
Solved Browser HiJack, Unable to open cmd/regedit

Discussion in 'Malware and Virus Removal Archive' started by mellotune, 2009/03/11.

  1. 2009/03/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    I know it's frustrating.....
    Check your Private Message box


    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O2 - BHO: (no name) - {06433BFE-4946-4E89-823D-CD359C81CD06} - (no file)
    O2 - BHO: (no name) - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - (no file)
    O2 - BHO: (no name) - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)



    Let's try this next scanner.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    • http://www.pchell.com/support/safemode.shtml
    Scan with DrWeb-CureIt as follows:

    * Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
    * Under "Start the Express Scan Now ", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.

    * Once the short scan has finished, Click Options > Change settings
    * Choose the "Scan tab" and UNcheck "Heuristic analysis "

    * Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
    * Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.

    * When done, a message will be displayed at the bottom advising if any viruses were found.
    * Click "Yes to all" if it asks if you want to cure/move the file.

    * When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable ".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

    * Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    * Save the DrWeb.csv report to your desktop.
    * Exit Dr.Web Cureit when done.

    * Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    * After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
    In your next reply post:


    DrWeb.csv report
    New HJT log
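The fix list above is built from HijackThis entries whose target no longer exists: HJT appends "(no file)" or "(file missing)" to the line when the registered DLL is gone. The Python below is an added example, not part of the post and not HijackThis code. It pulls those orphans out of a log automatically and also reports any entry that still resolves but shares a CLSID with an orphan, which is how the dead UberButton BHO and the live "Yahoo! Services" O9 button in the later log line up. The sample log is constructed from lines that appear in this thread; the function names are this example's own. Caveat: an orphaned entry is a dead registration, not running code, so ticking it tidies the registry without removing anything that executes, and entries whose file still exists (the Java SSVHelper line) must stay.

```python
"""Pull the orphaned entries out of a HijackThis log.

Added example for this thread, not HijackThis code. HJT appends "(no file)" or
"(file missing)" when the registered target is gone; those are the lines the
post above ticks for "Fix checked".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied in shape from the logs in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {06433BFE-4946-4E89-823D-CD359C81CD06} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\\Program Files\\Yahoo!\\Common\\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\\WINDOWS\\system32\\shdocvw.dll
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\\Program Files\\DynDNS Updater\\DynDNS.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class HjtEntry:
    section: str       # O2, O3, O4, O9, O23, R0 ...
    clsid: str | None  # upper-cased {GUID} when the entry carries one
    orphaned: bool     # target marked missing by HJT
    line: str


def parse_hjt(text: str) -> list[HjtEntry]:
    """Parse every section line; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(HjtEntry(
            section=section,
            clsid=clsid.group(0).upper() if clsid else None,
            orphaned=body.endswith(MISSING_MARKERS),
            line=line,
        ))
    return entries


def fix_list(text: str) -> list[str]:
    """Lines to tick in 'Do a system scan only': every entry HJT marks as missing."""
    return [e.line for e in parse_hjt(text) if e.orphaned]


def shared_clsids(entries: list[HjtEntry]) -> dict[str, list[str]]:
    """CLSIDs of orphaned entries that a still-resolving entry also references."""
    orphan_ids = {e.clsid for e in entries if e.orphaned and e.clsid}
    related = {}
    for cid in sorted(orphan_ids):
        live = [e.line for e in entries if e.clsid == cid and not e.orphaned]
        if live:
            related[cid] = live
    return related


if __name__ == "__main__":
    print("Tick in HijackThis:")
    for line in fix_list(SAMPLE_LOG):
        print("  ", line)
    for cid, lines in shared_clsids(parse_hjt(SAMPLE_LOG)).items():
        print(f"{cid} is orphaned in one entry but still referenced by:")
        for line in lines:
            print("  ", line)
```

On the sample, three lines come back to tick and one CLSID is reported as shared: the UberButton BHO is gone but the O9 "Yahoo! Services" button with the same CLSID still resolves, because that button is implemented through shdocvw.dll and keeps working after the toolbar's own files are removed.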
     
  2. 2009/03/16
    Juliet
    Also,
    I want you to open task manager
    End task on all your security related programs (mainly Norton ones it will allow)

    Now try to run ComboFix and MBAM again.

    Let me know how it goes.
     

  4. 2009/03/16
    Juliet
    Let me know how you make out.
     
  5. 2009/03/16
    mellotune

    mellotune Inactive Thread Starter

    Joined:
    2009/03/11
    Messages:
    30
    Likes Received:
    0
    Dr.Web CureIt was taking a long time to scan. I waited 3 hours and it didn't finish. I stopped it just now as I really have to use the computer. I will kick it off again before I sleep tonight and post the log tomorrow. Thank you for waiting.
     
  6. 2009/03/17
    Juliet
    Post the log when you can.
     
  7. 2009/03/17
    mellotune
    DrWeb.csv:
    GTDownDE_87.ocx;C:\i386;Adware.Gdown;Incurable.Moved.;
    Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
    A0144974.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP631\A0144974.exe/data002;Program.PsExec.171;;
    data002;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP631;Archive contains infected objects;;
    A0144974.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP631;Container contains infected objects;Moved.;
    A0144975.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP631\A0144975.exe/data002;Program.PsExec.171;;
    data002;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP631;Archive contains infected objects;;
    A0144975.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP631;Container contains infected objects;Moved.;
    A0149494.reg;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP634;Trojan.StartPage.1505;Deleted.;
    A0149495.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP634\A0149495.exe/data002;Program.PsExec.171;;
    data002;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP634;Archive contains infected objects;;
    A0149495.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP634;Container contains infected objects;Moved.;
    A0149496.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP634\A0149496.exe;Tool.Prockill;;
    A0149496.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP634;Archive contains infected objects;Moved.;
    CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;
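The report above is the semicolon-separated DrWeb.csv (name;directory;verdict;action;). Most of its hits sit under System Volume Information, that is, inside System Restore snapshots, where an infected copy is inert until a restore is performed, and some are copies of the removal tools themselves (Tool.Prockill on SDFix\apps\Process.exe). The Python below is an added example, not Dr.Web's code: it parses the report and sorts hits into live-system malware, live tool files, restore-point copies, and lines that still need a look because Dr.Web recorded no action and no acted-on container covers them. The sample text is constructed from a subset of the lines posted above; the bucket rules and function names are this example's own.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) into what still needs a human look.

Added example for this thread, not Dr.Web code. The report format is
name;directory;verdict;action; as posted above. The classification rules here
are this example's own heuristics.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass

# Constructed sample, shaped after the report posted above (not the whole file).
SAMPLE_REPORT = """\
GTDownDE_87.ocx;C:\\i386;Adware.Gdown;Incurable.Moved.;
Process.exe;C:\\SDFix\\apps;Tool.Prockill;Incurable.Moved.;
A0144974.exe/data002\\32788R22FWJFW\\psexec.cfexe;C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP631\\A0144974.exe/data002;Program.PsExec.171;;
data002;C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP631;Archive contains infected objects;;
A0144974.exe;C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP631;Container contains infected objects;Moved.;
A0149494.reg;C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP634;Trojan.StartPage.1505;Deleted.;
CouponPrinter.ocx;C:\\WINDOWS;Adware.Coupons.34;Incurable.Moved.;
"""

RESTORE_MARKER = "\\system volume information\\_restore"
# Dr.Web verdict prefixes for riskware/tools rather than malware proper; in this
# thread they land on copies of removal utilities such as SDFix's Process.exe.
TOOL_PREFIXES = ("Tool.", "Program.")


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    verdict: str
    action: str  # empty when Dr.Web acted on the enclosing container instead

    @property
    def path(self) -> str:
        return f"{self.directory}\\{self.name}"

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_MARKER in self.directory.lower()

    @property
    def is_tool(self) -> bool:
        return self.verdict.startswith(TOOL_PREFIXES)


def parse_report(text: str) -> list[Detection]:
    """Parse the semicolon-separated report; the trailing ';' yields an empty last field."""
    out = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 4:
            continue
        name, directory, verdict, action = (f.strip() for f in row[:4])
        out.append(Detection(name, directory, verdict, action))
    return out


def covered_by_container(d: Detection, dets: list[Detection]) -> bool:
    """True if d sits inside a container that Dr.Web already moved or deleted."""
    return any(
        c.action and c is not d and d.directory.lower().startswith(c.path.lower())
        for c in dets
    )


def triage(dets: list[Detection]) -> dict[str, list[str]]:
    """Bucket detections so live-system hits stand out from restore-point noise."""
    buckets: dict[str, list[str]] = {
        "live_malware": [], "live_tool": [], "restore_point": [], "needs_review": [],
    }
    for d in dets:
        if not d.action and not covered_by_container(d, dets):
            buckets["needs_review"].append(d.path)
        elif d.in_restore_point:
            buckets["restore_point"].append(d.path)
        elif d.is_tool:
            buckets["live_tool"].append(d.path)
        else:
            buckets["live_malware"].append(d.path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

On the sample, the two live-system hits are the OCX files in C:\i386 and C:\WINDOWS; the psexec member is treated as handled because its parent A0144974.exe was moved, while the "data002" archive line falls into needs_review: Dr.Web reports its directory as the restore-point folder rather than the container, so nothing in the report ties it to an action. Restore-point copies are only a problem if a restore is run, which is why cleanup of a live system normally ends with the old restore points being purged and a fresh one created.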
     
  8. 2009/03/17
    mellotune
    HJT Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:20:28 PM, on 3/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 5178 bytes
     
  9. 2009/03/17
    magoo

    magoo Inactive

    Joined:
    2009/03/13
    Messages:
    6
    Likes Received:
    0
    welcome to win32 vitro!!! I'm still disinfecting...real bad dude virus
    it takes over all permissions and infects all exe txt html...even pdf...
    even after running hijack ......you name it ...it still hides and waits...
    you really have to start from scratch..SORRY!! buy a used hd at a pawnshop
    and reinstall windows...disconnect your existing hd and get avast and zonealarm
    on your new one..after all the windows updates...reintroduce your infected hd in safemode
    and scan the hell out of it!! right click on all your directories (one at a time) and change permission (under security) to yourself (admin) you'll see weird users..that's the virus...
    I'm doing this as I'm typing...in safemode...Man it's long....it's the only way !! Sorry!!
    Magoo Cheers...
     
  10. 2009/03/17
    mellotune
    How did you know I've win32 vitro?

    Your system was infected even after you reformatted the original HD and reinstalled everything???
     
  11. 2009/03/17
    Juliet
    Welcome back

    I'd like for you to run FixPolicies.exe again.

    Then see if you can search for and open up gpedit.msc and check if regedit and cmd are disabled there.


    Want to check if the two following items can be downloaded and run.

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment.
    No need for that though ..... just post it as you would any other log.




    Additionally, download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked.

      Uncheck the following ...


      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries

    If successful you'll need multiple posts.
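The regedit and cmd lock-out in this thread is what Windows' own policy values produce, and they are exactly what the gpedit.msc policies "Prevent access to registry editing tools" and "Prevent access to the command prompt" (User Configuration > Administrative Templates > System) write: DisableRegistryTools under Policies\System and DisableCMD under Software\Policies\Microsoft\Windows\System, honoured under HKCU and HKLM. When a look around gpedit comes up empty, reading the values directly settles it. The Python below is an added example, not FixPolicies.exe (whose internals the thread does not show) and not anything from the post: it reads the four locations, explains what each value means, and takes its reader as a callable so the logic can be exercised against a constructed snapshot off-box; on Windows, read_winreg() does the real lookup through winreg. Names such as audit() and make_fake_reader() are this example's own.

```python
"""Check the policy values that disable regedit and cmd (the ones gpedit.msc edits).

Added example for this thread; not FixPolicies.exe. Locations are the documented
Windows policy values:
  HKCU/HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System  DisableRegistryTools
  HKCU/HKLM\\Software\\Policies\\Microsoft\\Windows\\System                 DisableCMD
The reader is injected so the audit can run off-box against a constructed snapshot.
"""
from __future__ import annotations

import sys
from typing import Callable, Optional

POLICIES = (
    # (hive, subkey, value name)
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    ("HKCU", r"Software\Policies\Microsoft\Windows\System", "DisableCMD"),
    ("HKLM", r"Software\Policies\Microsoft\Windows\System", "DisableCMD"),
)

# A reader maps (hive, subkey, value name) to the DWORD, or None when absent.
Reader = Callable[[str, str, str], Optional[int]]


def describe(name: str, value: int) -> str:
    """Meaning of a non-zero value, as the policy templates define it."""
    if name == "DisableRegistryTools":
        # 1: regedit refuses with a message; 2: regedit exits silently.
        return "regedit blocked silently" if value == 2 else "regedit blocked"
    if name == "DisableCMD":
        # 1: cmd.exe and .bat/.cmd processing blocked; 2: interactive cmd only.
        return ("interactive cmd.exe blocked, .bat/.cmd scripts still run" if value == 2
                else "cmd.exe and .bat/.cmd script processing blocked")
    return f"restricted (value {value})"


def audit(read: Reader) -> list[str]:
    """Return one finding per policy value that is set non-zero."""
    findings = []
    for hive, subkey, name in POLICIES:
        value = read(hive, subkey, name)
        if value:
            findings.append(f"{hive}\\{subkey}\\{name} = {value}: {describe(name, value)}")
    return findings


def read_winreg(hive: str, subkey: str, name: str) -> Optional[int]:
    """Live reader for Windows; None when the key or value does not exist."""
    import winreg  # only importable on Windows
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(root, subkey) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return int(value)
    except OSError:
        return None


def make_fake_reader(values: dict[tuple[str, str, str], int]) -> Reader:
    """Reader over a constructed snapshot, for exercising the audit off-box."""
    return lambda hive, subkey, name: values.get((hive, subkey, name))


if __name__ == "__main__":
    if sys.platform == "win32":
        findings = audit(read_winreg)
    else:
        # Constructed snapshot resembling this thread's symptom: both tools blocked for the user.
        findings = audit(make_fake_reader({
            ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
            ("HKCU", r"Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
        }))
    print("\n".join(findings) or "no regedit/cmd restrictions set")
```

Because DisableCMD blocks cmd.exe itself, a check that runs as a script rather than from a command prompt is the practical way to read these on the affected account; the same values set under HKLM apply to every user on the machine, so both hives are worth reading.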
     
  12. 2009/03/17
    mellotune
    I'm not exactly sure where to look for the cmd and regedit settings in gpedit.msc, but I looked around and I didn't see anything about them.

    DDS not working...

    Below is from GMER Rootkit Scanner:

    GMER 1.0.15.14939 - http://www.gmer.net
    Rootkit scan 2009-03-17 20:02:03
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF784387E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7843C10]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device ED332D20

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  13. 2009/03/17
    mellotune
    Guess what!?

    cmd, regedit and right click menu -> Edit on batch file are working! I will try to see if I can run some of the other tools you mentioned before.
     
  14. 2009/03/17
    Juliet
    Fingers (and toes) are crossed.:D
     
  15. 2009/03/17
    Juliet
    What did you do to correct this?
     
  16. 2009/03/17
    mellotune
    .....
     
    Last edited: 2009/03/17
  17. 2009/03/17
    Juliet
    shhhhhhhhhh
    just keep going.......
     
  18. 2009/03/17
    mellotune
    Finally, here is ComboFix log...

    ComboFix 09-03-15.01 - xxx 2009-03-17 20:22:40.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.750.471 [GMT -4:00]
    Running from: c:\documents and settings\xxx\Desktop\Spybot\Combo-Fix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\IE4 Error Log.txt

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
    .

    2009-03-16 20:08 . 2009-03-16 20:52 <DIR> d-------- c:\documents and settings\xxx\DoctorWeb
    2009-03-16 12:33 . 2009-03-17 20:22 <DIR> d-------- c:\windows\system32\CatRoot2
    2009-03-15 21:34 . 2009-03-15 21:34 <DIR> d-------- C:\_OTMoveIt
    2009-03-15 20:02 . 2009-03-15 20:02 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-03-15 16:22 . 2009-03-15 16:22 <DIR> d-------- c:\program files\Malwarebytes Anti-Malware
    2009-03-15 16:22 . 2009-03-15 16:22 <DIR> d-------- c:\documents and settings\xxx\Application Data\Malwarebytes
    2009-03-15 16:22 . 2009-03-15 16:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-15 16:22 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-15 16:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-15 15:12 . 2009-03-15 15:12 578,560 --a------ c:\windows\system32\dllcache\user32.dll
    2009-03-15 15:09 . 2009-03-15 15:10 <DIR> d-------- c:\windows\ERUNT
    2009-03-15 15:00 . 2009-03-15 15:55 <DIR> d-------- C:\SDFix
    2009-03-15 14:16 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-03-15 14:16 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
    2009-03-15 14:16 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-03-14 13:34 . 2009-03-17 20:27 <DIR> d-------- c:\documents and settings\xxx\Tracing
    2009-03-14 13:33 . 2009-03-14 13:33 <DIR> d-------- c:\program files\Microsoft
    2009-03-14 13:32 . 2009-03-14 13:32 <DIR> d-------- c:\program files\Windows Live SkyDrive
    2009-03-14 13:32 . 2009-03-14 13:33 <DIR> d-------- c:\program files\Windows Live
    2009-03-14 13:30 . 2009-03-14 13:30 <DIR> d-------- c:\program files\Common Files\Windows Live
    2009-03-12 12:40 . 2009-01-09 15:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
    2009-03-12 00:24 . 2009-03-12 00:24 <DIR> d-------- c:\documents and settings\xxx\Application Data\Windows Search
    2009-03-12 00:05 . 2009-03-12 00:05 <DIR> d-------- c:\windows\system32\XPSViewer
    2009-03-12 00:05 . 2009-03-12 00:05 <DIR> d-------- c:\program files\Reference Assemblies
    2009-03-12 00:05 . 2009-03-12 00:05 <DIR> d-------- c:\program files\MSBuild
    2009-03-12 00:04 . 2009-03-12 00:05 <DIR> d-------- C:\4130176174e94660b653
    2009-03-12 00:04 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
    2009-03-12 00:04 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
    2009-03-12 00:04 . 2008-07-06 06:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-03-12 00:04 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
    2009-03-12 00:04 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-03-12 00:04 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
    2009-03-12 00:04 . 2008-07-06 08:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-03-11 23:56 . 2009-03-11 23:56 <DIR> d-------- c:\documents and settings\xxx\Application Data\Windows Desktop Search
    2009-03-11 23:55 . 2009-03-11 23:55 <DIR> d-------- c:\program files\Windows Desktop Search
    2009-03-11 23:53 . 2008-03-07 13:02 192,000 --------- c:\windows\system32\dllcache\offfilt.dll
    2009-03-11 23:53 . 2008-03-07 13:02 98,304 --------- c:\windows\system32\dllcache\nlhtml.dll
    2009-03-11 23:53 . 2008-03-07 13:02 29,696 --------- c:\windows\system32\dllcache\mimefilt.dll
    2009-03-11 23:22 . 2008-12-20 19:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
    2009-03-11 23:22 . 2007-04-17 05:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
    2009-03-11 23:22 . 2007-03-08 01:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
    2009-03-11 23:22 . 2008-12-20 19:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
    2009-03-11 23:22 . 2008-12-20 19:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
    2009-03-11 23:22 . 2008-12-20 19:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
    2009-03-11 23:22 . 2008-12-20 19:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
    2009-03-11 23:22 . 2008-12-20 19:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-03-11 23:22 . 2008-12-19 05:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
    2009-03-11 18:03 . 2009-03-11 17:17 15,688 --a------ c:\windows\system32\lsdelete.exe
    2009-03-11 17:07 . 2009-03-11 17:16 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
    2009-03-11 16:57 . 2009-03-11 16:57 <DIR> d-------- c:\program files\Lavasoft
    2009-03-11 16:57 . 2009-03-11 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-11 16:57 . 2009-03-11 16:57 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
    2009-03-10 19:15 . 2009-03-10 19:15 <DIR> d-------- c:\program files\Trend Micro
    2009-03-10 16:47 . 2009-03-10 16:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-10 16:47 . 2009-03-10 16:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-10 14:17 . 2009-03-10 14:17 <DIR> d-------- C:\9809705b9130bbf9d1
    2009-03-03 17:53 . 2009-03-03 17:53 <DIR> d-------- c:\documents and settings\xxx\Application Data\LinkedIn
    2009-03-03 16:51 . 2009-03-03 16:51 <DIR> d---s---- c:\documents and settings\Guest\UserData
    2009-03-03 16:49 . 2009-03-03 16:49 <DIR> d-------- c:\documents and settings\Guest\Application Data\LinkedIn
    2009-02-26 04:03 . 2009-03-01 01:10 <DIR> d-------- c:\program files\PDF Editor 2
    2009-02-26 04:03 . 2009-02-26 04:03 75,264 --a------ c:\windows\cadkasdeinst01e.exe
    2009-02-26 03:59 . 2009-02-26 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
    2009-02-24 21:44 . 2009-02-24 21:44 202,072 -ra------ c:\windows\cpnprt2.cid

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-16 16:48 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-16 04:52 --------- d-----w c:\program files\Norton AntiVirus
    2009-03-16 04:51 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-03-12 00:43 --------- d-----w c:\program files\SUPERAntiSpyware
    2009-03-11 16:25 --------- d-----w c:\program files\DynDNS Updater
    2009-02-28 15:06 --------- d-----w c:\program files\Common Files\Adobe
    2009-02-12 17:09 --------- d-----w c:\program files\Coupons
    2009-02-10 16:57 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-10 16:57 --------- d-----w c:\program files\TD AMERITRADE
    2009-02-07 00:58 --------- d-----w c:\program files\DTOOLS
    2009-02-06 19:38 --------- d-----w c:\documents and settings\xxx\Application Data\SUPERAntiSpyware.com
    2009-02-06 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-06 19:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-02-02 20:06 --------- d-----w c:\documents and settings\xxx\Application Data\Nitro PDF
    2009-02-02 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\Nitro PDF
    2009-01-29 22:11 --------- d-----w c:\documents and settings\xxx\Application Data\Uniblue
    2009-01-29 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-02-25 536576]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-13 98304]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 17:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=c:\windows\system32\..\bags.onn

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Pml Driver HPZ12"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    "WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
    "NAV CfgWiz"=c:\program files\Common Files\Symantec Shared\SymProbe.exe -r "c:\program files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
    S2 NavManUSB;NAVMAN GPS USB Adaptor Driver Service;c:\windows\system32\drivers\NvMnUSB.SYS [2005-07-28 16128]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59d32850-abe2-11db-bc79-806d6172696f}]
    \Shell\AutoRun\command - D:\setup.exe
    \Shell\directx\command - d:\directx\dxsetup.exe
    \Shell\setup\command - D:\setup.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Linked&In Search
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-17 20:27:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1024)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-17 20:31:36 - machine was rebooted [xxx]
    ComboFix-quarantined-files.txt 2009-03-18 00:31:14

    Pre-Run: 678,739,968 bytes free
    Post-Run: 851,472,384 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    213 --- E O F --- 2009-03-16 23:47:33
     
  19. 2009/03/17
    mellotune

    mellotune Inactive Thread Starter

    Joined:
    2009/03/11
    Messages:
    30
    Likes Received:
    0
    Here is a new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:48:44 PM, on 3/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 5168 bytes
     
  20. 2009/03/17
    mellotune

    mellotune Inactive Thread Starter

    Joined:
    2009/03/11
    Messages:
    30
    Likes Received:
    0
    Anything else I should run? Thanks!
     
  21. 2009/03/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Just a little bit left to do.

    How's the computer now?


    Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the text below into it (don't forget to copy and paste REGEDIT4)

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"=""


    Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.



    Your version of Java is outdated.

    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.





    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
    Last edited: 2009/03/17
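    A way to audit the Drivers32 key that the fix.reg above edits, as an added example that is not part of the thread or of any tool it mentions: it lists every value under Drivers32 and flags data that points outside system32 or to a file that does not exist, so a stray entry such as the aux2 one stands out. It assumes Windows PowerShell 2.0 or later, run from an elevated prompt.

```powershell
# Added example (not from the thread): list HKLM\...\Drivers32 values and flag
# the unusual ones. Assumes PowerShell 2.0+ on Windows, run elevated.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
# Properties that Get-ItemProperty adds itself; they are not registry values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$system32 = Join-Path $env:SystemRoot 'system32'

function Get-Drivers32Status {
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        if ([string]::IsNullOrWhiteSpace($data)) {
            $status = 'empty'
        } else {
            # A normal Drivers32 value is a bare DLL name that Windows resolves
            # from system32; a full path elsewhere or a missing file deserves a look.
            if ([IO.Path]::IsPathRooted($data)) {
                $full = [Environment]::ExpandEnvironmentVariables($data)
                if ($full -like "$system32\*") { $status = 'ok' }
                else { $status = 'REVIEW: outside system32' }
            } else {
                $full = Join-Path $system32 $data
                $status = 'ok'
            }
            if ($status -eq 'ok' -and -not (Test-Path -LiteralPath $full)) {
                $status = 'REVIEW: file missing'
            }
        }
        New-Object PSObject -Property @{
            Name   = $prop.Name
            Data   = $data
            Status = $status
        }
    }
}

# Flagged entries sort to the top so they are easy to spot in the table
Get-Drivers32Status | Sort-Object Status, Name -Descending | Format-Table Name, Data, Status -AutoSize
```

    An 'empty' status after merging fix.reg is expected for aux2; a 'REVIEW' status on any other value is worth comparing against a clean machine before deciding to touch it.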