004-06-09 471040]
    Norton GoBack.lnk - c:\program files\Norton SystemWorks\Norton GoBack\GBTray.exe [2006-07-19 861872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoLogoff"= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"= 0 (0x0)
    "NoSetFolders"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 als4k;Avance Wave Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [2005-04-02 25674]
    R3 ALS4KMF;ALS4KMF;c:\windows\system32\drivers\mf.sys [2001-08-17 63744]
    R3 alsgame;Gameport for ALS4000 (WDM);c:\windows\system32\drivers\alsgame.sys [2005-04-02 15088]
    R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2006-03-11 6656]
    S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys []
    S3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2001-09-27 285088]
    S3 pfsvgae;pfsvgae;\??\c:\docume~1\Bryan\LOCALS~1\Temp\pfsvgae.sys []
    S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\PRISMUSB.sys [2005-07-30 636502]
    S4 hpt3xx;hpt3xx; []
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-10-31 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Bennie.job
    - c:\progra~1\NORTON~2\Navw32.exe [2006-09-07 01:38]

    2008-10-27 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2007-12-03 00:41]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-17 21:24:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\windows\system32\Ati2evxx.dll
    -> c:\windows\System32\NavLogon.dll
    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\windows\system32\Ati2evxx.dll
    -> c:\windows\System32\NavLogon.dll
    .
    Completion time: 2008-11-17 21:28:05
    ComboFix-quarantined-files.txt 2008-11-18 02:27:55
    ComboFix2.txt 2008-11-17 06:13:04

    Pre-Run: 30,938,247,168 bytes free
    Post-Run: 30,924,886,016 bytes free

    343 --- E O F --- 2008-11-17 12:09:02
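
    The driver/service list and the Security Center keys in the log above are where a triage of a ComboFix log usually starts: two drivers (rxp, pfsvgae) show an empty [] where every legitimate entry shows a date and size, one of them is registered from a user's Temp directory, and the Security Center DisableMonitoring values are set to 1, which tells Windows Security Center to stop tracking the Symantec products (legitimate suites sometimes set this themselves, so treat it as a cue to check, not as proof). The Python script below is an added example, not code from the thread or from ComboFix: it parses those lines (copied from the log above as a constructed sample) and flags the ones a helper would ask about. Two assumptions are made in it: the digit after R/S is read as the service's Windows Start value (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), and an empty [] is read as "binary not found on disk" because the other entries all carry a date and size.

```python
"""Triage the driver/service list and Security Center keys from a ComboFix log."""
import re

# Constructed sample: the driver/service lines and two of the Security Center
# keys copied from the ComboFix log above (forum rendering artifacts removed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R3 als4k;Avance Wave Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [2005-04-02 25674]
R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2006-03-11 6656]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys []
S3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2001-09-27 285088]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\Bryan\LOCALS~1\Temp\pfsvgae.sys []
S4 hpt3xx;hpt3xx; []
"""

# "R3 name;display;path [date size]": R/S = running/stopped; the digit is
# assumed to be the service's Start value; an empty [] is assumed to mean the
# binary was not found, since every legitimate entry carries a date and size.
SERVICE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]$")
KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
TEMP_DIR = re.compile(r"\\temp\\", re.I)

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


def audit_services(text):
    """Return the service/driver entries that deserve a look, with the reason(s)."""
    flagged = []
    for line in text.splitlines():
        m = SERVICE.match(line.strip())
        if not m:
            continue
        reasons = []
        if not m["stamp"]:
            reasons.append("no date/size recorded: binary not found on disk")
        if TEMP_DIR.search(m["path"]):
            reasons.append("driver image lives in a Temp directory")
        if reasons:
            flagged.append({
                "name": m["name"],
                "state": "running" if m["state"] == "R" else "stopped",
                "start": START_TYPES.get(m["start"], m["start"]),
                "path": m["path"],
                "reasons": reasons,
            })
    return flagged


def audit_security_center(text):
    """Return the Security Center keys whose DisableMonitoring value is 1."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY.match(line)
        if km:
            key = km["key"]          # remember the key the next values belong to
            continue
        vm = DWORD.match(line)
        if (vm and key and "security center" in key.lower()
                and vm["name"].lower() == "disablemonitoring"
                and int(vm["hex"], 16) == 1):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for entry in audit_services(SAMPLE_LOG):
        print(f"{entry['name']:10} {entry['state']}/{entry['start']:8} {entry['path']}")
        for reason in entry["reasons"]:
            print(f"{'':10} - {reason}")
    for key in audit_security_center(SAMPLE_LOG):
        print(f"DisableMonitoring=1 under {key}")
```

    On the sample this flags rxp (system start, binary missing), pfsvgae (binary missing and registered from a Temp directory) and hpt3xx (disabled, no image path, the least interesting of the three), plus both DisableMonitoring keys. A missing binary on a system-start driver is exactly what is left behind when a rootkit's file has already been removed but its service registration has not.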
     
  17. 2008/11/17
    Geri
    Hi
    OK good.

    Please do the following.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now an online scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on “Accept” if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the “Scan Report” on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  18. 2008/11/18
    bsrrx
    Sorry for the wait, ran ATF and am running Kaspersky now. 2 hours into scan with nothing evil found yet. Crossing fingers!
     
  19. 2008/11/19
    bsrrx
    Here are the results from Kaspersky...


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, November 19, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, November 18, 2008 20:05:17
    Records in database: 1392277
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\

    Scan statistics:
    Files scanned: 120906
    Threat name: 7
    Infected objects: 15
    Suspicious objects: 0
    Duration of the scan: 06:34:29


    File name / Threat name / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.a 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmhxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wini10801.exe.vir Infected: Trojan.Win32.FraudPack.gsr 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bf 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0573972.sys Infected: Backdoor.Win32.UltimateDefender.a 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574972.sys Infected: Backdoor.Win32.TDSS.bkw 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574973.dll Infected: Backdoor.Win32.TDSS.blh 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574974.dll Infected: Backdoor.Win32.TDSS.asz 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574975.dll Infected: Backdoor.Win32.TDSS.atb 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574986.cpl Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bf 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574989.sys Infected: Backdoor.Win32.UltimateDefender.a 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574990.exe Infected: Trojan.Win32.FraudPack.gsr 1

    The selected area was scanned.
     
  20. 2008/11/19
    Geri
    Hi
    OK great.

    Please do this.

    Click Start > Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.
    Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    Delete RSIT.exe and this folder C:\rsit

    Now run another Kaspersky scan and let me know if it comes up clean, if not then post the report.

    Thanks
    Geri
     
  21. 2008/11/22
    bsrrx
    Sorry to take so long, things got kind of crazy at work this week. (It snows and the world goes insane!) Here's the new Kaspersky log.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, November 22, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, November 22, 2008 00:20:17
    Records in database: 1400738
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Files scanned: 129098
    Threat name: 7
    Infected objects: 8
    Suspicious objects: 0
    Duration of the scan: 07:11:29


    File name / Threat name / Threats count
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0573972.sys Infected: Backdoor.Win32.UltimateDefender.a 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574972.sys Infected: Backdoor.Win32.TDSS.bkw 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574973.dll Infected: Backdoor.Win32.TDSS.blh 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574974.dll Infected: Backdoor.Win32.TDSS.asz 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574975.dll Infected: Backdoor.Win32.TDSS.atb 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574986.cpl Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bf 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574989.sys Infected: Backdoor.Win32.UltimateDefender.a 1
    C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574990.exe Infected: Trojan.Win32.FraudPack.gsr 1

    The selected area was scanned.
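
    Both Kaspersky reports in this thread list detections only under C:\Qoobox\Quarantine (ComboFix's quarantine folder, the .vir copies) and under System Volume Information\_restore{...} (System Restore snapshots), which are the two places Geri's ComboFix /u instruction is meant to clear; no detection sits in a path the running system would actually load. Reading a report that way, by location rather than by threat name, is what separates "still infected" from "leftover copies". The Python script below is an added example (not from the thread and not part of Kaspersky) that sorts a report's detection lines into live, quarantine and restore-point buckets so that any live finding stands out; its embedded sample is constructed from lines of the two reports above plus one hypothetical live path (example.sys) that appears in neither report, included only so the live bucket is exercised.

```python
"""Triage a Kaspersky Online Scanner report by where each detected file lives."""
import re
from collections import defaultdict

# Constructed sample: detection lines copied from the two reports above, plus
# one hypothetical line (example.sys, NOT in either report) so that the
# "live" category has something in it.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmhxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bf 1
C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574972.sys Infected: Backdoor.Win32.TDSS.bkw 1
C:\System Volume Information\_restore{939ECDE4-AA4F-45B1-8C37-3BD155E08E05}\RP567\A0574990.exe Infected: Trojan.Win32.FraudPack.gsr 1
C:\WINDOWS\system32\drivers\example.sys Infected: Backdoor.Win32.TDSS.bkw 1
"""

# One detection per line: "<path> Infected: <threat> <count>"; paths may
# contain spaces, so the path group is non-greedy up to " Infected: ".
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Where the file sits decides whether it can still execute. Anything that
# matches none of these is treated as a live file on the system.
LOCATIONS = [
    # ComboFix quarantine copies, renamed with a .vir extension
    ("quarantine", re.compile(r"\\Qoobox\\Quarantine\\", re.I)),
    # System Restore snapshot copies; cleared when the restore points are reset
    ("restore_point", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
]


def classify(path):
    """Return 'quarantine', 'restore_point' or 'live' for a detected path."""
    for label, pattern in LOCATIONS:
        if pattern.search(path):
            return label
    return "live"


def parse_report(text):
    """Return one dict per detection line: path, threat, count, location."""
    findings = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            findings.append({
                "path": m["path"],
                "threat": m["threat"],
                "count": int(m["count"]),
                "location": classify(m["path"]),
            })
    return findings


def triage(text):
    """Summarise object counts and threat names per location."""
    summary = defaultdict(lambda: {"objects": 0, "threats": set()})
    for f in parse_report(text):
        summary[f["location"]]["objects"] += f["count"]
        summary[f["location"]]["threats"].add(f["threat"])
    return dict(summary)


def live_paths(text):
    """The only detections that still need cleaning: files outside quarantine/snapshots."""
    return [f["path"] for f in parse_report(text) if f["location"] == "live"]


if __name__ == "__main__":
    for location, info in triage(SAMPLE_REPORT).items():
        print(f"{location:14} {info['objects']} object(s): {', '.join(sorted(info['threats']))}")
    print("needs action:", live_paths(SAMPLE_REPORT))
```

    Run against the real reports above (without the hypothetical line) the live bucket is empty for both scans, which is the check to make before deciding whether a second cleaning pass is needed: quarantine and restore-point copies cannot run, but they will keep lighting up every scanner until the quarantine folder and the old restore points are removed.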
     
