
Solved Unknown virus/redirection software

Discussion in 'Malware and Virus Removal Archive' started by mobtgmjb, 2009/03/09.

  1. 2009/03/09
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Joined:
    2009/03/09
    Messages:
    13
    Likes Received:
    0
    [Resolved] Unknown virus/redirection software

    I appear to have a virus on this computer. I am occasionally redirected when clicking on websites from Google. This includes well-known sites such as bbc.co.uk. I was running McAfee Internet Security Suite but this did not detect the problem. I installed AVG (trial version) but again this did not detect it. I tried to reinstall McAfee but was unable to; it claimed that I needed to reboot before an install was possible. I tried a reboot but the same error message appeared. On searching the web I found a solution was to edit the registry setting corresponding to the McAfee reboot request. I tried this but was unable to run regedit! On searching the windows/system32 folder I found that regedit.exe was missing. regedit32.exe is present though. I am now running Kaspersky but again no luck finding the problem.

    I have downloaded dss.scr as advised to help with this post but it does not seem to open the logs I expect. I'm not sure if I have script-blocking software!

    Many thanks in advance.

    Mike.
     
    Last edited: 2009/03/09
  2. 2009/03/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi mobtgmjb
    Welcome to WindowsBBS

    OK, let's see if you can download and run this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double-click combofix.exe and follow the prompts.
    • Vista users: right-click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Thanks
    Geri
     


  4. 2009/03/13
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Hi Geri,

    Many thanks for responding to my question.

    I've downloaded combofix.exe, switched off Kaspersky and launched the program.

    I get a small dialog box saying ComboFix is starting and then nothing. I've tried running this program on a different computer (my laptop, which is not infected) and it works fine! From this I noticed that ComboFix launches in DOS, so I ran cmd from Programs\Run, but no DOS window!

    I don't know if this makes sense, but when Windows starts up I see my desktop items, all of the startup programs begin to appear at the bottom right of the screen (next to the clock), and then the screen goes clear (except for my desktop wallpaper) and most of the startup programs have disappeared from the bottom right of the screen (with the exception of Kaspersky and volume control). It seems as if I'm operating in a shell within Windows! (I'm running XP Pro Service Pack 3.)

    Just to let you know, since my first post I have downloaded and run Spybot and Ad-Aware, but with the exception of a couple of cookies there doesn't seem to be any obvious problem.

    Thanks Mike.
     
  5. 2009/03/13
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    I have downloaded hijackthis and this runs OK. Here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:58:26, on 21/04/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
    C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061123
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061123
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061123
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
    O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
    O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [359F5809-00B8-4455-A73A-9EA62A51101B] "C:\Documents and Settings\All Users\Application Data\5378CDF0.exe"
    O4 - HKLM\..\Run: [1268329661] "C:\Documents and Settings\All Users\Application Data\625646896\1268329661.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
    O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236072404625
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

    --
    End of file - 8791 bytes

    Thanks. Mike.
     
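The two HKLM\..\Run entries in this log that point into All Users\Application Data under bare hex/numeric names (5378CDF0.exe and 1268329661.exe) are exactly what a first pass over a HijackThis log should surface; ComboFix later removes both as orphans. The script below is an added example, not part of the thread and not HijackThis code: it parses O4 lines and flags run entries that launch from user-writable data folders under random-looking names or GUID/numeric value names, and startup shortcuts that launch cmd.exe directly. The sample log is a constructed excerpt of the entries posted above, and the folder list and thresholds are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis log posted above
# (O4 entries copied from it, trailing spaces removed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [359F5809-00B8-4455-A73A-9EA62A51101B] "C:\Documents and Settings\All Users\Application Data\5378CDF0.exe"
O4 - HKLM\..\Run: [1268329661] "C:\Documents and Settings\All Users\Application Data\625646896\1268329661.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?:Global )?Startup: (?P<lnk>.+?\.lnk) = (?P<target>.*)$')

# Assumption: folders any logged-on user can write to, where a product's own
# auto-start binary would rarely live (Program Files is the normal home).
USER_WRITABLE = ('\\application data\\', '\\local settings\\', '\\temp\\')

Finding = Tuple[str, str, str]  # (severity, entry, reason)


def _exe_path(cmd: str) -> str:
    """Return the launched file from an O4 command string (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd[1:].strip()
    return cmd.split()[0] if cmd else ''


def _looks_random(stem: str) -> bool:
    """Bare hex or decimal strings of the kind droppers use for file names (assumed thresholds)."""
    return bool(re.fullmatch(r'[0-9A-Fa-f]{8,}', stem) or re.fullmatch(r'\d{6,}', stem))


def _is_guid(name: str) -> bool:
    return bool(re.fullmatch(r'[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}', name))


def triage_o4(log_text: str) -> List[Finding]:
    """Score every O4 line; return only the entries that earned at least one reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            name, path = m.group('name').strip(), _exe_path(m.group('cmd'))
            stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            reasons = []
            if any(d in path.lower() for d in USER_WRITABLE):
                reasons.append('launches from a user-writable data folder')
            if _looks_random(stem):
                reasons.append('file name is a bare hex/number string')
            if _is_guid(name) or name.isdigit():
                reasons.append('value name is a GUID or number rather than a product name')
            if reasons:
                severity = 'suspicious' if len(reasons) >= 2 else 'review'
                findings.append((severity, name, '; '.join(reasons)))
            continue
        m = STARTUP_RE.match(line)
        if m and m.group('target').strip().lower().endswith('\\cmd.exe'):
            # A startup shortcut that runs the shell directly deserves a look; here the
            # name suggests the McAfee reboot marker the poster mentioned, so confirm
            # its origin rather than delete it on sight.
            findings.append(('review', m.group('lnk'), 'startup shortcut launches cmd.exe directly'))
    return findings


if __name__ == '__main__':
    for severity, entry, reason in triage_o4(SAMPLE_LOG):
        print(f'{severity:10} {entry}: {reason}')
```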
  6. 2009/03/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    OK, let's try this.

    Delete the Combofix.exe that you have.

    Download ComboFix from Here

    Before saving it, rename it to Mobofcix.exe, then download it to your Desktop.

    Please run it this way.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double-click combofix.exe and follow the prompts.
    • Vista users: right-click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the log if that works.

    Geri
     
  8. 2009/03/23
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Hi Geri,

    I've tried ComboFix, having downloaded it to the desktop and saved it as Mobofcix.exe. Double-click from the desktop and a small window appears with a progress bar; when it reaches completed progress this window closes and nothing else happens. I presume this is the same problem Mike had with the program.

    Angie
     
  9. 2009/03/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    OK please do this.

    Download RootRepeal.zip to your Desktop.
    • Extract the compressed file to its own folder.
    • Open the folder and double-click on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the report in a reply here

    Thanks
    Geri
     
  10. 2009/03/27
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Hi,

    Thanks as always. I have run the RootRepeal scan and the report follows:

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/03/27 10:59
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB62BF000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBA63C000 Size: 8192 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB32B7000 Size: 45056 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\wbem\Logs\wbemess.log
    Status: Size mismatch (API: 45000, Raw: 44616)

    Path: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\av4.tmp
    Status: Allocation size mismatch (API: 139395072, Raw: 0)

    Path: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP8\Report\01\0000007C_objdt.dat
    Status: Allocation size mismatch (API: 152, Raw: 0)

    SSDT
    -------------------
    #: 011 Function Name: NtAdjustPrivilegesToken
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66301da

    #: 025 Function Name: NtClose
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66307ae

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66321ea

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6631b9c

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662f950

    #: 052 Function Name: NtCreateSymbolicLinkObject
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633b7c

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66305ae

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662fd92

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662ff92

    #: 066 Function Name: NtDeviceIoControlFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6631eac

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6634084

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66300a8

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6630110

    #: 084 Function Name: NtFsControlFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6631d5e

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633620

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66319f8

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662fab2

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66303b2

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633ba6

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66302fe

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6630178

    #: 161 Function Name: NtQueryMultipleValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662fe7c

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662fc5a

    #: 180 Function Name: NtQueueApcThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633888

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662f5d2

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6632a74

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662f734

    #: 206 Function Name: NtResumeThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633f56

    #: 207 Function Name: NtSaveKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662f3d0

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb663208c

    #: 213 Function Name: NtSetContextThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66306ac

    #: 237 Function Name: NtSetSecurityObject
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb663371a

    #: 240 Function Name: NtSetSystemInformation
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633bd0

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb662fb08

    #: 253 Function Name: NtSuspendProcess
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633cb4

    #: 254 Function Name: NtSuspendThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb6633de0

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb663354c

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb663047e

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66304f0

    I'm sure it will make more sense to you than me!

    Angie
     
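Every SSDT hook in the report above is placed by klif.sys, Kaspersky's own filter driver, and the drivers listed as not visible on disk are the crash-dump copies (dump_*) and RootRepeal's own driver, so the report shows the installed security software rather than a rootkit. The script below is an added example, not RootRepeal's code and not from the thread: it parses the report's Drivers and SSDT sections, groups hooks by hooking module and labels the modules a known product accounts for. The sample report is a constructed excerpt of the one posted, plus one constructed unknown-driver hook so the other branch is exercised, and the known-module table is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the RootRepeal report above. The last SSDT entry
# (EXAMPLE_unknown.sys) is invented here to exercise the "unattributed" branch.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB62BF000 Size: 98304 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB32B7000 Size: 45056 File Visible: No
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66301da

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb66303b2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\EXAMPLE_unknown.sys" at address 0xb6000000
"""

# Assumption: modules that legitimately hook the SSDT on this machine.
KNOWN_HOOKERS = {
    'klif.sys': 'Kaspersky Lab filter driver (KIS 2009 is installed)',
    'rootrepeal.sys': "RootRepeal's own scanning driver",
}
# Assumption: dump_* drivers are the crash-dump copies of the disk stack, loaded
# from memory at boot, so "File Visible: No" is normal for them.
EXPECTED_INVISIBLE_PREFIXES = ('dump_',)

FUNC_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)')
HOOK_RE = re.compile(r'^Status:\s*Hooked by\s+"([^"]+)"\s+at address\s+(0x[0-9a-fA-F]+)')
DRIVER_RE = re.compile(r'^Name:\s*(\S+)')
VISIBLE_RE = re.compile(r'File Visible:\s*(Yes|No)')


def parse_ssdt_hooks(report: str) -> List[Dict[str, object]]:
    """Pair each '#: NNN Function Name:' line with the 'Status: Hooked by' line after it."""
    hooks, pending = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = FUNC_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = HOOK_RE.match(line)
        if m and pending:
            hooks.append({'index': pending[0], 'function': pending[1],
                          'module': m.group(1), 'address': m.group(2)})
            pending = None
    return hooks


def summarise_hooks(hooks: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Group hooks by hooking module and say whether a known product explains them."""
    by_module: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        by_module[str(h['module']).rsplit('\\', 1)[-1].lower()].append(str(h['function']))
    summary: Dict[str, Dict[str, object]] = {}
    for mod, funcs in by_module.items():
        if mod in KNOWN_HOOKERS:
            verdict = 'expected: ' + KNOWN_HOOKERS[mod]
        else:
            verdict = 'unattributed: identify the driver before acting on it'
        summary[mod] = {'count': len(funcs), 'functions': funcs, 'verdict': verdict}
    return summary


def invisible_drivers(report: str) -> List[Tuple[str, str]]:
    """Drivers reported 'File Visible: No', labelled expected or review."""
    out, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            current = m.group(1)
        m = VISIBLE_RE.search(line)
        if m and current and m.group(1) == 'No':
            name = current.lower()
            expected = name.startswith(EXPECTED_INVISIBLE_PREFIXES) or name in KNOWN_HOOKERS
            out.append((current, 'expected' if expected else 'review'))
            current = None
    return out


if __name__ == '__main__':
    for mod, info in summarise_hooks(parse_ssdt_hooks(SAMPLE_REPORT)).items():
        print(f"{mod}: {info['count']} hook(s) -> {info['verdict']}")
    for name, label in invisible_drivers(SAMPLE_REPORT):
        print(f'{name}: not visible on disk -> {label}')
```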
  11. 2009/03/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Angie
    Try running Combofix in safe mode.

    Thanks
    Geri
     
  12. 2009/04/02
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Hi Geri,

    ComboFix seems to have worked in safe mode; here is the log:

    ComboFix 09-04-01.01 - Genon 2009-04-02 17:26:26.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1798 [GMT 1:00]
    Running from: c:\documents and settings\Genon\Desktop\Combofix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
    FW: Kaspersky Internet Security *enabled*

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\install.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PACKET


    ((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
    .

    2009-04-02 13:34 . 2009-04-02 13:34 6,144 --ahs---- c:\windows\system32\access.ctl
    2009-03-27 11:59 . 2009-04-02 17:13 8 --a------ c:\documents and settings\Genon\settings.dat
    2009-03-13 13:17 . 2009-03-13 13:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-13 13:17 . 2009-03-13 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-09 14:10 . 2009-03-09 14:10 <DIR> d-------- c:\program files\Kaspersky Lab
    2009-03-09 14:10 . 2009-04-02 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-03-09 14:10 . 2009-04-02 17:19 2,698,784 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2009-03-09 14:10 . 2009-04-02 17:31 557,088 --ahs---- c:\windows\system32\drivers\fidbox2.dat
    2009-03-09 14:10 . 2009-03-09 14:19 101,287 --a------ c:\windows\system32\drivers\klin.dat
    2009-03-09 14:10 . 2009-03-09 14:19 89,601 --a------ c:\windows\system32\drivers\klick.dat
    2009-03-09 14:10 . 2009-04-02 17:19 22,164 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2009-03-09 14:10 . 2009-04-02 17:31 2,984 --ahs---- c:\windows\system32\drivers\fidbox2.idx
    2009-03-09 14:09 . 2009-03-09 14:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-03-09 11:18 . 2009-03-09 11:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
    2009-03-09 11:07 . 2009-03-09 11:07 <DIR> d-------- c:\documents and settings\Genon\Application Data\McAfee
    2009-03-09 10:45 . 2006-11-23 04:23 <DIR> d-------- c:\documents and settings\MBromley\Application Data\You've Got Pictures Screensaver
    2009-03-09 10:45 . 2006-11-23 04:28 <DIR> d--h----- c:\documents and settings\MBromley\Application Data\Gtek
    2009-03-09 10:45 . 2009-03-09 10:45 <DIR> d-------- c:\documents and settings\MBromley\Application Data\DellFaxCtr
    2009-03-09 10:45 . 2007-01-17 18:24 <DIR> d-------- c:\documents and settings\MBromley\Application Data\AOL
    2009-03-09 10:45 . 2009-03-09 14:06 <DIR> d-------- c:\documents and settings\MBromley
    2009-03-06 10:49 . 2009-03-06 10:49 <DIR> d-------- c:\documents and settings\John Thain\Application Data\DellFaxCtr
    2009-03-06 10:48 . 2006-11-23 04:23 <DIR> d-------- c:\documents and settings\John Thain\Application Data\You've Got Pictures Screensaver
    2009-03-06 10:48 . 2009-03-09 15:00 <DIR> d--h----- c:\documents and settings\John Thain\Application Data\Gtek
    2009-03-06 10:48 . 2007-01-17 18:24 <DIR> d-------- c:\documents and settings\John Thain\Application Data\AOL
    2009-03-06 10:48 . 2009-03-09 14:06 <DIR> d-------- c:\documents and settings\John Thain
    2009-03-05 10:23 . 2008-06-10 03:32 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-04 10:01 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-03-04 10:01 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-03-03 10:34 . 2009-03-03 10:34 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-27 11:59 --------- d-----w c:\program files\Sage Payroll
    2009-03-09 14:00 --------- d--h--w c:\documents and settings\Paul Carr\Application Data\Gtek
    2009-03-09 14:00 --------- d--h--w c:\documents and settings\Mike Birch\Application Data\Gtek
    2009-03-09 14:00 --------- d--h--w c:\documents and settings\Genon\Application Data\Gtek
    2009-03-09 14:00 --------- d--h--w c:\documents and settings\Angela Bromley\Application Data\Gtek
    2009-03-09 14:00 --------- d--h--w c:\documents and settings\Administrator\Application Data\GTek
    2009-03-09 14:00 --------- d-----w c:\program files\Common Files\Real
    2009-03-09 13:59 --------- d-----w c:\program files\QuickTime
    2009-03-09 13:19 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
    2009-03-09 10:58 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-03-05 09:23 --------- d-----w c:\program files\Java
    2009-03-04 09:02 --------- d-----w c:\program files\Dl_cats
    2009-03-03 09:39 --------- d-----w c:\program files\Microsoft Works
    2009-02-05 12:37 --------- d-----w c:\documents and settings\Mike Birch\Application Data\DellFaxCtr
    2009-02-05 12:13 --------- d-----w c:\documents and settings\Paul Carr\Application Data\DellFaxCtr
    2007-06-14 13:23 1,031 --sh--w c:\windows\system\ws32ntfl.dat
    2008-05-09 12:44 88 --sh--r c:\windows\system32\AE386239C7.sys
    2002-04-16 10:27 5 --sha-w c:\windows\system32\CdI5T.drv
    1998-03-20 00:00 1,048 --sha-w c:\windows\system32\flfnpy.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
    "dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-11-03 291720]
    "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
    "DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "HP SchedIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-04-22 94208]
    "HP AutoIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-04-22 90112]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2008-04-09 515416]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-03-09 206088]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 c:\windows\stsystra.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Angela Bromley\Start Menu\Programs\Startup\
    BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-06-01 430080]

    c:\documents and settings\Genon\Start Menu\Programs\Startup\
    BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-06-01 430080]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe [2007-10-21 204800]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"= c:\windows\system32\..\abhowfl.yaf

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
    "c:\\WINDOWS\\system32\\dlcxcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2008-04-09 64160]
    R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
    R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2006-08-22 316992]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2008-04-09 13:56]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-359F5809-00B8-4455-A73A-9EA62A51101B - c:\documents and settings\All Users\Application Data\5378CDF0.exe
    HKLM-Run-1268329661 - c:\documents and settings\All Users\Application Data\625646896\1268329661.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061123
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-02 17:31:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\dlcxcoms.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    c:\windows\system32\hppapml0.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-02 17:34:24 - machine was rebooted [Genon]
    ComboFix-quarantined-files.txt 2009-04-02 16:34:21

    Pre-Run: 141,760,430,080 bytes free
    Post-Run: 140,223,705,088 bytes free

    176 --- E O F --- 2008-06-02 15:55:32

    Thanks,

    Mike.
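    The two ComboFix logs in this thread carry several indicators a reviewer reads before any scanner verdict: a drivers32 "aux" value pointing through "..\" at a randomly named .yaf file, Security Center notifications switched off, the Windows Firewall disabled with TCP/3389 globally open, hidden+system files under c:\windows (one with an impossible 1602 timestamp), and orphaned Run entries pointing into All Users\Application Data. The script below is an added example for this thread, not ComboFix, catchme or any vendor's code, that pulls those indicators out of a ComboFix-style log. The sample text is constructed from the kinds of lines posted above, and every rule is a reviewer's heuristic (the Security Center DisableMonitoring values in particular are also written legitimately by third-party suites), so its output is a list of review items, not verdicts.

```python
"""Triage a ComboFix-style log for the indicators seen in this thread.

Added example for this thread; it is not ComboFix, catchme or any vendor
code. The sample text below is constructed from the kinds of lines the
posted logs contain, and every heuristic is a reviewer's rule of thumb,
not a signature: each finding is a review item, not a verdict.
"""
import re

# Constructed sample modelled on the posted ComboFix output (not the full log).
SAMPLE_LOG = r"""
2007-06-14 13:23 . 1602-07-12 21:55 1031 --sh--w c:\windows\system\ws32ntfl.dat
2008-05-09 12:44 . 2008-05-09 12:44 88 --sh--r c:\windows\system32\AE386239C7.sys
2009-02-09 12:10 . 2004-08-11 17:00 729088 ----a-w c:\windows\system32\lsasrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= c:\windows\system32\..\abhowfl.yaf
"msacm.imaadpcm"= imaadp32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

- - - - ORPHANS REMOVED - - - -

HKLM-Run-359F5809-00B8-4455-A73A-9EA62A51101B - c:\documents and settings\All Users\Application Data\5378CDF0.exe
"""

# Finding categories (names are this example's own).
HIDDEN_SYSTEM = "hidden+system file under c:\\windows"
BAD_TIMESTAMP = "implausible modification timestamp"
DRIVERS32 = "drivers32 entry points to unexpected file"
WSC_SUPPRESSED = "Security Center alerting suppressed (legitimate for some suites, verify)"
FIREWALL_OFF = "Windows Firewall disabled in standard profile"
RDP_OPEN = "TCP/3389 (RDP) globally open"
ORPHAN_APPDATA = "removed autorun pointed into Application Data"

# "created . modified size attrs path" as ComboFix prints file entries.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. (?P<mod>\d{4})-\d{2}-\d{2} \d{2}:\d{2}"
    r" +(?:\d+|-+) +(?P<attrs>[-a-z]{7,8}) +(?P<path>c:\\.+)$", re.I)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
ORPHAN = re.compile(r"^HKLM-Run-\S+ - (?P<path>c:\\.+)$", re.I)
DRIVER_EXTS = {"dll", "drv", "acm", "ax"}          # what drivers32 normally names
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
WSC_NAMES = {"antivirusdisablenotify", "firewalldisablenotify", "disablemonitoring"}


def triage(log_text):
    """Return a list of (category, detail) review items for one log."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # registry key now in scope
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m["attrs"].lower(), m["path"]
            # 's' and 'h' in the attribute column = system+hidden, the usual
            # way these droppers keep their files out of Explorer.
            if "s" in attrs and "h" in attrs and path.lower().startswith(WINDOWS_DIRS):
                findings.append((HIDDEN_SYSTEM, path))
            if int(m["mod"]) < 1980:              # near-zero/forged FILETIME
                findings.append((BAD_TIMESTAMP, path))
            continue
        m = ORPHAN.match(line)
        if m and "\\application data\\" in m["path"].lower():
            findings.append((ORPHAN_APPDATA, m["path"]))
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, data = m["name"], m["data"].strip()
        if section.endswith("drivers32"):
            ext = data.rsplit(".", 1)[-1].lower() if "." in data else ""
            if "..\\" in data or ext not in DRIVER_EXTS:
                findings.append((DRIVERS32, f"{name} -> {data}"))
        elif "security center" in section:
            if name.lower() in WSC_NAMES and data.lower().endswith("dword:00000001"):
                findings.append((WSC_SUPPRESSED, f"{section}\\{name}"))
        elif section.endswith("standardprofile"):
            if name.lower() == "enablefirewall" and data.startswith("0"):
                findings.append((FIREWALL_OFF, section))
        elif section.endswith("globallyopenports\\list"):
            if name.upper().startswith("3389:"):
                findings.append((RDP_OPEN, data))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category}: {detail}")
```

    Run it as is to print the review items for the constructed sample, or pass the text of a saved ComboFix log to triage(). Each hit still needs a human look: a hidden+system file in system32 can be a licensing or anti-piracy component just as easily as a dropper, which is exactly why the helper in the thread asked for the four flagged files to be submitted to Jotti rather than deleted.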
     
  13. 2009/04/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mike
    Please do this.

    Jotti File Submission:

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • c:\windows\system\ws32ntfl.dat
        c:\windows\system32\AE386239C7.sys
        c:\windows\system32\CdI5T.drv
        c:\windows\system32\flfnpy.sys
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  14. 2009/04/16
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Joined:
    2009/03/09
    Messages:
    13
    Likes Received:
    0
    Hi,

    Did the Jotti scan for all file paths you listed. Every one progressed OK but all 'Found Nothing'. Haven't posted the full reports here as I inadvertently deleted them all and didn't want to go through every scan again. Assure you every report was the same.

    Thanks,
    Angie
     
  15. 2009/04/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Angie

    Please see if Combofix will run in normal mode now and post the log.

    If CF wants to update please allow it.

    Thanks
    Geri
     
  16. 2009/04/22
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Joined:
    2009/03/09
    Messages:
    13
    Likes Received:
    0
    Hi,

    ComboFix has worked and the log is posted below. We believe the problem may have been fixed somewhere during the process of these numerous scans and fixes; however, perhaps you can tell for sure from the following. Certainly the redirection to dodgy websites seems to have stopped.

    Thank you for all of your help.

    Angie

    ComboFix 09-04-22.A2 - Administrator 22/04/2009 12:07.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1574 [GMT 1:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
    .

    2009-04-22 10:42 . 2009-04-22 11:01 9208 ----a-w c:\windows\system32\Config.MPF
    2009-04-22 10:40 . 2009-04-22 10:40 -------- d-----w c:\documents and settings\LocalService\Application Data\SiteAdvisor
    2009-04-22 10:40 . 2009-04-22 10:50 -------- d-----w c:\documents and settings\Administrator\Application Data\SiteAdvisor
    2009-04-22 10:39 . 2006-03-03 07:07 143360 ----a-w c:\windows\system32\dunzip32.dll
    2009-04-22 10:38 . 2007-12-02 11:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
    2009-04-22 10:38 . 2007-11-22 05:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
    2009-04-22 10:38 . 2007-11-22 05:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
    2009-04-22 10:38 . 2007-11-22 05:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    2009-04-22 10:38 . 2007-11-22 05:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
    2009-04-22 10:38 . 2007-07-13 05:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
    2009-04-21 15:31 . 2009-04-21 15:31 6144 --sha-w c:\windows\system32\access.ctl
    2009-04-16 10:42 . 2001-08-17 21:36 8704 ----a-w c:\windows\system32\kbdjpn.dll
    2009-04-16 10:42 . 2001-08-17 21:36 8704 ----a-w c:\windows\system32\dllcache\kbdjpn.dll
    2009-04-16 10:42 . 2001-08-17 21:36 8192 ----a-w c:\windows\system32\kbdkor.dll
    2009-04-16 10:42 . 2001-08-17 21:36 8192 ----a-w c:\windows\system32\dllcache\kbdkor.dll
    2009-04-16 10:42 . 2001-08-17 13:55 6144 ----a-w c:\windows\system32\kbd101c.dll
    2009-04-16 10:42 . 2001-08-17 13:55 6144 ----a-w c:\windows\system32\dllcache\kbd101c.dll
    2009-04-16 10:42 . 2001-08-17 13:55 5632 ----a-w c:\windows\system32\kbd103.dll
    2009-04-16 10:42 . 2001-08-17 13:55 5632 ----a-w c:\windows\system32\dllcache\kbd103.dll
    2009-04-16 10:42 . 2008-04-14 00:09 6144 ----a-w c:\windows\system32\kbd106.dll
    2009-04-16 10:42 . 2008-04-14 00:09 6144 ----a-w c:\windows\system32\dllcache\kbd106.dll
    2009-04-16 10:42 . 2001-08-17 13:55 6144 ----a-w c:\windows\system32\kbd101b.dll
    2009-04-16 10:42 . 2001-08-17 13:55 6144 ----a-w c:\windows\system32\dllcache\kbd101b.dll
    2009-04-15 07:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-15 07:53 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-15 07:53 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-15 07:53 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-15 07:53 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-15 07:53 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-15 07:53 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-15 07:53 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-15 07:53 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-15 07:53 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-15 07:51 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-15 07:51 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
    2009-04-15 07:51 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-03-27 10:59 . 2009-04-02 16:13 8 ----a-w c:\documents and settings\Genon\settings.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-22 11:09 . 2009-04-22 10:42 9768 ----a-w C:\dlcx.log
    2009-04-22 11:00 . 2009-04-22 10:38 -------- d-----w c:\program files\Common Files\McAfee
    2009-04-22 10:59 . 2008-04-09 13:37 10076 ----a-w C:\aaw7boot.log
    2009-04-22 10:41 . 2006-11-23 03:25 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-04-22 10:40 . 2009-04-22 10:40 -------- d-----w c:\program files\SiteAdvisor
    2009-04-22 10:40 . 2009-04-22 10:37 -------- d-----w c:\program files\McAfee
    2009-04-22 10:38 . 2009-04-22 10:38 -------- d-----w c:\program files\McAfee.com
    2009-04-16 10:45 . 2007-03-22 19:14 -------- d-----w c:\documents and settings\Genon\Application Data\AdobeUM
    2009-04-08 07:57 . 2007-06-14 14:24 -------- d-----w c:\program files\Sage Payroll
    2009-04-03 07:53 . 2007-04-16 10:17 -------- d-----w c:\program files\Dl_cats
    2009-03-30 10:21 . 2009-03-06 09:49 53944 ----a-w c:\documents and settings\John Thain\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
    2009-03-13 12:19 . 2009-03-13 12:17 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-13 12:19 . 2009-03-13 12:17 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-09 14:00 . 2009-03-06 09:48 -------- d--h--w c:\documents and settings\John Thain\Application Data\Gtek
    2009-03-09 14:00 . 2009-02-05 12:37 -------- d--h--w c:\documents and settings\Mike Birch\Application Data\Gtek
    2009-03-09 14:00 . 2009-02-05 12:12 -------- d--h--w c:\documents and settings\Paul Carr\Application Data\Gtek
    2009-03-09 14:00 . 2007-06-14 12:19 -------- d--h--w c:\documents and settings\Angela Bromley\Application Data\Gtek
    2009-03-09 14:00 . 2007-01-16 16:32 -------- d--h--w c:\documents and settings\Genon\Application Data\Gtek
    2009-03-09 14:00 . 2006-11-23 03:28 -------- d--h--w c:\documents and settings\Administrator\Application Data\GTek
    2009-03-09 14:00 . 2006-11-23 03:23 -------- d-----w c:\program files\Common Files\Real
    2009-03-09 13:59 . 2006-11-23 03:23 -------- d-----w c:\program files\QuickTime
    2009-03-09 13:09 . 2009-03-09 13:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-03-09 10:18 . 2009-03-09 10:18 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
    2009-03-09 10:07 . 2009-03-09 10:07 -------- d-----w c:\documents and settings\Genon\Application Data\McAfee
    2009-03-09 09:45 . 2009-03-09 09:45 -------- d-----w c:\documents and settings\MBromley\Application Data\DellFaxCtr
    2009-03-06 14:22 . 2004-08-11 17:00 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-06 12:16 . 2008-09-26 11:04 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2009-03-06 10:59 . 2006-11-23 03:31 53944 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-06 09:49 . 2009-03-06 09:49 -------- d-----w c:\documents and settings\John Thain\Application Data\DellFaxCtr
    2009-03-05 09:23 . 2006-11-23 03:16 -------- d-----w c:\program files\Java
    2009-03-03 09:39 . 2006-11-23 03:28 -------- d-----w c:\program files\Microsoft Works
    2009-03-03 09:34 . 2009-03-03 09:34 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-03-03 00:18 . 2006-11-23 03:17 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
    2009-03-03 00:18 . 2004-08-11 17:00 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-28 04:54 . 2006-10-17 11:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
    2009-02-23 16:01 . 2007-06-14 14:14 8354 --sha-w c:\windows\system32\KGyGaAvL.sys
    2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
    2009-02-20 10:20 . 2006-11-07 02:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
    2009-02-20 05:14 . 2006-11-07 02:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
    2009-02-09 12:10 . 2004-08-11 17:00 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-08-11 17:00 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2004-08-11 17:00 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-11 17:00 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2008-10-15 19:29 1846784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-09 11:13 . 2004-08-11 17:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-07 18:02 . 2008-10-15 19:59 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-02-06 11:11 . 2004-08-11 17:00 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:08 . 2008-10-15 19:59 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
    2009-02-06 11:06 . 2008-10-15 19:59 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-02-06 11:06 . 2004-08-11 17:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-11 17:00 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2008-10-15 19:59 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
    2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
    2009-02-03 19:59 . 2004-08-11 17:00 56832 ----a-w c:\windows\system32\secur32.dll
    2007-06-14 13:16 . 2007-06-14 12:19 53168 ----a-w c:\documents and settings\Angela Bromley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2007-03-23 18:44 . 2007-03-23 18:44 128 ----a-w c:\documents and settings\Genon\Local Settings\Application Data\fusioncache.dat
    2006-11-23 03:31 . 2009-03-09 09:45 35720 ----a-w c:\documents and settings\MBromley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2006-11-23 03:31 . 2009-02-05 12:37 35720 ----a-w c:\documents and settings\Mike Birch\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2006-11-23 03:31 . 2009-02-05 12:12 35720 ----a-w c:\documents and settings\Paul Carr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2006-11-23 03:31 . 2007-01-16 16:32 35720 ----a-w c:\documents and settings\Genon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2007-06-14 13:23 . 1602-07-12 21:55 1031 --sh--w c:\windows\system\ws32ntfl.dat
    2008-05-09 12:44 . 2008-05-09 12:44 88 --sh--r c:\windows\system32\AE386239C7.sys
    2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w c:\windows\system32\CdI5T.drv
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w c:\windows\system32\flfnpy.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
    "dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-11-03 291720]
    "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
    "DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "HP SchedIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-04-22 94208]
    "HP AutoIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-04-22 90112]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2008-04-09 515416]
    "SiteAdvisor"="c:\program files\SiteAdvisor\6028\SiteAdv.exe" [2007-02-09 36904]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Angela Bromley\Start Menu\Programs\Startup\
    BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-6-1 430080]

    c:\documents and settings\Genon\Start Menu\Programs\Startup\
    BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-6-1 430080]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe [2007-10-21 204800]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
    "c:\\WINDOWS\\system32\\dlcxcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 0302051240396708mcinstcleanup;McAfee Application Installer Cleanup (0302051240396708); [x]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2008-04-09 951632]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2008-04-09 64160]
    S2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe [2006-10-11 532480]
    S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2006-08-22 316992]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - 0302051240396708MCINSTCLEANUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 12:56]

    2009-04-22 c:\windows\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2009-04-22 12:32]

    2009-04-22 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2009-04-22 12:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061123
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-22 12:09
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-04-22 12:10
    ComboFix-quarantined-files.txt 2009-04-22 11:10
    ComboFix2.txt 2009-04-02 16:34

    Pre-Run: 139,598,032,896 bytes free
    Post-Run: 139,595,071,488 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    220 --- E O F --- 2009-04-15 16:09
     
  17. 2009/04/22
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Joined:
    2009/03/09
    Messages:
    13
    Likes Received:
    0
    Hi Geri,

    Just a quick update on the status of the computer.

    I haven't noticed a redirect problem for the last few weeks (but I have been using it a lot less for web browsing). Also regedit and cmd functions are now working. This seems to have changed since I ran ComboFix in safe mode. Could this have fixed the problem?

    Thanks.

    Mike
     
  18. 2009/04/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • c:\windows\system32\AE386239C7.sys
        c:\windows\system32\CdI5T.drv
        c:\windows\system32\flfnpy.sys
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  19. 2009/04/23
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Joined:
    2009/03/09
    Messages:
    13
    Likes Received:
    0
    Hi Geri,

    Nothing found in the scans:

    File: CdI5T.drv
    Status: OK
    MD5: ad15eef8d651130a9d2b20e0edc3b382
    Packers detected: -

    File: flfnpy.sys
    Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 0a0eea206a299453f7b4d0a51f7fec74
    Packers detected: -

    File: AE386239C7.sys
    Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: a2a6a735146677c37f7a539f8c23c4f4
    Packers detected: -

    Mike.
     
  20. 2009/04/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Mike
    OK that's good.

    Now let's get an online scan. Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on “Accept” if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the “Scan Report” On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  21. 2009/04/27
    mobtgmjb

    mobtgmjb Inactive Thread Starter

    Joined:
    2009/03/09
    Messages:
    13
    Likes Received:
    0
    Hi Geri,

    I ran the scan and this is what it found:

    Monday, April 27, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Monday, April 27, 2009 15:08:15
    Records in database: 2083316


    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes

    Scan area My Computer
    C:\
    D:\

    Scan statistics
    Files scanned 59343
    Threat name 1
    Infected objects 0
    Suspicious objects 5
    Duration of the scan 01:02:31

    File name Threat name Threats count
    C:\Documents and Settings\Genon\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 5

    The selected area was scanned.

    Just to let you know I had to reinstall McAfee as my temp licence to Kaspersky ran out. After I re-installed it, it detected the following:

    RemAdm-ProcLaunch!171 (I think it's detecting ComboFix as a virus)
    Generic Backdoor.d
    Spy-Agent.cm

    And today (27th) it detected Generic.dx!c during a real-time scan (which again seems to be ComboFix).

    Thanks,
    Mike.
     
