
Annoying redirects


Re: Annoying redirects

Post by bronkette » June 15th, 2009, 8:07 pm

First requested log:

ComboFix 09-06-14.02 - AndreaWatson 06/15/2009 19:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.602 [GMT -4:00]
Running from: c:\documents and settings\AndreaWatson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AndreaWatson\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-14 17:28 . 2009-06-14 17:28 -------- d-----w- c:\program files\Bluetack
2009-06-14 00:27 . 2009-06-14 00:27 -------- d-----w- c:\documents and settings\AndreaWatson\Local Settings\Application Data\AVG Security Toolbar
2009-06-13 20:10 . 2009-06-13 20:10 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-13 20:10 . 2009-06-13 20:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-13 20:04 . 2009-05-18 13:42 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-11 03:27 . 2009-06-11 03:27 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\WinPatrol
2009-06-11 03:27 . 2008-01-27 19:53 0 ----a-w- c:\documents and settings\AndreaWatson\Application Data\WinPatrol\Config.sys
2009-06-11 03:27 . 2008-01-27 19:53 0 ----a-w- c:\documents and settings\AndreaWatson\Application Data\WinPatrol\Autoexec.bat
2009-06-11 03:27 . 2009-06-11 03:27 -------- d-----w- c:\program files\BillP Studios
2009-06-10 21:10 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 21:10 . 2009-06-10 21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-10 21:10 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 22:49 . 2009-06-09 22:50 -------- dc----w- C:\rsit
2009-06-09 14:30 . 2009-06-11 14:40 -------- dc----w- C:\ToolBar SD
2009-06-09 13:57 . 2009-06-09 13:58 -------- d-----w- c:\documents and settings\Michael Watson\Application Data\AVGTOOLBAR
2009-06-08 00:28 . 2009-06-08 00:28 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Thunderbird
2009-06-08 00:28 . 2009-06-08 00:28 335 ----a-w- c:\windows\mozregistry.dat
2009-06-08 00:28 . 2009-06-08 00:28 -------- d-----w- c:\program files\Netscape
2009-06-08 00:27 . 2009-06-08 00:27 9728 ----a-w- c:\windows\system32\rnaph.dll
2009-06-03 22:26 . 2009-06-03 22:26 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Symantec
2009-06-03 22:25 . 2009-06-03 22:25 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-03 22:25 . 2009-06-03 22:25 104144 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-03 22:25 . 2009-06-03 22:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-03 22:24 . 2009-06-03 22:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-03 22:24 . 2009-06-03 22:25 -------- d-----w- c:\program files\Symantec
2009-05-29 00:58 . 2009-06-10 14:20 -------- dc----w- c:\documents and settings\All Users\Application Data\Uniblue
2009-05-29 00:43 . 2009-05-29 01:27 266072 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-29 00:41 . 2009-05-29 00:41 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-29 00:40 . 2009-05-29 00:40 -------- d-----w- c:\program files\Reference Assemblies
2009-05-29 00:38 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-29 00:38 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-29 00:38 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-05-29 00:38 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-05-29 00:38 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-29 00:38 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-29 00:38 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-05-29 00:38 . 2009-05-29 00:40 -------- dc----w- C:\89469f0340b713fc958d
2009-05-28 23:59 . 2009-05-28 23:59 -------- dc-h--r- C:\AHCache
2009-05-23 23:42 . 2009-05-23 23:42 -------- d-----w- c:\program files\ZEMNOTT
2009-05-23 20:36 . 2009-05-23 20:36 -------- d-----w- c:\program files\KingsIsle Entertainment
2009-05-18 18:36 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 22:46 . 2008-01-27 19:52 83874 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-14 17:44 . 2008-01-27 21:17 122656 ----a-w- c:\documents and settings\AndreaWatson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 20:07 . 2008-05-15 22:58 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 14:29 . 2008-01-27 22:05 -------- d-----w- c:\program files\Lavasoft
2009-06-10 14:25 . 2008-01-27 21:12 -------- d-----w- c:\program files\Java
2009-06-10 14:21 . 2009-05-13 22:37 -------- d-----w- c:\program files\Uniblue
2009-06-10 14:20 . 2009-05-11 03:17 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Uniblue
2009-06-09 22:32 . 2009-01-20 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-06-08 00:28 . 2008-11-02 15:09 644 -c--a-w- c:\windows\nsreg.dat
2009-06-06 00:39 . 2009-05-07 13:37 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\AVG8
2009-05-29 00:41 . 2009-05-03 00:42 -------- d-----w- c:\program files\MSBuild
2009-05-26 21:25 . 2009-03-23 01:41 -------- d-----w- c:\program files\Oberon Media
2009-05-23 23:42 . 2008-01-27 20:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-21 13:20 . 2009-05-04 00:35 117760 ----a-w- c:\documents and settings\AndreaWatson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-20 12:25 . 2008-05-15 22:57 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-16 11:51 . 2009-05-16 11:51 -------- d-----w- c:\program files\Trend Micro
2009-05-14 10:49 . 2009-05-14 10:49 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-05-14 10:26 . 2009-05-14 10:26 -------- dc----w- c:\documents and settings\All Users\Application Data\Babylon
2009-05-14 10:26 . 2009-05-14 10:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Babylon
2009-05-13 22:40 . 2009-05-13 22:39 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\System Tweaker
2009-05-12 10:32 . 2009-05-12 10:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-05-07 23:39 . 2009-02-27 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 15:29 . 2009-05-07 15:14 202 -c--a-w- C:\43214354.bat
2009-05-07 13:50 . 2009-05-07 13:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-05-07 13:47 . 2009-05-07 13:47 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-05-07 13:47 . 2009-05-07 13:47 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-05-04 00:34 . 2009-05-04 00:34 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-04 00:34 . 2009-05-04 00:34 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\SUPERAntiSpyware.com
2009-05-04 00:31 . 2008-01-27 21:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-04 00:05 . 2008-06-27 12:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 22:44 . 2009-05-03 22:44 -------- d-----w- c:\program files\Downloaded Installers
2009-05-03 21:28 . 2009-05-03 17:17 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\AVGTOOLBAR
2009-05-03 17:17 . 2008-05-15 22:58 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-03 17:17 . 2008-01-27 21:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-03 17:17 . 2008-05-15 22:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-03 12:47 . 2009-05-03 12:46 -------- d-----w- c:\program files\Defraggler
2009-04-29 22:50 . 2009-04-18 14:22 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\LimeWire
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-23 01:29 . 2009-01-21 00:00 2828 -csha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-23 01:29 . 2009-01-21 00:00 2828 -csha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-23 01:18 . 2009-04-23 01:18 -------- d-----w- c:\program files\Wyzo
2009-04-23 00:54 . 2008-02-12 22:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-17 22:11 . 2009-02-06 00:18 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Download Manager
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 19:58 . 2009-04-10 19:58 45056 ----a-r- c:\documents and settings\AndreaWatson\Application Data\Microsoft\Installer\{0A28C610-EE06-4A33-BB56-A2155B524916}\ARPPRODUCTICON.exe
2009-04-08 11:32 . 2009-04-08 11:32 152576 ----a-w- c:\documents and settings\AndreaWatson\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 00:47 . 2009-03-28 00:47 305664 ----a-w- c:\documents and settings\AndreaWatson\Application Data\Thinstall\Program Data\40000013a000002i\Illustrator.exe
2008-09-10 05:21 . 2009-03-04 03:35 3769344 ----a-w- c:\program files\WinBootstrapper.msi
2008-09-10 04:12 . 2009-03-04 03:35 400 ----a-w- c:\program files\deployment.xml
2008-09-10 04:12 . 2009-03-04 03:35 399 ----a-w- c:\program files\uninstall.xml
2008-08-18 17:24 . 2009-03-04 03:34 2448358 ----a-w- c:\program files\WinBootstrapper1.cab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-10-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-30 118784]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-13 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]

c:\documents and settings\AndreaWatson\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-1-27 157008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 17:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 15:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
R0 Gernuwa;Gernuwa;c:\windows\system32\drivers\GERNUWA.sys [4/21/2003 1:00 PM 13898]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/15/2008 6:58 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/15/2008 6:58 PM 108552]
R1 awecho;awecho;c:\windows\system32\drivers\awechomd.sys [3/5/2004 12:52 PM 8368]
R1 eabfiltr;EABFiltr;c:\windows\system32\drivers\eabfiltr.sys [1/27/2008 5:10 PM 7432]
R1 SCDEmu;SCDEmu;c:\windows\system32\drivers\scdemu.sys [11/2/2008 4:44 AM 56572]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;c:\windows\system32\drivers\wmiacpi.sys [1/27/2008 10:28 AM 8832]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/7/2009 9:47 AM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\camcaud.sys [1/27/2008 4:39 PM 292352]
R3 CAMCHALA;CAMCHALA;c:\windows\system32\drivers\camchal.sys [1/27/2008 4:39 PM 274688]
R3 HSFHWICH;HSFHWICH;c:\windows\system32\drivers\HSFHWICH.sys [1/27/2008 4:39 PM 199552]
R3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [10/1/2003 11:54 AM 184832]
R3 SynTP;Synaptics TouchPad Driver;c:\windows\system32\drivers\SynTP.sys [1/27/2008 4:40 PM 182720]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASDIFSV.SYS --> c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASKUTIL.sys --> c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 adfs;adfs; [x]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/7/2009 9:47 AM 29208]
S3 BCM42RLY;BCM42RLY; [x]
S3 BCM43XX;802.11 Network Adapter Driver;c:\windows\system32\drivers\BCMWL5.SYS [1/27/2008 4:42 PM 371712]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;c:\windows\system32\CBTNDIS5.sys [1/2/2009 3:13 PM 17142]
S3 odysseyIM4;Odyssey Network Agent Miniport;c:\windows\system32\drivers\odysseyIM4.sys [9/25/2004 12:36 AM 173056]
S3 SASENUM;SASENUM;\??\c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASENUM.SYS --> c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASENUM.SYS [?]
S3 WpdUsb;WpdUsb;c:\windows\system32\drivers\wpdusb.sys [10/18/2006 9:00 PM 38528]
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
mWindow Title =
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {6AE60EAB-0EAF-4F38-AE29-EEB9A97FE632} = 216.144.187.37,204.186.0.201
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?7?0?3??????? ???B???????????????B? ??????

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\docume~1\ANDREA~1\LOCALS~1\Temp\catchme.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-06-15 23:31
ComboFix2.txt 2009-06-15 02:45

Pre-Run: 14,633,574,400 bytes free
Post-Run: 14,638,964,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

235 --- E O F --- 2009-06-14 03:05

Second requested log:

ComboFix 09-06-14.02 - AndreaWatson 06/15/2009 19:50.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.583 [GMT -4:00]
Running from: c:\documents and settings\AndreaWatson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AndreaWatson\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

FILE ::
"c:\windows\system32\drivers\gaopdxkaiddtpp.sys"
"c:\windows\system32\drivers\gaopdxserv.sys"
"c:\windows\system32\drivers\ovfsthxbborujnv.sy_"
"c:\windows\system32\drivers\ovfsthxbborujnv.sys"
"c:\windows\system32\drivers\ovfsthxdoyltfqh"
"c:\windows\system32\ovfsthxkiqorcvh.da_"
"c:\windows\system32\ovfsthxsntsecbo.dl_"
"c:\windows\system32\ovfsthxxvrtfhwx.dl_"
.

((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-14 17:28 . 2009-06-14 17:28 -------- d-----w- c:\program files\Bluetack
2009-06-14 00:27 . 2009-06-14 00:27 -------- d-----w- c:\documents and settings\AndreaWatson\Local Settings\Application Data\AVG Security Toolbar
2009-06-13 20:10 . 2009-06-13 20:10 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-13 20:10 . 2009-06-13 20:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-13 20:04 . 2009-05-18 13:42 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-11 03:27 . 2009-06-11 03:27 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\WinPatrol
2009-06-11 03:27 . 2008-01-27 19:53 0 ----a-w- c:\documents and settings\AndreaWatson\Application Data\WinPatrol\Config.sys
2009-06-11 03:27 . 2008-01-27 19:53 0 ----a-w- c:\documents and settings\AndreaWatson\Application Data\WinPatrol\Autoexec.bat
2009-06-11 03:27 . 2009-06-11 03:27 -------- d-----w- c:\program files\BillP Studios
2009-06-10 21:10 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 21:10 . 2009-06-10 21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-10 21:10 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 22:49 . 2009-06-09 22:50 -------- dc----w- C:\rsit
2009-06-09 14:30 . 2009-06-11 14:40 -------- dc----w- C:\ToolBar SD
2009-06-09 13:57 . 2009-06-09 13:58 -------- d-----w- c:\documents and settings\Michael Watson\Application Data\AVGTOOLBAR
2009-06-08 00:28 . 2009-06-08 00:28 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Thunderbird
2009-06-08 00:28 . 2009-06-08 00:28 335 ----a-w- c:\windows\mozregistry.dat
2009-06-08 00:28 . 2009-06-08 00:28 -------- d-----w- c:\program files\Netscape
2009-06-08 00:27 . 2009-06-08 00:27 9728 ----a-w- c:\windows\system32\rnaph.dll
2009-06-03 22:26 . 2009-06-03 22:26 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Symantec
2009-06-03 22:25 . 2009-06-03 22:25 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-03 22:25 . 2009-06-03 22:25 104144 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-03 22:25 . 2009-06-03 22:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-03 22:24 . 2009-06-03 22:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-03 22:24 . 2009-06-03 22:25 -------- d-----w- c:\program files\Symantec
2009-05-29 00:58 . 2009-06-10 14:20 -------- dc----w- c:\documents and settings\All Users\Application Data\Uniblue
2009-05-29 00:43 . 2009-05-29 01:27 266072 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-29 00:41 . 2009-05-29 00:41 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-29 00:40 . 2009-05-29 00:40 -------- d-----w- c:\program files\Reference Assemblies
2009-05-29 00:38 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-29 00:38 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-29 00:38 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-05-29 00:38 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-05-29 00:38 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-29 00:38 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-29 00:38 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-05-29 00:38 . 2009-05-29 00:40 -------- dc----w- C:\89469f0340b713fc958d
2009-05-28 23:59 . 2009-05-28 23:59 -------- dc-h--r- C:\AHCache
2009-05-23 23:42 . 2009-05-23 23:42 -------- d-----w- c:\program files\ZEMNOTT
2009-05-23 20:36 . 2009-05-23 20:36 -------- d-----w- c:\program files\KingsIsle Entertainment
2009-05-18 18:36 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 22:46 . 2008-01-27 19:52 83874 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-14 17:44 . 2008-01-27 21:17 122656 ----a-w- c:\documents and settings\AndreaWatson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 20:07 . 2008-05-15 22:58 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 14:29 . 2008-01-27 22:05 -------- d-----w- c:\program files\Lavasoft
2009-06-10 14:25 . 2008-01-27 21:12 -------- d-----w- c:\program files\Java
2009-06-10 14:21 . 2009-05-13 22:37 -------- d-----w- c:\program files\Uniblue
2009-06-10 14:20 . 2009-05-11 03:17 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Uniblue
2009-06-09 22:32 . 2009-01-20 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-06-08 00:28 . 2008-11-02 15:09 644 -c--a-w- c:\windows\nsreg.dat
2009-06-06 00:39 . 2009-05-07 13:37 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\AVG8
2009-05-29 00:41 . 2009-05-03 00:42 -------- d-----w- c:\program files\MSBuild
2009-05-26 21:25 . 2009-03-23 01:41 -------- d-----w- c:\program files\Oberon Media
2009-05-23 23:42 . 2008-01-27 20:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-21 13:20 . 2009-05-04 00:35 117760 ----a-w- c:\documents and settings\AndreaWatson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-20 12:25 . 2008-05-15 22:57 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-16 11:51 . 2009-05-16 11:51 -------- d-----w- c:\program files\Trend Micro
2009-05-14 10:49 . 2009-05-14 10:49 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-05-14 10:26 . 2009-05-14 10:26 -------- dc----w- c:\documents and settings\All Users\Application Data\Babylon
2009-05-14 10:26 . 2009-05-14 10:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Babylon
2009-05-13 22:40 . 2009-05-13 22:39 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\System Tweaker
2009-05-12 10:32 . 2009-05-12 10:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-05-07 23:39 . 2009-02-27 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 15:29 . 2009-05-07 15:14 202 -c--a-w- C:\43214354.bat
2009-05-07 13:50 . 2009-05-07 13:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-05-07 13:47 . 2009-05-07 13:47 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-05-07 13:47 . 2009-05-07 13:47 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-05-04 00:34 . 2009-05-04 00:34 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-04 00:34 . 2009-05-04 00:34 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\SUPERAntiSpyware.com
2009-05-04 00:31 . 2008-01-27 21:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-04 00:05 . 2008-06-27 12:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 22:44 . 2009-05-03 22:44 -------- d-----w- c:\program files\Downloaded Installers
2009-05-03 21:28 . 2009-05-03 17:17 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\AVGTOOLBAR
2009-05-03 17:17 . 2008-05-15 22:58 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-03 17:17 . 2008-01-27 21:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-03 17:17 . 2008-05-15 22:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-03 12:47 . 2009-05-03 12:46 -------- d-----w- c:\program files\Defraggler
2009-04-29 22:50 . 2009-04-18 14:22 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\LimeWire
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-23 01:29 . 2009-01-21 00:00 2828 -csha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-23 01:29 . 2009-01-21 00:00 2828 -csha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-23 01:18 . 2009-04-23 01:18 -------- d-----w- c:\program files\Wyzo
2009-04-23 00:54 . 2008-02-12 22:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-17 22:11 . 2009-02-06 00:18 -------- d-----w- c:\documents and settings\AndreaWatson\Application Data\Download Manager
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 19:58 . 2009-04-10 19:58 45056 ----a-r- c:\documents and settings\AndreaWatson\Application Data\Microsoft\Installer\{0A28C610-EE06-4A33-BB56-A2155B524916}\ARPPRODUCTICON.exe
2009-04-08 11:32 . 2009-04-08 11:32 152576 ----a-w- c:\documents and settings\AndreaWatson\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 00:47 . 2009-03-28 00:47 305664 ----a-w- c:\documents and settings\AndreaWatson\Application Data\Thinstall\Program Data\40000013a000002i\Illustrator.exe
2008-09-10 05:21 . 2009-03-04 03:35 3769344 ----a-w- c:\program files\WinBootstrapper.msi
2008-09-10 04:12 . 2009-03-04 03:35 400 ----a-w- c:\program files\deployment.xml
2008-09-10 04:12 . 2009-03-04 03:35 399 ----a-w- c:\program files\uninstall.xml
2008-08-18 17:24 . 2009-03-04 03:34 2448358 ----a-w- c:\program files\WinBootstrapper1.cab
.

((((((((((((((((((((((((((((( SnapShot@2009-06-15_02.39.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 22:38 . 2009-06-15 22:38 16384 c:\windows\Temp\Perflib_Perfdata_a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-10-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-30 118784]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-13 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]

c:\documents and settings\AndreaWatson\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-1-27 157008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 17:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 15:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/15/2008 6:58 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/15/2008 6:58 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 8:35 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 8:35 PM 298776]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/7/2009 9:47 AM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
R3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [10/1/2003 11:54 AM 184832]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASDIFSV.SYS --> c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASKUTIL.sys --> c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [5/7/2009 9:47 AM 1368952]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]
S2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/7/2009 9:47 AM 29208]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/21/2009 7:56 PM 33752]
S3 SASENUM;SASENUM;\??\c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASENUM.SYS --> c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
mWindow Title =
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {6AE60EAB-0EAF-4F38-AE29-EEB9A97FE632} = 216.144.187.37,204.186.0.201
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 19:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?7?0?3??????? ???B???????????????B? ??????

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(748)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\docume~1\ANDREA~1\LOCALS~1\Temp\catchme.dll
.
Completion time: 2009-06-15 20:01
ComboFix-quarantined-files.txt 2009-06-16 00:00
ComboFix2.txt 2009-06-15 23:32
ComboFix3.txt 2009-06-15 02:45

Pre-Run: 14,642,135,040 bytes free
Post-Run: 14,638,903,296 bytes free

233 --- E O F --- 2009-06-14 03:05
bronkette
Regular Member
 
Posts: 19
Joined: May 16th, 2009, 7:57 am
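The ComboFix output above mixes several things a helper has to read by eye: the XP firewall policy (EnableFirewall, the authorized-application list, globally open ports) and the R0/R1/S0/S1 kernel-driver entries, some of which point at user-writable locations or end in "[?]" because the image could not be found. The script below is an added example, not part of the original post and not ComboFix code; it parses a constructed sample made of a few lines copied from the log in the shape ComboFix prints them and produces triage flags. The function names, the `USER_WRITABLE` path markers and the flag strings are my own choices.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines in the shape ComboFix prints them,
# copied from the log above (not the full log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/15/2008 6:58 PM 327688]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASDIFSV.SYS --> c:\documents and settings\AndreaWatson\Desktop\SUPERAntiSpyware\SASDIFSV.SYS [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/21/2009 7:56 PM 33752]
"""

# "R1 name;display;image [date size]" is ComboFix's service/driver line layout.
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Path fragments (assumed list) that a boot/system-start driver should not normally load from.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\users\\")


def parse_firewall_policy(text: str) -> Dict[str, object]:
    """Pull EnableFirewall, authorized apps and open ports out of the Reg Loading Points block."""
    policy: Dict[str, object] = {"enable_firewall": None, "authorized_apps": [], "open_ports": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()          # remember which registry key we are under
            continue
        if "firewallpolicy" not in section or not line.startswith('"'):
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').replace("\\\\", "\\")   # .reg-style doubled backslashes
        value = value.strip()
        if section.endswith("\\standardprofile]") and name.lower() == "enablefirewall":
            policy["enable_firewall"] = int(value.split()[0])  # "0 (0x0)" -> 0
        elif "authorizedapplications" in section:
            policy["authorized_apps"].append(name)
        elif "globallyopenports" in section:
            port, proto = name.split(":")
            desc = value.split(":", 2)[2] if value.count(":") >= 2 else ""
            policy["open_ports"].append({"port": int(port), "proto": proto, "description": desc})
    return policy


def parse_services(text: str) -> List[Dict[str, object]]:
    """Parse R*/S* driver and service lines; '[?]' means ComboFix could not stat the image."""
    services = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith("[?]")
        # "image --> image [?]" is how ComboFix reports a path it could not find.
        path = rest.split(" --> ")[0].split(" [")[0]
        if path.startswith("\\??\\"):    # NT object-manager prefix used for user-mode-loaded drivers
            path = path[4:]
        services.append({"start": m.group("start"), "name": m.group("name"),
                         "display": m.group("display"), "path": path, "missing": missing})
    return services


def triage(text: str) -> List[str]:
    """Return triage flags in log order; these are hints for a helper, not verdicts."""
    findings: List[str] = []
    policy = parse_firewall_policy(text)
    if policy["enable_firewall"] == 0:
        findings.append("windows-firewall-disabled")
    for p in policy["open_ports"]:
        findings.append(f"open-port:{p['port']}/{p['proto']}")
    for svc in parse_services(text):
        kernel = svc["start"] in {"R0", "R1", "S0", "S1"}   # boot/system-start kernel drivers
        low = str(svc["path"]).lower()
        if kernel and any(marker in low for marker in USER_WRITABLE):
            findings.append(f"driver-in-user-path:{svc['name']}")
        if svc["missing"]:
            findings.append(f"missing-image:{svc['name']}")
    return findings


if __name__ == "__main__":
    for flag in triage(SAMPLE_LOG):
        print(flag)
```

Read the flags against the log rather than acting on them: the log lists an AVG8 Firewall service, so Windows Firewall being off is expected rather than suspicious, and the SUPERAntiSpyware drivers load from the Desktop because that is where the tool was extracted. The value of the parser is that it surfaces every such entry, including the "[?]" missing-image ones, so nothing is skipped on a second read.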

Re: Annoying redirects

Unread postby askey127 » June 16th, 2009, 4:59 pm

bronkette,
Good you got the Recovery Console installed.
We should get some slightly different results, once the hiding aspect of the rootkit has been unmasked.
-----------------------------------------------------------
Copy/Paste/Run a Registry Edit
Copy/paste the following quote box into a new notepad document:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= -


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save it as File Type All Files (not as a Text document, or it won't work).
Save it to your Desktop as fixme.reg
Double click fixme.reg on your Desktop, and merge it into the registry when asked.
-----------------------------------------------------------
Reboot Windows.
-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to each folder shown below, highlight each one in turn shown in red, if found, and press Delete.
c:\documents and settings\AndreaWatson\Application Data\LimeWire\
c:\documents and settings\AndreaWatson\Application Data\Uniblue\
c:\documents and settings\All Users\Application Data\Corel\

You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
If you need to delete underlying files in a folder and are unable to do so:
Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, note the name of the file, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
----------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, be sure that every item is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents. The logs are listed and named by time/date stamp.
-----------------------------------------------------
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Need the log from Malwarebytes and log from Kaspersky.
Let me know how it goes and how it's running.
askey
askey127
Admin/Teacher
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
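The registry edit in the post above has three silent failure modes that regedit does not report clearly: a blank line before the REGEDIT4 header, no blank line at the end of the file, and Notepad saving the file as fixme.reg.txt. As an added example, not part of the original post, the script below builds the same kind of deletion file and checks those conditions before it is merged. It also shows the two REGEDIT4 deletion forms, `"value"=-` for a single value (what the post uses) and `[-key]` for a whole key. The function names and the problem strings are my own; nothing here is a regedit API.

```python
import re
from typing import List, Sequence

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=- deletes a value; @=... addresses the default value.
VALUE_LINE = re.compile(r'^(?:"[^"]+"|@)=(?:-|.+)$')
# [key] adds/opens a key; [-key] deletes it and everything under it.
KEY_LINE = re.compile(r"^\[-?HKEY_[A-Z_]+(?:\\[^\]]*)?\]$")


def build_reg_delete(key: str, values: Sequence[str] = (), delete_key: bool = False) -> str:
    """Return REGEDIT4 text that deletes the named values under key, or the whole key."""
    lines = ["REGEDIT4", ""]            # header, then the blank line regedit expects after it
    if delete_key:
        lines.append(f"[-{key}]")
    else:
        lines.append(f"[{key}]")
        lines.extend(f'"{v}"=-' for v in values)
    lines.append("")                    # the file must end with one blank line
    return "\r\n".join(lines) + "\r\n"  # regedit on XP expects CRLF line endings


def check_reg_text(text: str, filename: str) -> List[str]:
    """Return the problems a helper would want to catch before the file is double-clicked."""
    problems: List[str] = []
    if not filename.lower().endswith(".reg"):
        problems.append("not-a-reg-file")        # e.g. Notepad appended .txt
    lines = [l.rstrip("\r") for l in text.split("\n")]
    if lines and lines[0] == "":
        problems.append("leading-blank-line")    # header must be the very first line
    header_idx = next((i for i, l in enumerate(lines) if l.strip()), None)
    if header_idx is None or lines[header_idx] not in HEADERS:
        problems.append("bad-header")
    if not (text.endswith("\n\n") or text.endswith("\r\n\r\n")):
        problems.append("missing-trailing-blank-line")
    for l in lines[(header_idx or 0) + 1:]:
        if not l.strip() or KEY_LINE.match(l) or VALUE_LINE.match(l):
            continue
        problems.append(f"unparsed-line:{l}")    # anything regedit would not understand
    return problems


if __name__ == "__main__":
    port_list = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess"
                 r"\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List")
    text = build_reg_delete(port_list, ["5353:TCP"])
    print(text)
    print("problems:", check_reg_text(text, "fixme.reg"))
```

The check is deliberately strict about the extension: on XP with "Hide extensions for known file types" on, fixme.reg.txt displays as fixme.reg, and double-clicking it opens Notepad instead of merging anything, which is why the post insists on saving as All Files.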

Re: Annoying redirects

Unread postby bronkette » June 17th, 2009, 10:32 pm

Here are the logs.

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/16/2009 10:15:09 PM
mbam-log-2009-06-16 (22-15-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170383
Time elapsed: 1 hour(s), 41 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 17, 2009 23:26:31
Records in database: 2358581
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 73636
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:29:20

No malware has been detected. The scan area is clean.

The selected area was scanned.



Everything is showing as clean but I still get that annoying "Connection Interrupted" error.

I don't suppose typing "I won't download bad stuff" 1000 times will help. :cry:

I still get that annoying error message "Connection Interrupted".

Re: Annoying redirects

Unread postby askey127 » June 18th, 2009, 6:25 am

bronkette,
Unfortunately, rootkits can do anything they want.
As you are now aware, they often come "free" with keygens and P2P shared files.
After a lot of work, your machine does appear to be free of malware now.

We are probably not the best to troubleshoot the Internet configuration issue. There are other very good forums that can do that for you.
---------------------------------------------------------
Good System/Hardware Help Forums
GeekstoGo here: http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html
or
Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/

All may require you to register free before posting for help.

You should tell them you have had a rootkit removed, but there appears to be some residual leftover in your Internet configuration.
askey127

Re: Annoying redirects

Unread postby bronkette » June 18th, 2009, 6:31 pm

Askey, thank you for all your help. You guys rock! :flower:

Re: Annoying redirects

Unread postby askey127 » June 18th, 2009, 7:26 pm

bronkette, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.