
Inactive Contracted Internet security 2010

Discussion in 'Malware and Virus Removal Archive' started by edbonics, 2010/01/19.

  1. 2010/01/19
    edbonics

    edbonics Inactive Thread Starter

    Joined:
    2010/01/19
    Messages:
    6
    Likes Received:
    0
    [Inactive] Contracted Internet security 2010

    Firstly I'd like to say thank you for your time and assistance in advance, and that I've tried to research my problem to the best of my ability and search the forum topics for a related topic dealing with a Google Chrome redirect/hijacking.

    Yesterday (1-18-10) my computer was infected with the Internet Security 2010 virus while my sister was checking her e-mail. Using an MS-DOS application called rkill, I was able to stop Internet Security 2010 from popping up repeatedly on my desktop. I then downloaded and ran the Malwarebytes Anti-Malware program, which temporarily removed the desktop hijack and allowed me to delete the Internet Security 2010 file from my computer. I thought things were back to normal and proceeded with using Google Chrome to browse the internet. Some time later Internet Security 2010 repopulated itself, and since then Google Chrome has been redirected when trying to view web pages. I then used Firefox to do some research online into what was going on and some possible ways of fixing this. I read that I should delete any old files of Java and download the latest version in its place. I also downloaded Spybot Search & Destroy and it deleted most files it found to be the culprit and said that it would delete the rest upon start-up. It was unable to do so. I downloaded HijackThis but was unable to tell the good files from the bad. I deleted and reinstalled Google Chrome after updating to the latest version of Java because I read that the hijack was possibly due to the old Java files being corrupted. Google Chrome is still being redirected, however.
    Here are the DDS logs requested:

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by edluva at 19:31:06.01 on Tue 01/19/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.89 [GMT -6:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\System32\PAStiSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Philips\SPC610NC\Monitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\edluva\Desktop\dds.scr
    C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
    uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
    uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe "
    uRun: [Google Update] "c:\documents and settings\edluva\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" - "http://www.globalchange.umich.edu/globalchange1/current/lectures/evolving_earth/evolving_earth.html "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Monitor] c:\windows\philips\spc610nc\Monitor.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\vpro610.lnk - c:\windows\VPro610.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\vprope~1.lnk - c:\windows\VPro610.exe
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\edluva\applic~1\mozilla\firefox\profiles\jrtkjr5n.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\edluva\application data\mozilla\firefox\profiles\jrtkjr5n.default\extensions\firetorrent@radicalsoft.com\components\firetorrent.dll
    FF - plugin: c:\documents and settings\edluva\application data\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\edluva\application data\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\edluva\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-7 64288]
    R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2005-9-6 19478]
    R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2005-9-6 635017]
    R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2005-9-6 431236]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-19 54752]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-11 24652]
    S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [2005-9-6 64093]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.SYS [2009-2-2 492416]

    =============== Created Last 30 ================

    2010-01-19 14:02:59 0 d-----w- c:\program files\Trend Micro
    2010-01-19 11:18:44 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-19 09:31:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-01-19 09:31:07 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-19 05:34:46 0 d-----w- c:\docume~1\edluva\applic~1\Malwarebytes
    2010-01-19 05:34:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-19 05:34:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-01-19 05:34:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-19 05:34:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-18 13:42:12 0 ----a-w- c:\windows\system32\15724.exe
    2010-01-18 13:01:52 0 ----a-w- c:\windows\system32\26500.exe
    2010-01-18 12:41:50 0 ----a-w- c:\windows\system32\6334.exe
    2010-01-18 12:21:47 0 ----a-w- c:\windows\system32\18467.exe
    2010-01-18 11:56:21 1 ----a-w- C:\s
    2010-01-12 21:45:42 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-08 10:29:34 0 dc-h--w- c:\windows\ie8

    ==================== Find3M ====================

    2009-11-14 13:40:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2008-01-25 16:08:34 56 --sh--r- c:\windows\system32\520FF4C154.sys
    2008-01-25 16:08:41 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 19:34:37.68 ===============

    I also saved the attachment but understood it to read that I wasn't to post it unless asked to.
    Thanks again for your time. I hope the information I provided is useful and pleasantly concise. I look forward to hearing from you, Ed.
     
  2. 2010/01/19
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Hi Ed. Please post the Attach.txt file from DDS.

    Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

    c:\windows\system32\15724.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\6334.exe
    c:\windows\system32\18467.exe

    =====
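As an added example (not code from this thread, from DDS, or from the helpers here), the script below does the triage crunchie is doing by eye: it parses constructed sample lines shaped like the "Created Last 30" entries in post 1, flags zero-byte executables, all-numeric filenames sitting directly in system32, and executables created on the date the user reported the infection, and it cross-checks a file's stat() size against the bytes actually readable before hashing it for a VirusTotal or Jotti lookup. The rule set, the extension list and the incident-date parameter are assumptions chosen for illustration.

```python
"""Triage of DDS "Created Last 30" entries and a size/hash cross-check.

Added example, not code from the thread or from the DDS tool. The line
layout (timestamp, size, 8-character attribute field, path) is taken from
the lines quoted in the thread; the triage rules are assumptions.
"""
import hashlib
import ntpath
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample modelled on the "Created Last 30" lines in post 1.
SAMPLE_DDS = r"""
2010-01-19 14:02:59 0 d-----w- c:\program files\Trend Micro
2010-01-19 05:34:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-18 13:42:12 0 ----a-w- c:\windows\system32\15724.exe
2010-01-18 13:01:52 0 ----a-w- c:\windows\system32\26500.exe
2010-01-18 11:56:21 1 ----a-w- C:\s
2010-01-12 21:45:42 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# Assumed set of extensions worth treating as executable content.
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl"}


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # A leading 'd' in the attribute field marks a directory in DDS output.
        return self.attrs[0] == "d"

    @property
    def ext(self) -> str:
        return ntpath.splitext(self.path)[1].lower()


def parse_dds(text: str) -> list:
    """Parse DDS file-listing lines; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, size, attrs, path = m.groups()
            entries.append(Entry(ts, int(size), attrs, path))
    return entries


def triage(entries, incident_date: str) -> dict:
    """Return {path: [reasons]} for files worth submitting to a scanner.

    incident_date is 'YYYY-MM-DD', the day the user reported the infection.
    """
    findings = {}
    for e in entries:
        if e.is_dir:
            continue
        reasons = []
        parent = ntpath.dirname(e.path).lower()
        stem = ntpath.splitext(ntpath.basename(e.path))[0]
        if e.size == 0 and e.ext in EXEC_EXT:
            # A 0-byte .exe is either a failed drop or content hidden from the
            # file-system view (a rootkit symptom); either way, look at it.
            reasons.append("zero-byte executable")
        if stem.isdigit() and parent.endswith("\\system32"):
            reasons.append("all-numeric filename in system32")
        if e.ext in EXEC_EXT and e.timestamp[:10] == incident_date:
            reasons.append("executable created on incident date")
        if reasons:
            findings[e.path] = reasons
    return findings


def hash_and_size(path: str) -> dict:
    """Hash a file and compare the stat() size with the bytes actually read.

    A mismatch is a reason to distrust the running system's view of the
    file and to rescan from outside that OS.
    """
    stat_size = os.path.getsize(path)
    h = hashlib.sha256()
    read_size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            read_size += len(chunk)
    return {"stat_size": stat_size, "read_size": read_size,
            "sha256": h.hexdigest(), "consistent": stat_size == read_size}


def demo_hash_check() -> dict:
    """Run hash_and_size on a constructed 3-byte temporary file (b'abc')."""
    fd, tmp = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        return hash_and_size(tmp)
    finally:
        os.remove(tmp)


if __name__ == "__main__":
    for path, reasons in triage(parse_dds(SAMPLE_DDS), "2010-01-18").items():
        print(path, "->", "; ".join(reasons))
    print(demo_hash_check())
```

On the sample data the two numeric system32 executables are the only hits, each for all three reasons; the Malwarebytes driver, created a day later with a normal size, is not flagged. Run `hash_and_size` on a live file before uploading it: if the readable byte count disagrees with the size the file system reports, the "0 bytes" answer from an online scanner says more about what the running OS is hiding than about the file.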
     


  4. 2010/01/20
    edbonics

    edbonics Inactive Thread Starter

    Joined:
    2010/01/19
    Messages:
    6
    Likes Received:
    0
    Ok, I went to Jotti's to scan those files and all of them came back as "folder is empty(0 bytes)!"
    Here is the attachment:


    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/22/2005 3:42:17 AM
    System Uptime: 1/19/2010 3:50:03 AM (16 hours ago)

    Motherboard: Compal | | 08A0
    Processor: AMD Athlon(tm) 64 Processor 3400+ | Socket A | 797/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 93 GiB total, 14.026 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_10DE&DEV_00D4&SUBSYS_006D103C&REV_A4\3&13C0B0C5&0&09
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_10DE&DEV_00D4&SUBSYS_006D103C&REV_A4\3&13C0B0C5&0&09
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_104C&DEV_8201&SUBSYS_006D103C&REV_01\4&2FF3801D&0&2250
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_104C&DEV_8201&SUBSYS_006D103C&REV_01\4&2FF3801D&0&2250
    Service:

    ==== System Restore Points ===================

    RP1212: 10/22/2009 7:35:35 AM - System Checkpoint
    RP1213: 10/23/2009 7:55:44 AM - System Checkpoint
    RP1214: 10/24/2009 9:30:07 AM - System Checkpoint
    RP1215: 10/25/2009 10:38:55 PM - System Checkpoint
    RP1216: 10/27/2009 7:53:30 AM - System Checkpoint
    RP1217: 10/28/2009 8:56:14 AM - System Checkpoint
    RP1218: 10/29/2009 9:50:15 AM - System Checkpoint
    RP1219: 10/30/2009 10:04:52 AM - System Checkpoint
    RP1220: 10/31/2009 10:40:22 AM - System Checkpoint
    RP1221: 11/1/2009 1:39:13 PM - System Checkpoint
    RP1222: 11/2/2009 2:04:48 PM - System Checkpoint
    RP1223: 11/3/2009 3:03:48 PM - System Checkpoint
    RP1224: 11/4/2009 4:02:28 AM - Software Distribution Service 3.0
    RP1225: 11/5/2009 7:32:27 AM - System Checkpoint
    RP1226: 11/6/2009 11:38:21 AM - System Checkpoint
    RP1227: 11/7/2009 12:32:11 PM - System Checkpoint
    RP1228: 11/8/2009 12:37:29 PM - System Checkpoint
    RP1229: 11/9/2009 1:36:48 PM - System Checkpoint
    RP1230: 11/10/2009 9:19:59 PM - System Checkpoint
    RP1231: 11/11/2009 9:52:53 PM - System Checkpoint
    RP1232: 11/12/2009 3:02:53 AM - Software Distribution Service 3.0
    RP1233: 11/13/2009 3:06:25 AM - System Checkpoint
    RP1234: 11/14/2009 12:02:39 PM - System Checkpoint
    RP1235: 11/15/2009 1:07:23 PM - System Checkpoint
    RP1236: 11/16/2009 4:38:52 PM - System Checkpoint
    RP1237: 11/18/2009 9:52:36 PM - System Checkpoint
    RP1238: 11/19/2009 10:05:15 PM - System Checkpoint
    RP1239: 11/21/2009 1:05:50 AM - System Checkpoint
    RP1240: 11/22/2009 1:42:29 AM - System Checkpoint
    RP1241: 11/23/2009 2:42:33 AM - System Checkpoint
    RP1242: 11/24/2009 3:42:32 AM - System Checkpoint
    RP1243: 11/25/2009 4:21:22 AM - System Checkpoint
    RP1244: 11/26/2009 3:00:32 AM - Software Distribution Service 3.0
    RP1245: 11/27/2009 5:27:01 PM - System Checkpoint
    RP1246: 11/29/2009 12:39:16 AM - System Checkpoint
    RP1247: 11/30/2009 11:38:53 AM - System Checkpoint
    RP1248: 12/1/2009 10:50:52 PM - System Checkpoint
    RP1249: 12/3/2009 7:27:02 AM - System Checkpoint
    RP1250: 12/4/2009 8:41:56 AM - System Checkpoint
    RP1251: 12/5/2009 6:57:15 PM - System Checkpoint
    RP1252: 12/8/2009 2:57:11 PM - System Checkpoint
    RP1253: 12/9/2009 3:04:08 AM - Software Distribution Service 3.0
    RP1254: 12/10/2009 4:52:27 AM - System Checkpoint
    RP1255: 12/11/2009 5:40:44 AM - System Checkpoint
    RP1256: 12/12/2009 3:50:39 PM - System Checkpoint
    RP1257: 12/13/2009 10:28:13 PM - System Checkpoint
    RP1258: 12/14/2009 11:22:10 PM - System Checkpoint
    RP1259: 12/16/2009 12:04:37 AM - System Checkpoint
    RP1260: 12/17/2009 6:41:02 AM - System Checkpoint
    RP1261: 12/18/2009 12:19:33 PM - System Checkpoint
    RP1262: 12/19/2009 4:04:19 PM - System Checkpoint
    RP1263: 12/21/2009 6:04:38 AM - System Checkpoint
    RP1264: 12/22/2009 8:02:07 PM - System Checkpoint
    RP1265: 12/23/2009 8:36:09 PM - System Checkpoint
    RP1266: 12/24/2009 11:27:07 PM - System Checkpoint
    RP1267: 12/26/2009 12:20:44 AM - System Checkpoint
    RP1268: 12/27/2009 1:14:17 AM - System Checkpoint
    RP1269: 12/28/2009 1:26:47 AM - System Checkpoint
    RP1270: 12/29/2009 4:21:41 AM - System Checkpoint
    RP1271: 12/30/2009 10:39:44 AM - System Checkpoint
    RP1272: 12/31/2009 11:31:50 AM - System Checkpoint
    RP1273: 1/1/2010 11:46:08 AM - System Checkpoint
    RP1274: 1/2/2010 3:41:19 PM - System Checkpoint
    RP1275: 1/3/2010 11:42:29 PM - System Checkpoint
    RP1276: 1/5/2010 3:13:08 AM - System Checkpoint
    RP1277: 1/6/2010 3:18:49 AM - System Checkpoint
    RP1278: 1/7/2010 12:13:01 PM - System Checkpoint
    RP1279: 1/8/2010 4:30:47 AM - Installed Windows Internet Explorer 8.
    RP1280: 1/9/2010 3:00:24 AM - Software Distribution Service 3.0
    RP1281: 1/10/2010 3:24:24 AM - System Checkpoint
    RP1282: 1/11/2010 7:31:17 AM - System Checkpoint
    RP1283: 1/12/2010 11:04:03 AM - System Checkpoint
    RP1284: 1/13/2010 3:03:10 AM - Software Distribution Service 3.0
    RP1285: 1/13/2010 8:35:28 AM - Unsigned driver install
    RP1286: 1/13/2010 8:40:58 AM - Unsigned driver install
    RP1287: 1/14/2010 8:50:19 AM - System Checkpoint
    RP1288: 1/15/2010 9:11:53 AM - System Checkpoint
    RP1289: 1/16/2010 2:00:54 PM - System Checkpoint
    RP1290: 1/18/2010 4:55:47 AM - System Checkpoint
    RP1291: 1/18/2010 11:14:05 PM - Restore Operation
    RP1292: 1/19/2010 3:21:14 AM - Removed J2SE Runtime Environment 5.0 Update 11
    RP1293: 1/19/2010 3:23:02 AM - Removed Java(TM) 6 Update 3
    RP1294: 1/19/2010 3:24:29 AM - Removed Java(TM) SE Runtime Environment 6 Update 1
    RP1295: 1/19/2010 3:30:06 AM - Installed Java(TM) 6 Update 17
    RP1296: 1/19/2010 7:15:05 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.0
    Adobe Shockwave Player 11
    Agere Systems AC'97 Modem
    AutoUpdate
    BufferChm
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    CustomerResearchQFolder
    Direct Show Ogg Vorbis Filter (remove only)
    DivX
    DivX Player
    F2100_doccd
    Fax
    Google Chrome
    Highlight Viewer (Windows Live Toolbar)
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP Update
    ImageMixer for Sony DVD Handycam
    Java(TM) 6 Update 17
    Junk Mail filter update
    K-Lite Mega Codec Pack 5.1.0
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    MicroStaff WINASPI
    Move Media Player
    Mozilla Firefox (3.0.17)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Windows 2000/XP Display Drivers
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Segoe UI
    Smart Menus (Windows Live Toolbar)
    Sony DVD Handycam USB Driver
    SoulSeek 157 NS 13
    SoulSeek Client 156c
    SPC 610NC Laptop Camera
    Spybot - Search & Destroy
    SureThing Decal Maker Standard
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Manager
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Favorites for Windows Live Toolbar
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Yahoo! Internet Mail
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    1/19/2010 3:22:20 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    1/18/2010 7:50:39 AM, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
    1/18/2010 7:33:13 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    1/18/2010 11:12:34 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    1/18/2010 11:12:34 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    1/14/2010 5:30:41 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 00904B950C6A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/13/2010 4:55:30 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00904B950C6A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/13/2010 3:59:35 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.
    1/13/2010 1:37:01 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 00904B950C6A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================

    Thank you for your reply Crunchie, ed
     
  5. 2010/01/20
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Ok, I am not confident that those files are 0 bytes, so we will run another tool and see if they come up.

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double-click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
    Last edited: 2010/01/20
  6. 2010/01/20
    edbonics

    edbonics Inactive Thread Starter

    Joined:
    2010/01/19
    Messages:
    6
    Likes Received:
    0
    Here is the Combofix log

    ComboFix 10-01-19.04 - edluva 01/20/2010 2:35.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.209 [GMT -6:00]
    Running from: c:\documents and settings\edluva\My Documents\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\edluva\LOCALS~1\Temp\tmp1.tmp
    c:\docume~1\edluva\LOCALS~1\Temp\tmp2.tmp
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\VPro610.lnk
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\VProperty.lnk
    c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
    c:\recycler\S-1-5-21-3798042370-78231701-2856801765-1003
    c:\recycler\S-1-5-21-390217201-1081325239-663910372-1007
    C:\s
    c:\windows\system32\15724.exe
    c:\windows\system32\18467.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\6334.exe
    c:\windows\system32\AutoRun.inf

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    original MBR restored successfully !
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
    .

    2010-01-19 14:02 . 2010-01-19 14:02 -------- d-----w- c:\program files\Trend Micro
    2010-01-19 11:18 . 2010-01-19 11:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-19 09:31 . 2010-01-19 09:30 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-19 07:46 . 2010-01-19 07:46 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
    2010-01-19 07:46 . 2010-01-19 07:46 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
    2010-01-19 07:46 . 2010-01-19 07:46 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2010-01-19 07:46 . 2010-01-19 07:46 -------- d-----w- c:\documents and settings\HelpAssistant\Owner
    2010-01-19 06:51 . 2010-01-19 06:51 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
    2010-01-19 06:49 . 2010-01-19 06:49 -------- d-----w- c:\documents and settings\HelpAssistant\Contacts
    2010-01-19 05:34 . 2010-01-19 05:34 -------- d-----w- c:\documents and settings\edluva\Application Data\Malwarebytes
    2010-01-19 05:34 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-19 05:34 . 2010-01-19 05:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-01-19 05:34 . 2010-01-19 05:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-19 05:34 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-12 21:45 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-08 10:29 . 2010-01-08 10:30 -------- dc-h--w- c:\windows\ie8

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-19 13:40 . 2005-11-27 22:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2010-01-19 09:59 . 2004-11-16 12:25 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-19 09:30 . 2004-08-25 12:01 -------- d-----w- c:\program files\Java
    2010-01-14 13:36 . 2009-12-17 13:14 -------- d-----w- c:\documents and settings\edluva\Application Data\U3
    2010-01-10 02:53 . 2004-11-17 21:55 -------- d-----w- c:\program files\Soulseek
    2009-11-14 13:40 . 2009-11-14 13:40 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2009-11-14 13:40 . 2009-11-07 16:23 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2008-01-25 16:08 . 2008-01-21 18:03 56 --sh--r- c:\windows\system32\520FF4C154.sys
    2008-01-25 16:08 . 2008-01-21 17:54 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="nview.dll" [2003-12-11 856133]
    "Google Update"="c:\documents and settings\edluva\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-19 135664]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-06 282624]
    "Monitor"="c:\windows\Philips\SPC610NC\Monitor.exe" [2006-11-03 319488]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-19 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Soulseek\\slsk.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/7/2009 7:31 AM 64288]
    R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [9/6/2005 5:29 PM 19478]
    R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [9/6/2005 5:29 PM 635017]
    R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [9/6/2005 5:29 PM 431236]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/19/2009 1:38 AM 54752]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1181328]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/11/2008 5:00 PM 24652]
    S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [9/6/2005 5:29 PM 64093]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
    S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.SYS [2/2/2009 1:33 AM 492416]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:33]

    2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:33]

    2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:33]

    2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:33]

    2010-01-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:33]

    2010-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-854245398-839522115-1004Core.job
    - c:\documents and settings\edluva\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-19 10:53]

    2010-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-854245398-839522115-1004UA.job
    - c:\documents and settings\edluva\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-19 10:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    FF - ProfilePath - c:\documents and settings\edluva\Application Data\Mozilla\Firefox\Profiles\jrtkjr5n.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\edluva\Application Data\Mozilla\Firefox\Profiles\jrtkjr5n.default\extensions\firetorrent@radicalsoft.com\components\firetorrent.dll
    FF - plugin: c:\documents and settings\edluva\Application Data\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\edluva\Application Data\Move Networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\edluva\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Soulseek2 - c:\documents and settings\edluva\Desktop\SoulseekNS\uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-20 02:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1140)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nView.dll
    c:\progra~1\WINDOW~1\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\System32\PAStiSvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    c:\windows\system32\msiexec.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-20 03:13:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-20 09:13

    Pre-Run: 14,912,921,600 bytes free
    Post-Run: 16,167,190,528 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - DEFFB606D05506AAE5C2B1AD6DA5CC20
     
  7. 2010/01/20
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Looks like it cleaned out a few there. How is the pc now?

    Download HijackThis Executable from here. Save it to your desktop.
    Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
     
  8. 2010/01/21
    edbonics

    edbonics Inactive Thread Starter

    Joined:
    2010/01/19
    Messages:
    6
    Likes Received:
    0
    My PC seems to be working much better, thank you. Google Chrome no longer redirects and Internet Security 2010 doesn't pop up on my desktop any longer.
    I have a version of HijackThis, is it the same one or should I still D/L the executable?
    Again, thank you for everything. It's a load off my mind. ed
     
  9. 2010/01/21
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    No worries :). I do not know which version of Hijackthis you have, but do a scan and post it up and I will soon see.

    ======

    Let's get rid of Combofix now that we are finished with it.
    • Click START then RUN
    • Copy/paste the following bolded text into the Run box and click OK:

      ComboFix /Uninstall

      Note the space between the X and the /, it needs to be there.

      (image: CF_cleanup.png)


    ==========

    It is also a requirement (and a good idea) of the forum that you do an online scan to ensure your pc is clean, so please do the following;

    Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

    Click Yes, when prompted to install its ActiveX component.
    (Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    The program launches and downloads the latest definition files.
    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database:
        • Extended
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK and, under select a target to scan, select My Computer
    When the scan is done, in the Scan is completed window (below), any infection is displayed.
    There is no option to clean/disinfect, however, we need to analyze the information on the report.
    (images: Kas-SaveReport-1.gif, Kas-Savetxt.gif)
    To obtain the report:
    Click on: Save Report As (above - red blinking arrow)
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.
     
    Last edited: 2010/01/21
  10. 2010/01/21
    edbonics

    edbonics Inactive Thread Starter

    Joined:
    2010/01/19
    Messages:
    6
    Likes Received:
    0
    Here is the HijackThis log. I'm waiting for Kaspersky to finish its diagnosis.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:05:26 AM, on 1/21/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\System32\PAStiSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\Philips\SPC610NC\Monitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Documents and Settings\edluva\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\edluva\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\edluva\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\Philips\SPC610NC\Monitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\edluva\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" - "http://www.globalchange.umich.edu/globalchange1/current/lectures/evolving_earth/evolving_earth.html"
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: (no name) - http://i2.photobucket.com/albums/y30/coloradodiva/picture bkground/womanvampsm.jpg
    O24 - Desktop Component 1: (no name) - http://people.freenet.de/quinnay/plush/22.jpg
    O24 - Desktop Component 2: (no name) - http://www.johnjohnjesse.net/site/gallery/images/images/break.jpg
    O24 - Desktop Component 3: (no name) - http://mail.google.com/mail/?view=att&disp=emb&attid=0.1&th=109cdc5465f20350

    --
    End of file - 8382 bytes
     
  11. 2010/01/21
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Can do this whilst the scan is happening;

    Can you please do the following.

    ===============

    You will have to disable Spybot's TeaTimer before we begin, as it will interfere with the fix. To do this, start Spybot, go to the Mode button and select Advanced. Go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit".
    Download View attachment ResetTeaTimer.zip
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
    Do not forget to re-enable teatimer when we are done :).
    If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    ===============

    Go to Add/Remove programs and uninstall the following, if present:

    Viewpoint Manager, Viewpoint Media Player, Viewpoint Toolbar

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============

    Scan with HijackThis and then place a check next to all the following, if present:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HijackThis, and click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    C:\Program Files\Viewpoint

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear.
    Select the first option to run Windows in Safe Mode and hit Enter.

    -

    Reboot.


    Will await the Kaspersky log.
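The selection crunchie makes from the HijackThis log above (entries whose target reads "(no file)" or "(file missing)", plus anything belonging to the Viewpoint software he asked to uninstall) can be applied mechanically to a saved log. The script below is an added example written for this thread; it is not code from HijackThis, from crunchie, or from the forum. The entry format it parses is the one visible in the posted log; the `UNWANTED_NAMES` watch-list and the sample lines are assumptions constructed for the example, and `review_hjt_log` returns the findings rather than fixing anything, so it is a triage aid for reading a log, not a removal tool.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied in the format of the HijackThis log posted above.
# Raw strings keep the Windows backslashes literal.
SAMPLE_HJT_LOG = "\n".join([
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
])

# Hypothetical watch-list for this example: product names the helper in the
# thread asked to remove. Extend it for your own triage; it is not a HJT feature.
UNWANTED_NAMES = ("viewpoint",)

# Every HijackThis finding starts with a section code (R0-R3, O1-O24, F0-F3)
# followed by " - ". Process-list lines and headers do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str     # HJT section code, e.g. "O2" for a Browser Helper Object
    reason: str   # why the entry was flagged
    line: str     # the original log line, ready to paste into a reply


def parse_entries(log_text):
    """Return (code, body, line) for every HijackThis entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def review_hjt_log(log_text):
    """Flag orphaned entries and watch-listed software, as a human helper would."""
    findings = []
    for code, body, line in parse_entries(log_text):
        lowered = body.lower()
        if "(no file)" in lowered or "(file missing)" in lowered:
            # A registry hook, BHO or service whose target no longer exists is
            # dead weight left behind by an uninstall or a cleanup; safe to fix.
            findings.append(Finding(code, "orphaned entry: referenced file is missing", line))
        elif any(name in lowered for name in UNWANTED_NAMES):
            findings.append(Finding(code, "matches unwanted-software watch-list", line))
    return findings


def main():
    for f in review_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")


if __name__ == "__main__":
    main()
```

Running it on the sample prints the same four lines crunchie lists in his reply (the Yahoo! Toolbar hook, the two dead BHOs and the Viewpoint service) and leaves the live Spybot and QuickTime entries alone; substituting a real saved log for `SAMPLE_HJT_LOG` gives a first pass that a person still has to confirm before clicking "Fix checked".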
     
  12. 2010/01/27
    edbonics

    edbonics Inactive Thread Starter

    Joined:
    2010/01/19
    Messages:
    6
    Likes Received:
    0
    Sorry I haven't been able to get back to you in a while. I'm starting a new job and have been quite busy with all involved in that. I've tried twice to run the Kaspersky tool and both times when I return to my computer to see the log it's created, my computer has been restarted and there is no log present. I may be doing something incorrect? I'm going to try and run it again, as I'm going to bed now. I shall check in the morning for the log report. Thank you for your time, Ed
     
  13. 2010/01/27
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    No worries. I will be here.

    It may be best to actually be present during the scan so that you can see what is happening.
     
