search result window; redirect IE to Yahoo; svhost.exe 100%

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Post by shelleysimon » May 27th, 2008, 10:22 am

Thank you - I'm completing my tasks now.
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Post by shelleysimon » May 27th, 2008, 10:32 am

Here is my ComboFix log. Will do HijackThis next.
ComboFix 08-05-26.2 - Shelley Simon 2008-05-27 10:25:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.170 [GMT -4:00]
Running from: C:\Documents and Settings\Shelley Simon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shelley Simon\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\Downloaded Program Files\rave
C:\windows\Downloaded Program Files\rave\avirexe.vdm
C:\windows\Downloaded Program Files\rave\avirscr.vdm
C:\windows\Downloaded Program Files\rave\base.vdm
C:\windows\Downloaded Program Files\rave\daily.vdm
C:\windows\Downloaded Program Files\rave\daily.vdt
C:\windows\Downloaded Program Files\rave\filters.vdm
C:\windows\Downloaded Program Files\rave\kernel.vdk
C:\windows\Downloaded Program Files\rave\keyring.vdk
C:\windows\Downloaded Program Files\rave\mapi_vdm.vdm
C:\windows\Downloaded Program Files\rave\modules.vdk
C:\windows\Downloaded Program Files\rave\rav8def.vdm
C:\windows\Downloaded Program Files\rave\rufs.vdm
C:\windows\Downloaded Program Files\rave\rufsplg.vdm
C:\windows\Downloaded Program Files\rave\unarch.vdm
C:\windows\Downloaded Program Files\rave\unmail.vdm
C:\windows\Downloaded Program Files\rave\unpack.vdm
C:\windows\Downloaded Program Files\setup.dll
C:\windows\file.bat
C:\windows\system32\navdq.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-25 08:10 . 2008-05-25 08:23 <DIR> d-------- C:\autoruns
2008-05-21 16:02 . 2008-05-21 16:19 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2008-05-21 16:01 . 2008-05-21 16:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 15:48 . 2008-05-23 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-18 15:46 . 2008-05-18 16:05 <DIR> d-------- C:\Program Files\Security Task Manager
2008-05-18 09:20 . 2008-05-18 09:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-18 09:20 . 2008-05-18 09:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-18 09:20 . 2008-05-18 09:20 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-18 08:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-05-18 08:54 . 2001-08-09 19:37 457,607 -----c--- C:\WINDOWS\SYSTEM32\dllcache\mdlib.wmv
2008-05-18 08:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-05-16 12:27 . 2008-05-16 12:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 12:06 . 2008-05-16 12:22 <DIR> d-------- C:\Documents and Settings\Shelley Simon\.housecall6.6
2008-05-10 15:31 . 2008-05-11 19:45 <DIR> d-------- C:\Program Files\Google
2008-05-06 15:36 . 2008-05-06 15:37 <DIR> d-------- C:\Documents and Settings\Shelley Simon\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-27 11:28 --------- d-----w C:\Program Files\ewido anti-malware
2008-05-23 11:54 --------- d-----w C:\Documents and Settings\Shelley Simon\Application Data\AVG7
2008-05-22 22:21 --------- d-----w C:\Program Files\RegCure
2008-05-22 10:38 --------- d-----w C:\Program Files\CCleaner
2008-05-18 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-18 13:23 77,824 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2008-05-18 13:23 731,136 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2008-05-18 13:23 49,152 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2008-05-18 13:23 420,432 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2008-05-18 13:23 155,648 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2008-05-18 13:23 126,976 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2008-05-18 13:23 122,880 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2008-05-18 13:23 106,496 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2008-05-16 23:27 --------- d-----w C:\Program Files\PC-Doctor for Windows XP
2008-05-16 15:55 --------- d-----w C:\Program Files\Java
2008-05-16 15:54 --------- d-----w C:\Program Files\Common Files\Java
2008-04-14 09:42 985,088 ----a-w C:\windows\SYSTEM32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\windows\SYSTEM32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\windows\SYSTEM32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\windows\SYSTEM32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\windows\SYSTEM32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\windows\SYSTEM32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\windows\SYSTEM32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\windows\system32\drivers\termdd.sys
2008-04-14 00:13 299,520 ----a-w C:\windows\SYSTEM32\drmclien.dll
2008-04-14 00:13 21,896 ----a-w C:\windows\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\windows\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\windows\SYSTEM32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\windows\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\windows\SYSTEM32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\windows\SYSTEM32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\windows\SYSTEM32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\windows\SYSTEM32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\windows\SYSTEM32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\windows\SYSTEM32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\windows\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\windows\SYSTEM32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\windows\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\windows\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\windows\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\windows\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\windows\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\windows\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\windows\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\windows\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\windows\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\windows\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\windows\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\windows\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\windows\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\windows\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\windows\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\windows\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\windows\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\windows\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\windows\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\windows\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\windows\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\windows\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\windows\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\windows\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\windows\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\windows\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\windows\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\windows\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\windows\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\windows\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\windows\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\windows\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\windows\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\windows\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ----a-w C:\windows\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\windows\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\windows\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\windows\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\windows\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\windows\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\windows\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\windows\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\windows\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\windows\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\windows\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\windows\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\windows\system32\drivers\bthpan.sys
2008-04-13 18:45 60,160 ----a-w C:\windows\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\windows\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\windows\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\windows\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\windows\SYSTEM32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\windows\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ----a-w C:\windows\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ----a-w C:\windows\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\windows\system32\drivers\volsnap.sys
2008-04-13 18:39 7,552 ----a-w C:\windows\system32\drivers\mskssrv.sys
2004-09-16 05:53 56,832 --sha-w C:\windows\qsacz.dll
2004-09-08 15:48 11,591 --sha-w C:\windows\vrdgb.dat
2004-08-20 02:15 56,832 --sha-w C:\windows\SYSTEM32\iupds.dll
2004-09-16 05:45 11,591 --sha-w C:\windows\SYSTEM32\jxuhu.dat
2004-09-08 13:33 3,063 --sha-w C:\windows\SYSTEM32\ldbox.dat
2004-10-02 22:12 0 -csha-w C:\windows\SYSTEM32\zeupz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2004-12-07 17:50 196608]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2005-05-15 10:06 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe" [2007-12-21 16:30 698864]
"S3TRAY2"="S3tray2.exe" [2001-10-04 15:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 19:34 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 18:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 13:04 52736]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 14:32 196608]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 20:36 90112]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 09:39 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 10:04 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 15:22:52 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CARD Monitor.lnk - C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe [2002-01-13 11:02:17 32768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\htproc]
htproc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssldr]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_04\\jre\\bin\\java.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1850:UDP"= 1850:UDP:Windows Media Format SDK (iexplore.exe)
"1851:UDP"= 1851:UDP:Windows Media Format SDK (iexplore.exe)

R0 SBHR;SBHR;C:\windows\system32\drivers\sbhr.sys [2008-02-08 09:46]
R3 SBAPIFS;SBAPIFS;C:\windows\system32\drivers\sbapifs.sys []
S1 i386p;i386p;C:\windows\system32\drivers\i386p.sys []
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\windows\system32\DRIVERS\CSVirtA.sys [2008-03-04 16:57]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 OracleAgent80;OracleAgent80;C:\orant\agentbin\DBSNMP.EXE [1998-06-12 09:52]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [1998-06-10 07:43]
S3 OracleCMAdminService80;OracleCMAdminService80;C:\orant\BIN\CMADM80.EXE [1998-06-10 07:47]
S3 OracleCManService80;OracleCManService80;C:\orant\BIN\CMGW80.EXE [1998-06-10 07:47]
S3 OracleDataGatherer;OracleDataGatherer;C:\orant\bin\vppdc.exe [1998-06-26 08:29]
S3 OracleExtprocAgent;OracleExtprocAgent;C:\orant\BIN\EXTPROCT.EXE extproc []
S3 OracleNamesService80;OracleNamesService80;C:\orant\BIN\NAMES80.EXE [1998-06-10 07:43]
S3 OracleServiceORC0;OracleServiceORC0;c:\orant\bin\oracle80.exe ORC0 []
S3 OracleServiceORCL;OracleServiceORCL;c:\orant\bin\oracle80.exe ORCL []
S3 OracleStartORC0;OracleStartORC0;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleStartORCL;OracleStartORCL;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleTNSListener80;OracleTNSListener80;C:\orant\BIN\TNSLSNR80.EXE [1998-06-10 07:43]
S3 PCDRDRV;Pcdr Helper Driver;C:\windows\system32\drivers\PCDRDRV.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 10:51:41 C:\windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-15 09:53:22 C:\windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 10:27:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\windows\Prairie Wind.bmp:tfppr 56832 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-05-27 10:29:38
ComboFix-quarantined-files.txt 2008-05-27 14:29:31

Pre-Run: 93,124,493,312 bytes free
Post-Run: 93,733,396,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\windows="microsoft windows xp home edition" /fastdetect /noexecute=alwayoff
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

260 --- E O F --- 2008-05-18 23:55:48

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Post by shelleysimon » May 27th, 2008, 10:34 am

Here is the new HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:41 AM, on 5/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\windows\system32\svchost.exe
C:\windows\system32\notepad.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.ccs.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ccs.com;192.64.*;204.124.249.*;*.wbds.mcilink.com;reports.ccity.com;ccity.com;pac.ccity.com;myaccounts.ccity.com;*.circuitcity.net;166.86.*;172.*;10.*;wbds.mcilink.com;*.ccity.com;*.asteaqa.net;*.asteaprod.net;ccsra*;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;<local
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=eddb2dc7-402b-4405-9893-80cd7ba8641c
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\windows\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ccsra1.circuitcity.com/CACHE/st ... stcweb.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2052583281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D94B2F87-CE31-11D5-9F7A-0090F50400FE} (NP5Sample.docBookNP5) - file://D:\content\bwnp5s.CAB
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F4BDA33C-7C59-11D5-9F7A-0090F50400FE} (Project1.checkfiles) - file://D:\checkfiles.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7E3BB7B-9B9F-11D5-9F7A-0090F50400FE} (PlayIt7Student.PlayIt7d) - file://D:\np5intro\content\PlayIt7d.CAB
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: ssldr - C:\windows\
O22 - SharedTaskScheduler: Security Update - {A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: OracleAgent80 - oracle - C:\orant\agentbin\DBSNMP.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleCMAdminService80 - Unknown owner - C:\orant\BIN\CMADM80.EXE
O23 - Service: OracleCManService80 - Unknown owner - C:\orant\BIN\CMGW80.EXE
O23 - Service: OracleDataGatherer - Unknown owner - C:\orant\bin\vppdc.exe
O23 - Service: OracleExtprocAgent - Unknown owner - C:\orant\BIN\EXTPROCT.EXE
O23 - Service: OracleNamesService80 - Unknown owner - C:\orant\BIN\NAMES80.EXE
O23 - Service: OracleServiceORC0 - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleStartORC0 - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleStartORCL - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleTNSListener80 - Unknown owner - C:\orant\BIN\TNSLSNR80.EXE
O23 - Service: OracleWebAssistant - Oracle Corporation - C:\orant\bin\OWASTsvr.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 10140 bytes
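The ComboFix output in the previous post and the HijackThis log above carry the same handful of indicators: Winlogon Notify hooks whose DLL is missing or that point at a bare directory (htproc32.dll, ssldr), a SharedTaskScheduler entry with no file, Security Center override values, Windows Firewall switched off with notifications disabled, an executable hidden in an NTFS alternate data stream (catchme's `Prairie Wind.bmp:tfppr`), and hidden+system files with random five-letter names in the Windows directory. The Python script below is an added example, not part of the forum post and not code from ComboFix, HijackThis or catchme: it runs that detection logic over log lines of both formats. The regular expressions are this example's own reading of the log layouts, the rule names are invented here, and the sample lines are constructed by copying entries from the logs on this page.

```python
"""Triage helper for HijackThis / ComboFix text logs.

Added example: not part of the forum post and not code from ComboFix,
HijackThis or catchme. The regular expressions are this example's own
reading of the log formats and the rule names are invented here.
SAMPLE_LOG is constructed from lines that appear in the logs on the page.
"""
import re
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# HijackThis O20: "O20 - Winlogon Notify: htproc - htproc32.dll (file missing)"
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# HijackThis O22: "O22 - SharedTaskScheduler: <name> - {CLSID} - <file or (no file)>"
_O22 = re.compile(r"^O22 - SharedTaskScheduler: .* - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
# ComboFix registry dump: "AntiVirusOverride"=dword:00000001  or  "EnableFirewall"= 0 (0x0)
_REGVAL = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+))')
# catchme hidden-file line: "C:\windows\Prairie Wind.bmp:tfppr 56832 bytes executable"
_ADS = re.compile(r"^(?P<path>[A-Za-z]:\\.+?):(?P<stream>[^\\:\s]+) (?P<size>\d+) bytes executable$")
# ComboFix Find3M line: "2004-09-16 05:53 56,832 --sha-w C:\windows\qsacz.dll"
_FIND3M = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attr>[-a-z]{7})\s+(?P<path>[A-Za-z]:\\.+)$"
)

# Security Center values that silence or override AV / firewall status reporting.
SECURITY_CENTER_OVERRIDES = {"AntiVirusDisableNotify", "AntiVirusOverride", "FirewallOverride"}
# Windows Firewall profile values and the setting that weakens the firewall.
FIREWALL_WEAK = {"EnableFirewall": 0, "DisableNotifications": 1}


def _reg_value(m: re.Match) -> int:
    """Decode a dword:xxxxxxxx or plain decimal registry value."""
    return int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return (rule, line) pairs for every indicator found in the log lines."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _O20.match(line)
        if m:
            target = m.group("target")
            # A Notify package pointing at a missing DLL or a bare directory is a
            # leftover or hidden logon hook rather than a working component.
            if "(file missing)" in target or target.endswith("\\"):
                findings.append(("winlogon-notify-missing-dll", line))
            continue
        m = _O22.match(line)
        if m and "(no file)" in m.group("target"):
            findings.append(("sharedtaskscheduler-no-file", line))
            continue
        m = _REGVAL.match(line)
        if m:
            name, val = m.group("name"), _reg_value(m)
            if name in SECURITY_CENTER_OVERRIDES and val == 1:
                findings.append(("security-center-override", line))
            elif name in FIREWALL_WEAK and val == FIREWALL_WEAK[name]:
                findings.append(("firewall-weakened", line))
            continue
        if _ADS.match(line):
            findings.append(("ads-executable", line))
            continue
        m = _FIND3M.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path").lower()
            # 's' and 'h' in the attribute column mean system+hidden. Legitimate
            # files carry those flags too (dllcache, boot files), so this is a
            # lead to inspect, not a verdict.
            if "s" in attr and "h" in attr and "\\dllcache\\" not in path:
                findings.append(("hidden-system-file", line))
    return findings


# Constructed sample: entries copied from the ComboFix and HijackThis logs above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
2004-09-16 05:53 56,832 --sha-w C:\windows\qsacz.dll
2004-10-02 22:12 0 -csha-w C:\windows\SYSTEM32\zeupz.dll
2008-04-14 09:42 985,088 ----a-w C:\windows\SYSTEM32\setupapi.dll
C:\windows\Prairie Wind.bmp:tfppr 56832 bytes executable
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: ssldr - C:\windows\
O22 - SharedTaskScheduler: Security Update - {A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} - (no file)
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:30} {line}")
```

Run against a saved ComboFix.txt or hijackthis.log the script prints one line per hit. The hidden-system-file rule deliberately stays loose: on this machine the hits are 2004-dated files with random names directly under %windir% and system32, which is the pattern worth a second look, but the same attributes on dllcache or boot files are normal.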

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Post by shelleysimon » May 27th, 2008, 10:36 am

The previous ComboFix log was a log file opened in Notepad - here is the c:\combofix.txt - probably the same, but I wanted to make sure.
2008-04-14 00:13 21,896 ----a-w C:\windows\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\windows\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\windows\SYSTEM32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\windows\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\windows\SYSTEM32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\windows\SYSTEM32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\windows\SYSTEM32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\windows\SYSTEM32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\windows\SYSTEM32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\windows\SYSTEM32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\windows\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\windows\SYSTEM32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\windows\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\windows\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\windows\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\windows\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\windows\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\windows\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\windows\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\windows\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\windows\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\windows\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\windows\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\windows\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\windows\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\windows\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\windows\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\windows\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\windows\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\windows\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\windows\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\windows\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\windows\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\windows\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\windows\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\windows\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\windows\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\windows\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\windows\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\windows\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\windows\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\windows\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\windows\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\windows\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\windows\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\windows\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ----a-w C:\windows\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\windows\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\windows\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\windows\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\windows\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\windows\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\windows\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\windows\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\windows\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\windows\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\windows\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\windows\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\windows\system32\drivers\bthpan.sys
2008-04-13 18:45 60,160 ----a-w C:\windows\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\windows\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\windows\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\windows\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\windows\SYSTEM32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\windows\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ----a-w C:\windows\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ----a-w C:\windows\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\windows\system32\drivers\volsnap.sys
2008-04-13 18:39 7,552 ----a-w C:\windows\system32\drivers\mskssrv.sys
2004-09-16 05:53 56,832 --sha-w C:\windows\qsacz.dll
2004-09-08 15:48 11,591 --sha-w C:\windows\vrdgb.dat
2004-08-20 02:15 56,832 --sha-w C:\windows\SYSTEM32\iupds.dll
2004-09-16 05:45 11,591 --sha-w C:\windows\SYSTEM32\jxuhu.dat
2004-09-08 13:33 3,063 --sha-w C:\windows\SYSTEM32\ldbox.dat
2004-10-02 22:12 0 -csha-w C:\windows\SYSTEM32\zeupz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2004-12-07 17:50 196608]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2005-05-15 10:06 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe" [2007-12-21 16:30 698864]
"S3TRAY2"="S3tray2.exe" [2001-10-04 15:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 19:34 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 18:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 13:04 52736]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 14:32 196608]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 20:36 90112]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 09:39 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 10:04 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 15:22:52 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CARD Monitor.lnk - C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe [2002-01-13 11:02:17 32768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\htproc]
htproc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssldr]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_04\\jre\\bin\\java.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1850:UDP"= 1850:UDP:Windows Media Format SDK (iexplore.exe)
"1851:UDP"= 1851:UDP:Windows Media Format SDK (iexplore.exe)

R0 SBHR;SBHR;C:\windows\system32\drivers\sbhr.sys [2008-02-08 09:46]
R3 SBAPIFS;SBAPIFS;C:\windows\system32\drivers\sbapifs.sys []
S1 i386p;i386p;C:\windows\system32\drivers\i386p.sys []
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\windows\system32\DRIVERS\CSVirtA.sys [2008-03-04 16:57]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 OracleAgent80;OracleAgent80;C:\orant\agentbin\DBSNMP.EXE [1998-06-12 09:52]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [1998-06-10 07:43]
S3 OracleCMAdminService80;OracleCMAdminService80;C:\orant\BIN\CMADM80.EXE [1998-06-10 07:47]
S3 OracleCManService80;OracleCManService80;C:\orant\BIN\CMGW80.EXE [1998-06-10 07:47]
S3 OracleDataGatherer;OracleDataGatherer;C:\orant\bin\vppdc.exe [1998-06-26 08:29]
S3 OracleExtprocAgent;OracleExtprocAgent;C:\orant\BIN\EXTPROCT.EXE extproc []
S3 OracleNamesService80;OracleNamesService80;C:\orant\BIN\NAMES80.EXE [1998-06-10 07:43]
S3 OracleServiceORC0;OracleServiceORC0;c:\orant\bin\oracle80.exe ORC0 []
S3 OracleServiceORCL;OracleServiceORCL;c:\orant\bin\oracle80.exe ORCL []
S3 OracleStartORC0;OracleStartORC0;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleStartORCL;OracleStartORCL;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleTNSListener80;OracleTNSListener80;C:\orant\BIN\TNSLSNR80.EXE [1998-06-10 07:43]
S3 PCDRDRV;Pcdr Helper Driver;C:\windows\system32\drivers\PCDRDRV.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 10:51:41 C:\windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-15 09:53:22 C:\windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 10:27:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\windows\Prairie Wind.bmp:tfppr 56832 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-05-27 10:29:38
ComboFix-quarantined-files.txt 2008-05-27 14:29:31

Pre-Run: 93,124,493,312 bytes free
Post-Run: 93,733,396,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\windows="microsoft windows xp home edition" /fastdetect /noexecute=alwayoff
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

260 --- E O F --- 2008-05-18 23:55:48
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby Carolyn » May 28th, 2008, 1:57 pm

Hello,

Step 1:
Upload files for scanning
I'd like you to check a file for malware.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe

  • Copy/Paste the file on the list (including the path) into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.


Step 2:
Please download OTMoveIt2.exe by OldTimer and save it to your desktop.

Double click on OTMoveIt2.exe to run it.

Copy and paste the following in the Code box into OTMoveIt (1).

Note: Do not type it out to minimize the risk of typo error.

Code:
C:\htproc32.dll /s


Click on MoveIt! (2).

When done, click on Exit (3).

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Please choose Yes.

Please refer to this picture for using OTMoveIt.

Image

The log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Please post this log in your next reply.


Step 3:

Please download Rootkit Revealer
http://www.microsoft.com/technet/sysint ... ealer.mspx
(link is at the very bottom of the page)

Unzip it to your desktop.

Open the rootkitrevealer folder and double-click rootkitrevealer.exe

Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running - leave the PC idle while scanning)

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.


Step 4:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\windows\qsacz.dll
C:\windows\vrdgb.dat
C:\windows\SYSTEM32\iupds.dll
C:\windows\SYSTEM32\jxuhu.dat
C:\windows\SYSTEM32\ldbox.dat
C:\windows\SYSTEM32\zeupz.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\htproc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssldr]

Driver::
C:\windows\system32\drivers\i386p.sys

ADS::
C:\windows\Prairie Wind.bmp


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Please post the following:
  • The VirusTotal/Jotti results
  • The OTMoveIt2 log
  • The Rootkit Revealer log
  • The ComboFix log
  • A fresh HijackThis log
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
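A triage script for the ComboFix log excerpts in this thread, added here as an example and not part of the original post or of any tool named above: it applies the helper's own criteria (hidden+system files with five-letter random names, Winlogon Notify subkeys, Security Center override flags, services ComboFix could not timestamp, and catchme's ADS report) to sample lines copied from the log, and renders the hits in the CFScript.txt section layout of Step 4. The regexes and function names are my own assumptions about the log format, not something ComboFix documents.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread,
# one of each kind the triage looks at (Find3M, Reg Loading Points, services, catchme).
SAMPLE_LOG = r"""2008-04-13 18:39 7,552 ----a-w C:\windows\system32\drivers\mskssrv.sys
2004-09-16 05:53 56,832 --sha-w C:\windows\qsacz.dll
2004-09-08 15:48 11,591 --sha-w C:\windows\vrdgb.dat
2004-10-02 22:12 0 -csha-w C:\windows\SYSTEM32\zeupz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\htproc]
htproc32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssldr]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
R0 SBHR;SBHR;C:\windows\system32\drivers\sbhr.sys [2008-02-08 09:46]
S1 i386p;i386p;C:\windows\system32\drivers\i386p.sys []
C:\windows\Prairie Wind.bmp:tfppr 56832 bytes executable
"""

# Find3M line: date time size attributes path. In the seven-character attribute
# column 's' (system) sits at index 2 and 'h' (hidden) at index 3, as in the log above.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+|-+) (\S{7}) (.+)$")
# Five random lowercase letters plus .dll/.dat: the naming pattern scripted for removal above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5}\.(?:dll|dat)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]+)$')
# Service line: start-type name;display;path [timestamp]; empty brackets mean ComboFix
# could not stat the file (missing, or hidden from the scanner). Expect false positives.
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(.*) \[([^\]]*)\]$")
# catchme's alternate-data-stream report: path:stream size bytes executable
ADS_RE = re.compile(r"^([A-Za-z]:\\.+?):([^\\:\s]+) (\d+) bytes executable$")
OVERRIDE_VALUES = {"AntiVirusDisableNotify", "AntiVirusOverride", "FirewallOverride"}


def triage(log_text):
    """Return a list of finding dicts (each with a 'type' key) from a ComboFix log excerpt."""
    findings = []
    current_key = ""
    pending_notify = None  # Winlogon Notify key still waiting for its DLL line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            pending_notify = None
            if "\\winlogon\\notify\\" in current_key.lower():
                # Notify DLLs load into winlogon.exe at logon: a classic persistence spot.
                pending_notify = {"type": "winlogon_notify", "key": current_key, "dll": None}
                findings.append(pending_notify)
            continue
        if pending_notify is not None and line.lower().endswith(".dll"):
            pending_notify["dll"] = line
            pending_notify = None
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            if attrs[2] == "s" and attrs[3] == "h":
                name = path.rsplit("\\", 1)[-1].lower()
                findings.append({"type": "hidden_system_file", "path": path,
                                 "suspicious_name": bool(RANDOM_NAME_RE.match(name))})
            continue
        m = VALUE_RE.match(line)
        if m and current_key.lower().endswith("security center"):
            name, value = m.groups()
            if name in OVERRIDE_VALUES and int(value, 16) != 0:
                # These flags silence Security Center's warnings about disabled AV/firewall.
                findings.append({"type": "security_center_override", "value": name})
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(2) == "":
            findings.append({"type": "service_no_timestamp", "path": m.group(1)})
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append({"type": "ads", "path": m.group(1), "stream": m.group(2)})
    return findings


def build_cfscript(findings):
    """Render findings in the CFScript.txt section layout used in Step 4 above."""
    sections = (
        ("File::", [f["path"] for f in findings
                    if f["type"] == "hidden_system_file" and f["suspicious_name"]]),
        ("Registry::", ["[-%s]" % f["key"] for f in findings if f["type"] == "winlogon_notify"]),
        ("Driver::", [f["path"] for f in findings
                      if f["type"] == "service_no_timestamp" and f["path"].lower().endswith(".sys")]),
        ("ADS::", [f["path"] for f in findings if f["type"] == "ads"]),
    )
    out = []
    for header, items in sections:
        if items:
            out += [header] + items + [""]
    return "\n".join(out)
```

Running `build_cfscript(triage(SAMPLE_LOG))` reproduces the File::/Registry::/Driver::/ADS:: sections of Step 4 for the sample lines; the Security Center overrides are reported but not scripted, as in the thread.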

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 28th, 2008, 2:15 pm

VirusTotal

Antivirus Version Last Update Result
AhnLab-V3 2008.5.29.0 2008.05.28 -
AntiVir 7.8.0.19 2008.05.28 -
Authentium 5.1.0.4 2008.05.28 -
Avast 4.8.1195.0 2008.05.28 -
AVG 7.5.0.516 2008.05.28 -
BitDefender 7.2 2008.05.28 -
CAT-QuickHeal 9.50 2008.05.28 -
ClamAV 0.92.1 2008.05.28 -
DrWeb 4.44.0.09170 2008.05.28 -
eSafe 7.0.15.0 2008.05.28 -
eTrust-Vet 31.4.5829 2008.05.28 -
Ewido 4.0 2008.05.28 -
F-Prot 4.4.4.56 2008.05.27 -
F-Secure 6.70.13260.0 2008.05.28 -
Fortinet 3.14.0.0 2008.05.28 -
GData 2.0.7306.1023 2008.05.28 -
Ikarus T3.1.1.26.0 2008.05.28 -
Kaspersky 7.0.0.125 2008.05.28 -
McAfee 5305 2008.05.28 -
Microsoft 1.3520 2008.05.28 -
NOD32v2 3140 2008.05.28 -
Norman 5.80.02 2008.05.28 -
Panda 9.0.0.4 2008.05.28 -
Prevx1 V2 2008.05.28 -
Rising 20.46.22.00 2008.05.28 -
Sophos 4.29.0 2008.05.28 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.28 -
TheHacker 6.2.92.321 2008.05.27 -
VBA32 3.12.6.6 2008.05.28 -
VirusBuster 4.3.26:9 2008.05.28 -
Webwasher-Gateway 6.6.2 2008.05.28 -
Additional information
File size: 36864 bytes
MD5...: cba42f5e4fefdc19295def916586bbda
SHA1..: e6aecab8323d9107e00f3876c06dad22d046177d
SHA256: c9d4bb9ff4f6b27c935f2b933c57b37d4085d5b95c422cf2a4e8763de40e0ae5
SHA512: f6c8038fec43a73a2b80b96de0f039a884e940090de4e546f284c8cd002154ac
9c997549436fbd7e0ada9b030afff4d0b8b069460032bcd9dae577242b692a12
PEiD..: Armadillo v1.71
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4025ba
timedatestamp.....: 0x3ba63f7a (Mon Sep 17 18:22:50 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5516 0x6000 6.19 f94cf1c2d445dfb51ed77a3a022e24e9
.rdata 0x7000 0x9f4 0x1000 3.85 e24fddbd3f5f97288a625076e6420df0
.data 0x8000 0x20ec 0x1000 2.63 b16bcc6a53a472bf80f19e0bd44bf6ba

( 2 imports )
> KERNEL32.dll: SetLastError, GetTempPathA, GetShortPathNameA, CreateFileA, WriteFile, GetLastError, GetCurrentThread, SetPriorityClass, GetCurrentProcess, CloseHandle, CreateProcessA, ResumeThread, DeleteFileA, SetThreadPriority, GetModuleFileNameA, GetACP, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, GetCPInfo, CopyFileA, GetOEMCP, HeapFree, HeapAlloc, TerminateProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, SetFilePointer, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, SetStdHandle, FlushFileBuffers
> ADVAPI32.dll: RegCreateKeyExA, RegQueryValueExA, RegSetValueExA, RegFlushKey, RegCloseKey, RegDeleteValueA

( 0 exports )
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 28th, 2008, 2:24 pm

OTMoveIt log

< C:\htproc32.dll /s >
File/Folder C:\htproc32.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05282008_142147
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 28th, 2008, 2:56 pm

Rootkit revealer log
HKU\.DEFAULT\Control Panel\International 5/27/2008 10:29 AM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 5/27/2008 10:29 AM 0 bytes Security mismatch.
HKU\S-1-5-21-2805738209-2798751602-3588590466-1006\Control Panel\International 5/27/2008 10:29 AM 0 bytes Security mismatch.
HKU\S-1-5-21-2805738209-2798751602-3588590466-1006\Control Panel\International\Geo 5/27/2008 10:29 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 5/27/2008 10:29 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 5/27/2008 10:29 AM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 11/6/2001 5:50 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/6/2001 5:50 PM 0 bytes Key name contains embedded nulls (*)
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 28th, 2008, 3:07 pm

ComboFix log
ComboFix 08-05-26.2 - Shelley Simon 2008-05-28 15:00:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.175 [GMT -4:00]
Running from: C:\Documents and Settings\Shelley Simon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shelley Simon\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\windows\qsacz.dll
C:\windows\SYSTEM32\iupds.dll
C:\windows\SYSTEM32\jxuhu.dat
C:\windows\SYSTEM32\ldbox.dat
C:\windows\SYSTEM32\zeupz.dll
C:\windows\vrdgb.dat
.
ADS - Prairie Wind.bmp: deleted 56832 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\qsacz.dll
C:\windows\SYSTEM32\iupds.dll
C:\windows\SYSTEM32\jxuhu.dat
C:\windows\SYSTEM32\ldbox.dat
C:\windows\SYSTEM32\zeupz.dll
C:\windows\vrdgb.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-28 14:21 . 2008-05-28 14:21 <DIR> d-------- C:\_OTMoveIt
2008-05-25 08:10 . 2008-05-25 08:23 <DIR> d-------- C:\autoruns
2008-05-21 16:02 . 2008-05-21 16:19 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2008-05-21 16:01 . 2008-05-21 16:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 15:48 . 2008-05-23 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-18 15:46 . 2008-05-18 16:05 <DIR> d-------- C:\Program Files\Security Task Manager
2008-05-18 09:20 . 2008-05-18 09:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-18 09:20 . 2008-05-18 09:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-18 09:20 . 2008-05-18 09:20 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-18 08:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-05-18 08:54 . 2001-08-09 19:37 457,607 -----c--- C:\WINDOWS\SYSTEM32\dllcache\mdlib.wmv
2008-05-18 08:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-05-16 12:27 . 2008-05-16 12:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 12:06 . 2008-05-16 12:22 <DIR> d-------- C:\Documents and Settings\Shelley Simon\.housecall6.6
2008-05-10 15:31 . 2008-05-11 19:45 <DIR> d-------- C:\Program Files\Google
2008-05-06 15:36 . 2008-05-06 15:37 <DIR> d-------- C:\Documents and Settings\Shelley Simon\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-27 11:28 --------- d-----w C:\Program Files\ewido anti-malware
2008-05-23 11:54 --------- d-----w C:\Documents and Settings\Shelley Simon\Application Data\AVG7
2008-05-22 22:21 --------- d-----w C:\Program Files\RegCure
2008-05-22 10:38 --------- d-----w C:\Program Files\CCleaner
2008-05-18 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-18 13:23 77,824 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2008-05-18 13:23 731,136 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2008-05-18 13:23 49,152 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2008-05-18 13:23 420,432 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2008-05-18 13:23 155,648 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2008-05-18 13:23 126,976 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2008-05-18 13:23 122,880 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2008-05-18 13:23 106,496 ----a-w C:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2008-05-16 23:27 --------- d-----w C:\Program Files\PC-Doctor for Windows XP
2008-05-16 15:55 --------- d-----w C:\Program Files\Java
2008-05-16 15:54 --------- d-----w C:\Program Files\Common Files\Java
2008-04-14 09:42 985,088 ----a-w C:\windows\SYSTEM32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\windows\SYSTEM32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\windows\SYSTEM32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\windows\SYSTEM32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\windows\SYSTEM32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\windows\SYSTEM32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\windows\SYSTEM32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\windows\system32\drivers\termdd.sys
2008-04-14 00:13 299,520 ----a-w C:\windows\SYSTEM32\drmclien.dll
2008-04-14 00:13 21,896 ----a-w C:\windows\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\windows\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\windows\SYSTEM32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\windows\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\windows\SYSTEM32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\windows\SYSTEM32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\windows\SYSTEM32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\windows\SYSTEM32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\windows\SYSTEM32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\windows\SYSTEM32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\windows\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\windows\SYSTEM32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\windows\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\windows\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\windows\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\windows\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\windows\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\windows\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\windows\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\windows\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\windows\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\windows\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\windows\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\windows\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\windows\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\windows\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\windows\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\windows\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\windows\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\windows\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\windows\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\windows\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\windows\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\windows\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\windows\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\windows\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\windows\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\windows\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\windows\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\windows\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\windows\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\windows\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\windows\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\windows\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\windows\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\windows\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ----a-w C:\windows\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\windows\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\windows\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\windows\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\windows\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\windows\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\windows\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\windows\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\windows\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\windows\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\windows\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\windows\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\windows\system32\drivers\bthpan.sys
2008-04-13 18:45 60,160 ----a-w C:\windows\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\windows\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\windows\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\windows\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\windows\SYSTEM32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\windows\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ----a-w C:\windows\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ----a-w C:\windows\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\windows\system32\drivers\volsnap.sys
2008-04-13 18:39 7,552 ----a-w C:\windows\system32\drivers\mskssrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2004-12-07 17:50 196608]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2005-05-15 10:06 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe" [2007-12-21 16:30 698864]
"S3TRAY2"="S3tray2.exe" [2001-10-04 15:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 19:34 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 18:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 13:04 52736]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 14:32 196608]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 20:36 90112]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 09:39 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 10:04 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 15:22:52 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CARD Monitor.lnk - C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe [2002-01-13 11:02:17 32768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_04\\jre\\bin\\java.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1850:UDP"= 1850:UDP:Windows Media Format SDK (iexplore.exe)
"1851:UDP"= 1851:UDP:Windows Media Format SDK (iexplore.exe)

R0 SBHR;SBHR;C:\windows\system32\drivers\sbhr.sys [2008-02-08 09:46]
R3 SBAPIFS;SBAPIFS;C:\windows\system32\drivers\sbapifs.sys []
S1 i386p;i386p;C:\windows\system32\drivers\i386p.sys []
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\windows\system32\DRIVERS\CSVirtA.sys [2008-03-04 16:57]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 OracleAgent80;OracleAgent80;C:\orant\agentbin\DBSNMP.EXE [1998-06-12 09:52]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [1998-06-10 07:43]
S3 OracleCMAdminService80;OracleCMAdminService80;C:\orant\BIN\CMADM80.EXE [1998-06-10 07:47]
S3 OracleCManService80;OracleCManService80;C:\orant\BIN\CMGW80.EXE [1998-06-10 07:47]
S3 OracleDataGatherer;OracleDataGatherer;C:\orant\bin\vppdc.exe [1998-06-26 08:29]
S3 OracleExtprocAgent;OracleExtprocAgent;C:\orant\BIN\EXTPROCT.EXE extproc []
S3 OracleNamesService80;OracleNamesService80;C:\orant\BIN\NAMES80.EXE [1998-06-10 07:43]
S3 OracleServiceORC0;OracleServiceORC0;c:\orant\bin\oracle80.exe ORC0 []
S3 OracleServiceORCL;OracleServiceORCL;c:\orant\bin\oracle80.exe ORCL []
S3 OracleStartORC0;OracleStartORC0;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleStartORCL;OracleStartORCL;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleTNSListener80;OracleTNSListener80;C:\orant\BIN\TNSLSNR80.EXE [1998-06-10 07:43]
S3 PCDRDRV;Pcdr Helper Driver;C:\windows\system32\drivers\PCDRDRV.sys []

*Newly Created Service* - RKREVEAL150
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 16:57:26 C:\windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-15 09:53:22 C:\windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 15:02:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 15:04:56
ComboFix-quarantined-files.txt 2008-05-28 19:04:21
ComboFix2.txt 2008-05-27 14:29:39

Pre-Run: 94,253,154,304 bytes free
Post-Run: 94,250,655,744 bytes free

239 --- E O F --- 2008-05-18 23:55:48
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 28th, 2008, 3:09 pm

New HijackThis log - please let me know if I did not run something correctly and I will redo.

Thanks for your help!!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:12 PM, on 5/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\windows\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
C:\windows\system32\notepad.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.ccs.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ccs.com;192.64.*;204.124.249.*;*.wbds.mcilink.com;reports.ccity.com;ccity.com;pac.ccity.com;myaccounts.ccity.com;*.circuitcity.net;166.86.*;172.*;10.*;wbds.mcilink.com;*.ccity.com;*.asteaqa.net;*.asteaprod.net;ccsra*;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;<local
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=eddb2dc7-402b-4405-9893-80cd7ba8641c
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\windows\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ccsra1.circuitcity.com/CACHE/st ... stcweb.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2052583281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D94B2F87-CE31-11D5-9F7A-0090F50400FE} (NP5Sample.docBookNP5) - file://D:\content\bwnp5s.CAB
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F4BDA33C-7C59-11D5-9F7A-0090F50400FE} (Project1.checkfiles) - file://D:\checkfiles.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7E3BB7B-9B9F-11D5-9F7A-0090F50400FE} (PlayIt7Student.PlayIt7d) - file://D:\np5intro\content\PlayIt7d.CAB
O22 - SharedTaskScheduler: Security Update - {A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: OracleAgent80 - oracle - C:\orant\agentbin\DBSNMP.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleCMAdminService80 - Unknown owner - C:\orant\BIN\CMADM80.EXE
O23 - Service: OracleCManService80 - Unknown owner - C:\orant\BIN\CMGW80.EXE
O23 - Service: OracleDataGatherer - Unknown owner - C:\orant\bin\vppdc.exe
O23 - Service: OracleExtprocAgent - Unknown owner - C:\orant\BIN\EXTPROCT.EXE
O23 - Service: OracleNamesService80 - Unknown owner - C:\orant\BIN\NAMES80.EXE
O23 - Service: OracleServiceORC0 - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleStartORC0 - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleStartORCL - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleTNSListener80 - Unknown owner - C:\orant\BIN\TNSLSNR80.EXE
O23 - Service: OracleWebAssistant - Oracle Corporation - C:\orant\bin\OWASTsvr.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 9901 bytes
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 28th, 2008, 3:12 pm

the c:\windows\Priairie Wind.bmp is still on my system - should it be quoted??
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby Carolyn » May 28th, 2008, 3:56 pm

shelleysimon wrote: the c:\windows\Priairie Wind.bmp is still on my system - should it be quoted??


The file, c:\windows\Priairie Wind.bmp, is actually okay... there was something attached to the file that I wanted to delete, and it was successfully removed by ComboFix. We are making nice progress here and you are doing a great job. :)

It will take me a while to read through those logs. I'll post again as soon as I can. ;)
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 28th, 2008, 5:45 pm

I just ran my CounterSpy program and it found a trojan downloader and bifrost|backdoor which it put in quarantine. I run CounterSpy almost every day and it usually just finds my cookie trackers. This is the first time it found more. It also found KaZaA|P2P program but ignored that one.
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby Carolyn » May 29th, 2008, 2:09 pm

Hello,

Your HijackThis log indicates that Internet Explorer is set to use a "Proxy Server" associated with ccs.com, which I think belongs to CircuitCity. Is there a reason that you use that Proxy Server?

Also, there are settings which override the Proxy Server when you access the following websites or IP addresses:

ccs.com and ccity.com (both associated with Circuit City)
204.124.249.*, which belongs to a company named NaBANCO
192.64.*, possibly local addresses for your network
and mcilink.com, which belongs to a company named MCI

Have those Proxy overrides been set by you or should they be removed?


We need to run another CFScript with ComboFix:

***Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\windows\system32\drivers\i386p.sys

Driver::
i386p


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Next Step,

Run CCleaner - which you already have installed on your computer
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!


Then please do the following:

Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply.


Please post the following:
  • The ComboFix log
  • The Kaspersky report
  • A fresh HijackThis log
  • Any information you can supply regarding the Proxy Server and Proxy Overrides
  • A description of how your computer is behaving.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
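The proxy check Carolyn does by eye above (a configured ProxyServer, the list of ProxyOverride bypass entries, and the malformed run of semicolons) can be made repeatable. The following Python script is an added example, not from the thread or from HijackThis: it pulls the R-lines under the "Internet Settings" key out of a HijackThis log, splits ProxyOverride into domain patterns and wildcard IP ranges, counts empty entries, and recognises the `<local>` bypass token (the posted log shows it truncated to `<local`, so both spellings are accepted). The sample lines are constructed from the log above with the run of semicolons shortened.

```python
"""Triage the 'Internet Settings' (proxy) entries in a HijackThis log.

Added example, not part of the thread or of HijackThis itself. The sample
log below is constructed from the R0/R1/O4 lines posted above, with the
long run of ';' in ProxyOverride shortened to five.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: five lines in HijackThis v2 format.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.comcast.net/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = msproxy.ccs.com:80
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.ccs.com;192.64.*;204.124.249.*;10.*;;;;;<local
O4 - HKLM\\..\\Run: [tgcmd] C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server
"""

# R-lines look like "R1 - <registry key>,<value name> = <data>".
R_LINE = re.compile(r"^R\d - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
# A wildcard IP prefix such as 192.64.* or 10.*
IP_PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.\*$")


@dataclass
class ProxyFindings:
    proxy_server: str = ""  # host:port, empty when no proxy is configured
    override_hosts: List[str] = field(default_factory=list)      # domain patterns
    override_ip_ranges: List[str] = field(default_factory=list)  # wildcard IPs
    duplicates: List[str] = field(default_factory=list)
    empty_segments: int = 0   # ";;" runs, i.e. a malformed value
    bypass_local: bool = False  # the <local> token


def parse_internet_settings(log_text: str) -> Dict[str, str]:
    """Return {value name: data} for R-lines under the Internet Settings key."""
    settings: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m and m.group("key").endswith("Internet Settings"):
            settings[m.group("name").strip()] = m.group("data").strip()
    return settings


def analyse_proxy(settings: Dict[str, str]) -> ProxyFindings:
    """Split ProxyOverride on ';' and classify every entry."""
    f = ProxyFindings(proxy_server=settings.get("ProxyServer", ""))
    raw = settings.get("ProxyOverride", "")
    seen = set()
    for seg in (raw.split(";") if raw else []):
        seg = seg.strip()
        if not seg:
            f.empty_segments += 1
        # The registry token is "<local>"; the posted log shows it
        # truncated to "<local", so accept both forms.
        elif seg in ("<local", "<local>"):
            f.bypass_local = True
        elif seg in seen:
            f.duplicates.append(seg)
        else:
            seen.add(seg)
            target = f.override_ip_ranges if IP_PREFIX.match(seg) else f.override_hosts
            target.append(seg)
    return f


def triage(log_text: str) -> List[str]:
    """Questions a helper would put to the log's owner, in a fixed order."""
    f = analyse_proxy(parse_internet_settings(log_text))
    notes: List[str] = []
    if f.proxy_server:
        notes.append(f"IE uses proxy server {f.proxy_server}: was this set on purpose?")
    if f.override_hosts:
        notes.append("Proxy bypassed for hosts: " + ", ".join(f.override_hosts))
    if f.override_ip_ranges:
        notes.append("Proxy bypassed for IP ranges: " + ", ".join(f.override_ip_ranges))
    if f.bypass_local:
        notes.append("Proxy bypassed for local (intranet) addresses.")
    if f.empty_segments:
        notes.append(f"ProxyOverride is malformed: {f.empty_segments} empty entries.")
    if f.duplicates:
        notes.append("Duplicate override entries: " + ", ".join(f.duplicates))
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```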

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 29th, 2008, 2:44 pm

Here is the combofix log

ComboFix 08-05-26.2 - Shelley Simon 2008-05-29 14:32:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.231 [GMT -4:00]
Running from: C:\Documents and Settings\Shelley Simon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shelley Simon\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\windows\system32\drivers\i386p.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_I386P
-------\Service_i386p


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 14:21 . 2008-05-28 14:21 <DIR> d-------- C:\_OTMoveIt
2008-05-25 08:10 . 2008-05-25 08:23 <DIR> d-------- C:\autoruns
2008-05-21 16:02 . 2008-05-21 16:19 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2008-05-21 16:01 . 2008-05-21 16:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 15:48 . 2008-05-23 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-18 15:46 . 2008-05-18 16:05 <DIR> d-------- C:\Program Files\Security Task Manager
2008-05-18 09:20 . 2008-05-18 09:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-18 09:20 . 2008-05-18 09:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-18 09:20 . 2008-05-18 09:20 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-18 08:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-05-18 08:54 . 2001-08-09 19:37 457,607 -----c--- C:\WINDOWS\SYSTEM32\dllcache\mdlib.wmv
2008-05-18 08:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-05-16 12:27 . 2008-05-16 12:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 12:06 . 2008-05-16 12:22 <DIR> d-------- C:\Documents and Settings\Shelley Simon\.housecall6.6
2008-05-10 15:31 . 2008-05-11 19:45 <DIR> d-------- C:\Program Files\Google
2008-05-06 15:36 . 2008-05-06 15:37 <DIR> d-------- C:\Documents and Settings\Shelley Simon\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-28 23:13 --------- d-----w C:\Documents and Settings\Shelley Simon\Application Data\AVG7
2008-05-27 11:28 --------- d-----w C:\Program Files\ewido anti-malware
2008-05-22 22:21 --------- d-----w C:\Program Files\RegCure
2008-05-22 10:38 --------- d-----w C:\Program Files\CCleaner
2008-05-18 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-16 23:27 --------- d-----w C:\Program Files\PC-Doctor for Windows XP
2008-05-16 15:55 --------- d-----w C:\Program Files\Java
2008-05-16 15:54 --------- d-----w C:\Program Files\Common Files\Java
2008-04-14 00:13 40,840 ----a-w C:\windows\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\windows\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\windows\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\windows\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ----a-w C:\windows\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ------w C:\windows\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\windows\PCHEALTH\HELPCTR\Binaries\msinfo.dll
2008-04-14 00:11 3,775 ----a-w C:\windows\system32\drivers\adv11nt5.dll
2008-04-14 00:11 245,248 ----a-w C:\windows\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\windows\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\windows\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\windows\AppPatch\acgenral.dll
2008-04-13 19:28 175,744 ----a-w C:\windows\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\windows\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\windows\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\windows\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\windows\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\windows\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\windows\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\windows\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\windows\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\windows\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\windows\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\windows\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\windows\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\windows\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\windows\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\windows\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\windows\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\windows\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\windows\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\windows\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\windows\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\windows\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\windows\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\windows\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\windows\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\windows\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\windows\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\windows\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\windows\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\windows\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\windows\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\windows\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\windows\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\windows\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\windows\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ----a-w C:\windows\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ----a-w C:\windows\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ----a-w C:\windows\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\windows\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\windows\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\windows\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\windows\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\windows\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\windows\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\windows\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\windows\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\windows\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\windows\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\windows\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\windows\system32\drivers\bthpan.sys
2008-04-13 18:45 60,160 ----a-w C:\windows\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\windows\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\windows\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\windows\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\windows\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ----a-w C:\windows\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ----a-w C:\windows\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\windows\system32\drivers\volsnap.sys
2008-04-13 18:39 7,552 ----a-w C:\windows\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,504 ----a-w C:\windows\system32\drivers\mstee.sys
2008-04-13 18:39 5,376 ----a-w C:\windows\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\windows\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\windows\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ----a-w C:\windows\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ----a-w C:\windows\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\windows\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\windows\system32\drivers\mouclass.sys
2008-04-13 18:39 14,592 ----a-w C:\windows\system32\drivers\kbdhid.sys
2008-04-13 18:38 71,168 ----a-w C:\windows\system32\drivers\dxg.sys
2008-04-13 18:33 44,544 ----a-w C:\windows\system32\drivers\fips.sys
2008-04-13 18:32 66,048 ----a-w C:\windows\system32\drivers\udfs.sys
2008-04-13 18:32 30,848 ----a-w C:\windows\system32\drivers\npfs.sys
2008-04-13 18:32 196,224 ----a-w C:\windows\system32\drivers\rdpdr.sys
2008-04-13 18:32 19,072 ----a-w C:\windows\system32\drivers\msfs.sys
2008-04-13 18:32 180,608 ----a-w C:\windows\system32\drivers\mrxdav.sys
2008-04-13 18:32 129,792 ----a-w C:\windows\system32\drivers\fltmgr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2004-12-07 17:50 196608]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2005-05-15 10:06 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe" [2007-12-21 16:30 698864]
"S3TRAY2"="S3tray2.exe" [2001-10-04 15:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 19:34 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 18:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 13:04 52736]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 14:32 196608]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 20:36 90112]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 09:39 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 10:04 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 15:22:52 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CARD Monitor.lnk - C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe [2002-01-13 11:02:17 32768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_04\\jre\\bin\\java.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1850:UDP"= 1850:UDP:Windows Media Format SDK (iexplore.exe)
"1851:UDP"= 1851:UDP:Windows Media Format SDK (iexplore.exe)

R0 SBHR;SBHR;C:\windows\system32\drivers\sbhr.sys [2008-02-08 09:46]
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\windows\system32\DRIVERS\CSVirtA.sys [2008-03-04 16:57]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\windows\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 OracleAgent80;OracleAgent80;C:\orant\agentbin\DBSNMP.EXE [1998-06-12 09:52]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [1998-06-10 07:43]
S3 OracleCMAdminService80;OracleCMAdminService80;C:\orant\BIN\CMADM80.EXE [1998-06-10 07:47]
S3 OracleCManService80;OracleCManService80;C:\orant\BIN\CMGW80.EXE [1998-06-10 07:47]
S3 OracleDataGatherer;OracleDataGatherer;C:\orant\bin\vppdc.exe [1998-06-26 08:29]
S3 OracleExtprocAgent;OracleExtprocAgent;C:\orant\BIN\EXTPROCT.EXE extproc []
S3 OracleNamesService80;OracleNamesService80;C:\orant\BIN\NAMES80.EXE [1998-06-10 07:43]
S3 OracleServiceORC0;OracleServiceORC0;c:\orant\bin\oracle80.exe ORC0 []
S3 OracleServiceORCL;OracleServiceORCL;c:\orant\bin\oracle80.exe ORCL []
S3 OracleStartORC0;OracleStartORC0;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleStartORCL;OracleStartORCL;C:\orant\BIN\strtdb80.exe [1997-10-27 23:42]
S3 OracleTNSListener80;OracleTNSListener80;C:\orant\BIN\TNSLSNR80.EXE [1998-06-10 07:43]
S3 PCDRDRV;Pcdr Helper Driver;C:\windows\system32\drivers\PCDRDRV.sys []
S3 SBAPIFS;SBAPIFS;C:\windows\system32\drivers\sbapifs.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 18:37:26 C:\windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-15 09:53:22 C:\windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 14:37:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\SSL VPN Client\Agent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-29 14:42:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 18:42:31
ComboFix2.txt 2008-05-28 19:04:56
ComboFix3.txt 2008-05-27 14:29:39

Pre-Run: 94,467,489,792 bytes free
Post-Run: 94,385,557,504 bytes free

240 --- E O F --- 2008-05-18 23:55:48
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm
