
[InActive] Internet Issues

Discussion in 'Malware and Virus Removal Archive' started by jacketsfan4life, 2008/10/27.

  1. 2008/10/27
    jacketsfan4life

    jacketsfan4life Inactive Thread Starter

    Joined:
    2008/10/27
    Messages:
    11
    Likes Received:
    0
    I have read a few threads on the site trying to fix my problem myself, but I cannot seem to fix it on my own. Starting about a week ago, I got the spyware XP Antivirus 2009. I attempted, and thought I had successfully, eliminated it from my computer using a few different pieces of software, but I am still having some residual issues. My two main problems are that when I search for something on Google and click a link, I get redirected to an ad. My second problem is that my overall internet connectivity is being "interrupted" (the word used on the error screen). I can load my home page and get about two pages from that point before I have to click the next page I go to about 20 or so times to get the page to finally load. I wouldn't think this was too big of a problem if it hadn't been persistent for two days now. If there is any information that is needed to help, I will be glad to provide it.

    Thanks in advance.

    Here is my HJT log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:50:22 PM, on 10/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c16/v22.154/qboax10.cab
    O20 - AppInit_DLLs: karna.dat
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5334 bytes
     
  2. 2008/10/27
    jacketsfan4life Inactive Thread Starter
    Ok so the internet connectivity issue seems to be isolated to where I live. I just go to work and the problem is gone... I should've known that could have been the problem....
     


  4. 2008/10/27
    jacketsfan4life Inactive Thread Starter
    Sorry, posted twice.
     
    Last edited: 2008/10/28
  5. 2008/10/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jacketsfan4life
    Welcome to WindowsBBS.
    Could you tell me what programs you tried using?

    If you did not run Malwarebytes Anti-Malware please do so. Here are the instructions.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Also please do this.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool.
    • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
    • If prompted by your firewall to allow RSIT to access the internet, please allow it. It will be updating your version of HijackThis.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of both here in your next reply.

    Please post the MBAM log and the RSIT logs.

    Thanks
    Geri
     
  6. 2008/10/29
    jacketsfan4life Inactive Thread Starter
    Here is the Malwarebytes log file. I tried to click on the RSIT link but it says that it failed to connect. I googled it, and when I found the link there and pasted it into my URL bar it still failed to connect.


    Malwarebytes' Anti-Malware 1.26
    Database version: 1103
    Windows 5.1.2600 Service Pack 2

    10/29/2008 12:58:07 AM
    mbam-log-2008-10-29 (00-58-07).txt

    Scan type: Quick Scan
    Objects scanned: 60215
    Time elapsed: 18 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  7. 2008/10/29
    jacketsfan4life Inactive Thread Starter
    Ok so I checked Google to see if those files being erased fixed the problem, and it did as far as I can tell. So from my end things are fixed unless you think the fact I can't get to that site is a problem.
     
  8. 2008/10/29
    Geri Inactive Alumni
    Hi
    You have a pretty nasty Rootkit.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Thanks
    Geri
     
  9. 2008/10/29
    jacketsfan4life Inactive Thread Starter
    When I try to click on that link I also get this error message, the same one I get when I try to download the RSIT file.

    Failed to Connect

    Firefox can't establish a connection to the server at www.bleepingcomputer.com
    Though the site seems valid, the browser was unable to establish a connection.

    * Could the site be temporarily unavailable? Try again later.
    * Are you unable to browse other sites? Check the computer's network connection.
    * Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.
     
  10. 2008/10/29
    Geri Inactive Alumni
    Hi

    Please Open MBAM and make sure you update the files, then run MBAM again and then see if you can get to the Combofix site.

    If that doesn't work

    Do you have access to another computer that is not infected where you can download and transfer a tool to the infected computer?

    Thanks
    Geri
     
  11. 2008/10/29
    jacketsfan4life Inactive Thread Starter
    I got my friend to send me combofix.exe; here is the log:

    ComboFix 08-10-30.04 - Stephen Chambless 2008-10-29 23:36:22.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT -4:00]
    Running from: C:\Documents and Settings\Stephen Chambless\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Stephen Chambless\Cookies\tameripog.bat
    C:\Documents and Settings\Stephen Chambless\Local Settings\Temporary Internet Files\duwotyduz.bin
    C:\Documents and Settings\Stephen Chambless\Local Settings\Temporary Internet Files\pile.ban
    C:\Documents and Settings\Stephen Chambless\Local Settings\Temporary Internet Files\qamyvim.db
    C:\Documents and Settings\Stephen Chambless\Local Settings\Temporary Internet Files\qyhaj.pif
    C:\WINDOWS\system32\wini10801.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSserv
    -------\Legacy_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
    .

    2008-10-29 23:29 . 2008-10-29 23:29 26,624 --a------ C:\WINDOWS\system32\TDSSoiqh.dll
    2008-10-27 14:30 . 2008-10-27 14:30 <DIR> d--h----- C:\WINDOWS\PIF
    2008-10-27 14:21 . 2008-10-27 14:21 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-27 14:21 . 2008-10-27 14:21 <DIR> d-------- C:\HJT
    2008-10-27 13:12 . 2008-10-29 00:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-27 13:12 . 2008-09-02 00:24 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-27 13:12 . 2008-09-02 00:24 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-21 12:24 . 2003-03-18 17:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-10-21 12:23 . 2008-10-21 12:23 <DIR> d-------- C:\Program Files\Alwil Software
    2008-10-21 09:59 . 2008-10-21 09:59 <DIR> d-------- C:\Program Files\uTorrent
    2008-10-21 09:59 . 2008-10-22 07:53 <DIR> d-------- C:\Documents and Settings\Stephen Chambless\Application Data\uTorrent
    2008-10-20 21:59 . 2008-10-21 12:18 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-10-20 18:58 . 2008-10-20 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-20 17:47 . 2008-10-20 17:47 17,923 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\azucy.sys
    2008-10-20 17:47 . 2008-10-20 17:47 17,289 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\lanum.bat
    2008-10-20 17:47 . 2008-10-20 17:47 17,033 --a------ C:\WINDOWS\vyhisopag.vbs
    2008-10-20 17:47 . 2008-10-20 17:47 15,255 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\ocapyl.bat
    2008-10-20 17:47 . 2008-10-20 17:47 13,694 --a------ C:\WINDOWS\odehojevu.inf
    2008-10-20 17:47 . 2008-10-20 17:47 13,176 --a------ C:\WINDOWS\system32\zuloso.lib
    2008-10-20 17:47 . 2008-10-20 17:47 12,924 --a------ C:\Program Files\Common Files\ofuweko.vbs
    2008-10-20 17:47 . 2008-10-20 17:47 12,287 --a------ C:\WINDOWS\system32\avehyv.com
    2008-10-20 17:47 . 2008-10-20 17:47 11,897 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\iditi.sys
    2008-10-20 17:47 . 2008-10-20 17:47 11,466 --a------ C:\WINDOWS\system32\lanopuz.dat
    2008-10-20 17:47 . 2008-10-20 17:47 11,256 --a------ C:\WINDOWS\uxyzafimo._sy
    2008-10-20 17:47 . 2008-10-20 17:47 11,061 --a------ C:\Program Files\Common Files\ybimuhyne.bin
    2008-10-20 17:47 . 2008-10-20 17:47 10,278 --a------ C:\Documents and Settings\All Users\Application Data\vubuhib.bin
    2008-10-20 16:35 . 2008-10-29 10:05 73,728 --a------ C:\WINDOWS\system32\TDSSxfum.dll
    2008-10-20 16:35 . 2008-10-29 10:05 51,200 --a------ C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    2008-10-20 16:35 . 2008-10-29 10:05 31,232 --a------ C:\WINDOWS\system32\TDSSbvqp.dll
    2008-10-20 16:35 . 2008-10-29 10:05 29,696 --a------ C:\WINDOWS\system32\TDSSbrrn.dll
    2008-10-20 16:35 . 2008-10-29 10:05 26,624 --a------ C:\WINDOWS\system32\TDSSoiqd.dll
    2008-10-20 16:35 . 2008-10-21 15:16 12,288 --a------ C:\WINDOWS\system32\TDSSrhjm.dll
    2008-10-20 16:35 . 2008-10-29 10:04 3,530 --a------ C:\WINDOWS\system32\TDSSlxwp.dll
    2008-10-20 16:35 . 2008-10-29 10:05 164 --a------ C:\WINDOWS\system32\TDSSwpyh.dat
    2008-09-28 14:09 . 2008-09-28 14:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-04 17:31 . 2008-09-04 17:31 0 --a------ C:\WINDOWS\system32\B.tmp
    2008-09-04 16:58 . 2008-09-04 16:58 <DIR> d-------- C:\Documents and Settings\Stephen Chambless\Application Data\Malwarebytes
    2008-09-04 16:58 . 2008-09-04 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-26 03:00 --------- d-----w C:\Program Files\Full Tilt Poker
    2008-10-20 21:47 14,034 ----a-w C:\Program Files\Common Files\gorazu.lib
    2008-10-05 01:27 --------- d-----w C:\Documents and Settings\Stephen Chambless\Application Data\Move Networks
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-14 05:06 --------- d-----w C:\Documents and Settings\Stephen Chambless\Application Data\Apple Computer
    2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-05 184320]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 126976]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 C:\WINDOWS\agrsmmsg.exe]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-02 38528]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    HKLM-Run-avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    SafeBoot-TDSSmqlt.sys


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Stephen Chambless\Application Data\Mozilla\Firefox\Profiles\nay39jzu.default\
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-29 23:43:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\McAfee\Common Framework\Mctray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-29 23:49:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-30 03:49:13

    Pre-Run: 65,702,809,600 bytes free
    Post-Run: 67,567,149,056 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    168 --- E O F --- 2008-10-24 07:00:33
     
  12. 2008/10/29
    Geri Inactive Alumni
    Hi
    OK, please run ComboFix again; it missed a number of files it should have deleted, and I'm not sure why.

    Make sure you disable any real-time protection that is running.
    McAfee

    Please post the new log it gives you.

    Thanks
    Geri
     
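    An added example, not code from this thread or from the HijackThis/ComboFix authors: a small Python triage script for the two kinds of log posted above. It flags the HijackThis loading-point entry that matters here (a non-empty O20 AppInit_DLLs value, which names a DLL loaded into every process that loads user32.dll) and, for a ComboFix log, lists files created under the TDSS-style name that the "Other Deletions" section did not remove, which is exactly the gap Geri points out in the post above. The embedded log text is a constructed excerpt of the first HijackThis and ComboFix logs in this thread; the function names, the section-banner parsing and the TDSS file-name pattern are my own assumptions, the pattern taken only from the file names visible in those logs.

```python
import re
from typing import Dict, List

# Constructed excerpt of the HijackThis log from the first post (only a few lines kept).
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed excerpt of the first ComboFix log in the thread, sections trimmed.
COMBOFIX_SAMPLE = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.

C:\Documents and Settings\Stephen Chambless\Cookies\tameripog.bat
C:\WINDOWS\system32\wini10801.exe

.
((((((((((((((((((((( Drivers/Services )))))))))))))))))))))
.

-------\Service_TDSSserv

((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))
.

2008-10-29 23:29 . 2008-10-29 23:29 26,624 --a------ C:\WINDOWS\system32\TDSSoiqh.dll
2008-10-27 14:30 . 2008-10-27 14:30 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-27 13:12 . 2008-09-02 00:24 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-20 16:35 . 2008-10-29 10:05 73,728 --a------ C:\WINDOWS\system32\TDSSxfum.dll
2008-10-20 16:35 . 2008-10-29 10:05 51,200 --a------ C:\WINDOWS\system32\drivers\TDSSmqlt.sys
2008-10-20 16:35 . 2008-10-29 10:05 164 --a------ C:\WINDOWS\system32\TDSSwpyh.dat
2008-09-04 17:31 . 2008-09-04 17:31 0 --a------ C:\WINDOWS\system32\B.tmp

.
((((((((((((((((((((( Find3M Report )))))))))))))))))))))
.
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
"""

HJT_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")          # "O20 - AppInit_DLLs: karna.dat"
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "(((( Other Deletions ))))" banners
PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a bare Windows path line
# "Files Created" rows: created . modified [<DIR>] [size] attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:<DIR>\s+)?(?:[\d,]+\s+)?[-a-z]+\s+(.+?)\s*$"
)


def hjt_flags(text: str) -> List[str]:
    """Return HijackThis entries worth a closer look: a non-empty O20 AppInit_DLLs
    value (injected into every user32-loading process) or any entry naming a
    TDSS-prefixed file (assumed pattern, taken from the names in this thread)."""
    flagged = []
    for raw in text.splitlines():
        m = HJT_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            flagged.append(raw.strip())
        elif re.search(r"\bTDSS", body, re.I):
            flagged.append(raw.strip())
    return flagged


def parse_combofix_sections(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into its banner-delimited sections (assumed format),
    dropping blank lines and the '.' spacer lines ComboFix prints."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or not line or line == ".":
            continue
        sections[current].append(line)
    return sections


def combofix_deleted(sections: Dict[str, List[str]]) -> List[str]:
    """Paths listed under 'Other Deletions'."""
    return [l for l in sections.get("Other Deletions", []) if PATH_RE.match(l)]


def combofix_created(sections: Dict[str, List[str]]) -> List[str]:
    """Paths from every 'Files Created from ...' section."""
    paths = []
    for name, lines in sections.items():
        if name.startswith("Files Created"):
            paths.extend(m.group(1) for m in map(CREATED_RE.match, lines) if m)
    return paths


def surviving_matches(created: List[str], deleted: List[str],
                      pattern: str = r"\\TDSS[^\\]*$") -> List[str]:
    """Created paths matching `pattern` that the deletion list did not cover.
    Compared case-insensitively: ComboFix prints 'Drivers' and 'drivers' for
    the same folder across runs, so a case-sensitive diff would miss matches."""
    gone = {p.lower() for p in deleted}
    rx = re.compile(pattern, re.I)
    return [p for p in created if rx.search(p) and p.lower() not in gone]


if __name__ == "__main__":
    for line in hjt_flags(HJT_SAMPLE):
        print("HJT :", line)
    sec = parse_combofix_sections(COMBOFIX_SAMPLE)
    for p in surviving_matches(combofix_created(sec), combofix_deleted(sec)):
        print("LEFT:", p)
```

    Run it against a saved log by replacing the two sample strings with the file contents; anything printed as LEFT is a file the run reported seeing but did not report deleting, which is the list to compare against the next run's "Other Deletions" section.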
  13. 2008/10/30
    jacketsfan4life Inactive Thread Starter
    Second time through:

    ComboFix 08-10-30.04 - Stephen Chambless 2008-10-30 0:46:40.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.259 [GMT -4:00]
    Running from: C:\Documents and Settings\Stephen Chambless\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\Drivers\TDSSmqlt.sys
    C:\WINDOWS\system32\TDSSbrrn.dll
    C:\WINDOWS\system32\TDSSbvqp.dll
    C:\WINDOWS\system32\TDSSlxwp.dll
    C:\WINDOWS\system32\TDSSnmxh.log
    C:\WINDOWS\system32\TDSSoeqh.log
    C:\WINDOWS\system32\TDSSoiqd.dll
    C:\WINDOWS\system32\TDSSoiqh.dll
    C:\WINDOWS\system32\TDSSrhjm.dll
    C:\WINDOWS\system32\TDSSwpyh.dat
    C:\WINDOWS\system32\TDSSxfum.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
    .

    2008-10-27 14:30 . 2008-10-27 14:30 <DIR> d--h----- C:\WINDOWS\PIF
    2008-10-27 14:21 . 2008-10-27 14:21 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-27 14:21 . 2008-10-27 14:21 <DIR> d-------- C:\HJT
    2008-10-27 13:12 . 2008-10-29 00:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-27 13:12 . 2008-09-02 00:24 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-27 13:12 . 2008-09-02 00:24 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-21 12:24 . 2003-03-18 17:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-10-21 12:23 . 2008-10-21 12:23 <DIR> d-------- C:\Program Files\Alwil Software
    2008-10-21 09:59 . 2008-10-21 09:59 <DIR> d-------- C:\Program Files\uTorrent
    2008-10-21 09:59 . 2008-10-22 07:53 <DIR> d-------- C:\Documents and Settings\Stephen Chambless\Application Data\uTorrent
    2008-10-20 21:59 . 2008-10-21 12:18 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-10-20 18:58 . 2008-10-20 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-20 17:47 . 2008-10-20 17:47 17,923 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\azucy.sys
    2008-10-20 17:47 . 2008-10-20 17:47 17,289 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\lanum.bat
    2008-10-20 17:47 . 2008-10-20 17:47 17,033 --a------ C:\WINDOWS\vyhisopag.vbs
    2008-10-20 17:47 . 2008-10-20 17:47 15,255 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\ocapyl.bat
    2008-10-20 17:47 . 2008-10-20 17:47 13,694 --a------ C:\WINDOWS\odehojevu.inf
    2008-10-20 17:47 . 2008-10-20 17:47 13,176 --a------ C:\WINDOWS\system32\zuloso.lib
    2008-10-20 17:47 . 2008-10-20 17:47 12,924 --a------ C:\Program Files\Common Files\ofuweko.vbs
    2008-10-20 17:47 . 2008-10-20 17:47 12,287 --a------ C:\WINDOWS\system32\avehyv.com
    2008-10-20 17:47 . 2008-10-20 17:47 11,897 --a------ C:\Documents and Settings\Stephen Chambless\Application Data\iditi.sys
    2008-10-20 17:47 . 2008-10-20 17:47 11,466 --a------ C:\WINDOWS\system32\lanopuz.dat
    2008-10-20 17:47 . 2008-10-20 17:47 11,256 --a------ C:\WINDOWS\uxyzafimo._sy
    2008-10-20 17:47 . 2008-10-20 17:47 11,061 --a------ C:\Program Files\Common Files\ybimuhyne.bin
    2008-10-20 17:47 . 2008-10-20 17:47 10,278 --a------ C:\Documents and Settings\All Users\Application Data\vubuhib.bin
    2008-09-28 14:09 . 2008-09-28 14:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-04 17:31 . 2008-09-04 17:31 0 --a------ C:\WINDOWS\system32\B.tmp
    2008-09-04 16:58 . 2008-09-04 16:58 <DIR> d-------- C:\Documents and Settings\Stephen Chambless\Application Data\Malwarebytes
    2008-09-04 16:58 . 2008-09-04 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-26 03:00 --------- d-----w C:\Program Files\Full Tilt Poker
    2008-10-20 21:47 14,034 ----a-w C:\Program Files\Common Files\gorazu.lib
    2008-10-05 01:27 --------- d-----w C:\Documents and Settings\Stephen Chambless\Application Data\Move Networks
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-14 05:06 --------- d-----w C:\Documents and Settings\Stephen Chambless\Application Data\Apple Computer
    2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE "= "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
    "McAfeeUpdaterUI "= "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "LtMoh "= "C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-05 184320]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 126976]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-10-28 C:\WINDOWS\agrsmmsg.exe]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-02 38528]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Stephen Chambless\Application Data\Mozilla\Firefox\Profiles\nay39jzu.default\
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-30 00:55:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\McAfee\Common Framework\Mctray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-30 1:01:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-30 05:01:33
    ComboFix2.txt 2008-10-30 03:49:27

    Pre-Run: 67,621,707,776 bytes free
    Post-Run: 67,568,807,936 bytes free

    151 --- E O F --- 2008-10-24 07:00:33
     
  14. 2008/10/30
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok thanks, that helped.

    Please do the following.


    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\Program Files\Common Files\gorazu.lib
    • Click on the submit button
    • Please post the results in your next reply.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Collect:: 
    C:\Documents and Settings\Stephen Chambless\Application Data\azucy.sys
    C:\Documents and Settings\Stephen Chambless\Application Data\lanum.bat
    C:\WINDOWS\vyhisopag.vbs
    C:\Documents and Settings\Stephen Chambless\Application Data\ocapyl.bat
    C:\WINDOWS\odehojevu.inf
    C:\WINDOWS\system32\zuloso.lib
    C:\Program Files\Common Files\ofuweko.vbs
    C:\WINDOWS\system32\avehyv.com
    C:\Documents and Settings\Stephen Chambless\Application Data\iditi.sys
    C:\WINDOWS\system32\lanopuz.dat
    C:\WINDOWS\uxyzafimo._sy
    C:\Program Files\Common Files\ybimuhyne.bin
    C:\Documents and Settings\All Users\Application Data\vubuhib.bin

    Please post the Jotti results and the Combofix log.

    Thanks
    Geri
     
  15. 2008/10/31
    jacketsfan4life

    jacketsfan4life Inactive Thread Starter

    Joined:
    2008/10/27
    Messages:
    11
    Likes Received:
    0
    FWIW, I can get on bleepingcomputer.com now

    Jotti's results:

    Service load:
    0% 100%
    File: gorazu.lib
    Status:
    OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 719640047d11cc35c393ac7990c37e33
    Packers detected:
    -
    Scanner results
    Scan taken on 31 Oct 2008 16:10:45 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    G DATA
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

    Combofix log:

    ComboFix 08-10-30.13 - Stephen Chambless 2008-10-31 12:02:44.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT -4:00]
    Running from: C:\Documents and Settings\Stephen Chambless\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Stephen Chambless\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\vubuhib.bin
    C:\Documents and Settings\Stephen Chambless\Application Data\azucy.sys
    C:\Documents and Settings\Stephen Chambless\Application Data\iditi.sys
    C:\Documents and Settings\Stephen Chambless\Application Data\lanum.bat
    C:\Documents and Settings\Stephen Chambless\Application Data\ocapyl.bat
    C:\Program Files\Common Files\ofuweko.vbs
    C:\Program Files\Common Files\ybimuhyne.bin
    C:\WINDOWS\odehojevu.inf
    C:\WINDOWS\system32\avehyv.com
    C:\WINDOWS\system32\lanopuz.dat
    C:\WINDOWS\system32\zuloso.lib
    C:\WINDOWS\uxyzafimo._sy
    C:\WINDOWS\vyhisopag.vbs

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-31 )))))))))))))))))))))))))))))))
    .

    2008-10-27 14:30 . 2008-10-27 14:30 <DIR> d--h----- C:\WINDOWS\PIF
    2008-10-27 14:21 . 2008-10-27 14:21 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-27 14:21 . 2008-10-27 14:21 <DIR> d-------- C:\HJT
    2008-10-27 13:12 . 2008-10-29 00:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-27 13:12 . 2008-09-02 00:24 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-27 13:12 . 2008-09-02 00:24 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-21 12:24 . 2003-03-18 17:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-10-21 12:23 . 2008-10-21 12:23 <DIR> d-------- C:\Program Files\Alwil Software
    2008-10-21 09:59 . 2008-10-21 09:59 <DIR> d-------- C:\Program Files\uTorrent
    2008-10-21 09:59 . 2008-10-22 07:53 <DIR> d-------- C:\Documents and Settings\Stephen Chambless\Application Data\uTorrent
    2008-10-20 21:59 . 2008-10-21 12:18 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-10-20 18:58 . 2008-10-20 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-28 14:09 . 2008-09-28 14:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-04 17:31 . 2008-09-04 17:31 0 --a------ C:\WINDOWS\system32\B.tmp
    2008-09-04 16:58 . 2008-09-04 16:58 <DIR> d-------- C:\Documents and Settings\Stephen Chambless\Application Data\Malwarebytes
    2008-09-04 16:58 . 2008-09-04 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-26 03:00 --------- d-----w C:\Program Files\Full Tilt Poker
    2008-10-20 21:47 14,034 ----a-w C:\Program Files\Common Files\gorazu.lib
    2008-10-05 01:27 --------- d-----w C:\Documents and Settings\Stephen Chambless\Application Data\Move Networks
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-14 05:06 --------- d-----w C:\Documents and Settings\Stephen Chambless\Application Data\Apple Computer
    2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE "= "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
    "McAfeeUpdaterUI "= "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "LtMoh "= "C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-05 184320]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 126976]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-10-28 C:\WINDOWS\agrsmmsg.exe]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-02 38528]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-31 12:05:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-31 12:07:10
    ComboFix-quarantined-files.txt 2008-10-31 16:07:00
    ComboFix2.txt 2008-10-30 05:01:45
    ComboFix3.txt 2008-10-30 03:49:27

    Pre-Run: 67,578,593,280 bytes free
    Post-Run: 67,567,562,752 bytes free

    115 --- E O F --- 2008-10-24 07:00:33
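One check a helper would want after a CFScript run like the one above is whether every path listed under `Collect::` actually shows up in the ComboFix log's "Other Deletions" section. The script below is an added example, not part of this thread or of ComboFix; its sample input is constructed from the CFScript in post 14 and the log in post 15 (with one path deliberately left out of the log to show the mismatch case), and the ComboFix banner format it parses is assumed from the logs posted here.

```python
"""Cross-check a CFScript 'Collect::' list against a ComboFix log's
'Other Deletions' section. Added example; not ComboFix's own tooling."""

# Constructed sample input, taken from the thread above. vyhisopag.vbs is
# intentionally absent from the log excerpt so the 'missing' branch is exercised.
CFSCRIPT = r"""Collect::
C:\Documents and Settings\Stephen Chambless\Application Data\azucy.sys
C:\WINDOWS\vyhisopag.vbs
C:\WINDOWS\system32\zuloso.lib
"""

COMBOFIX_LOG = r"""((((( Other Deletions )))))
.

C:\Documents and Settings\Stephen Chambless\Application Data\azucy.sys
C:\WINDOWS\system32\zuloso.lib

.
((((( Files Created from 2008-09-28 to 2008-10-31 )))))
.
"""


def parse_cfscript_collect(text):
    """Return the paths listed under a Collect:: directive, lower-cased
    because NTFS paths are case-insensitive."""
    paths, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):          # a directive header such as Collect:: or File::
            active = line.lower() == "collect::"
            continue
        if active:
            paths.append(line.lower())
    return paths


def parse_log_section(text, title):
    """Return the non-empty entries of the ComboFix section whose banner
    line (assumed format: '((((( Title )))))') contains title."""
    entries, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("((((") and line.endswith("))))"):
            active = title.lower() in line.lower()
            continue
        if active and line and line != ".":
            entries.append(line.lower())
    return entries


def verify_collection(cfscript, log):
    """Split the Collect:: paths into those the log reports deleted and those it does not."""
    wanted = parse_cfscript_collect(cfscript)
    deleted = set(parse_log_section(log, "Other Deletions"))
    return {"removed": [p for p in wanted if p in deleted],
            "missing": [p for p in wanted if p not in deleted]}


if __name__ == "__main__":
    result = verify_collection(CFSCRIPT, COMBOFIX_LOG)
    print("removed:", *result["removed"], sep="\n  ")
    print("missing:", *result["missing"], sep="\n  ")
```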
     
  16. 2008/10/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK great,
    Any other problems that you know of? Your Anti-Virus program updating OK?

    Let me know.
     
  17. 2008/11/01
    jacketsfan4life

    jacketsfan4life Inactive Thread Starter

    Joined:
    2008/10/27
    Messages:
    11
    Likes Received:
    0
    uhh actually no. I really appreciate the help, you made my life a heck of a lot easier. Well I do have one question. What virus software would you recommend? McAfee would be great if the mcshield.exe didn't take upwards of 50-80,000 K when it runs. If I got a new software to replace that one, which would you suggest?
     
  18. 2008/11/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    If you are going to buy one I recommend CA's eTrust. I use it and it was recommended to me by noahdfear years ago.
    http://www.casecuritystore.com/ca_anti-virus.php

    If you are going with a free one I recommend Avast.

    Now we need to get an online scan. Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Please do an online scan with Kaspersky WebScanner

    It's best to disable realtime protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.


    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
     
