Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help with Malware (Google redirection etc)

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help with Malware (Google redirection etc)

Unread postby dencar » April 8th, 2009, 7:32 am

I am seeking help to remove malware which is causing google redirection via js.doubleclick. I am unable to run/update malwarebytes anti-malware and my anti-virus, Sunbelt Vipre can't cope. It said it had removed Autorun(v) trojan this morning, but malware is still active. I hope someone is able to assist. Thanks.
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am
Advertisement
Register to Remove

Re: Help with Malware (Google redirection etc)

Unread postby dan12 » April 8th, 2009, 3:42 pm

Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

* Doubleclick HJTInstall.exe to install it.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

please post new HJT log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help with Malware (Google redirection etc)

Unread postby dencar » April 8th, 2009, 6:52 pm

Thank you, dan12, here is the Hijack This logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:50 AM, on 9/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\pyTivo\pyTivoService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Python26\python.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\stsystra.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\InkSaver\InkSaver.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BWMeter\BWMeter.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/news/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com.au/ig/dell?hl=en& ... bd=4070620
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9494049687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3660916218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D7216A-4289-44B3-9272-EE21828F9C80}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{75C82845-E8EB-4315-9B35-374E64AC202D}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC007052-B28C-42BC-B546-6A5D61A1635D}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\..\{24D7216A-4289-44B3-9272-EE21828F9C80}: NameServer = 85.255.112.61,85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.61,85.255.112.172
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: pyTivo - Unknown owner - C:\Program Files\pyTivo\pyTivoService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: ToppyPC Scheduler - JDASoft - C:\Program Files\JDASoft\ToppyPC\web\bin\Scheduler.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13617 bytes
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am

Re: Help with Malware (Google redirection etc)

Unread postby dan12 » April 8th, 2009, 7:02 pm

welcome to malwareremoval forums

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help with Malware (Google redirection etc)

Unread postby dencar » April 8th, 2009, 8:02 pm

Hi Dan,
Thanks for the speedy reply. Here is the program list:

1Click DVD Copy Pro 3.3.7.0
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
ActivePython-2.2
ActiveState ActivePython 2.6.1.1
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11
AnyDVD
Apple Software Update
ArcSoft Software Suite
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Booster 1.03
Broadcom Management Programs
BWMeter v4.2.2
Canon Camera Window for ZoomBrowser EX
Canon i865
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon ScanGear Toolbox CS 2.2
Canon Utilities 3D-PhotoPrint
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Easy-PhotoPrint Plus
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CDDRV_Installer
CD-LabelPrint
Chameleon Clock 5.0
Conexant HDA D110 MDC V.92 Modem
ConvertXtoDVD 3.4.8.123
Critical Update for Windows Media Player 11 (KB959772)
Dell Support 3.2.1
Dell Support Center (Support Software)
DellConnect
Digital Line Detect
DirectShow Dump
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DVD Decrypter (Remove Only)
DVD Identifier
DVDAuthorGUI (remove only)
DVD-lab PRO 2.51
Foxit PDF Creator
Foxit PDF Editor
Foxit Reader
GOPlayer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
ImgBurn
InkSaver
Intel(R) PROSet/Wireless Software
Internode Monthly Usage Meter 7.1r
Java(TM) 6 Update 13
JBidwatcher 2
KhalInstallWrapper
K-Lite Codec Pack 4.7.5 (Full)
LoadIt
Logitech Desktop Messenger
Logitech Harmony Remote Software 7
Logitech SetPoint
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
Moon Phase Calculator 3.45
Mozilla Firefox (3.0.8)
Mozilla Thunderbird (2.0.0.21)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
Nero 7 Essentials
neroxml
NetWaiting
Network Magic
Network Print Monitor for Windows 2000/XP/2003/Vista
NewsLeecher v3.9 Beta 8
OpenOffice.org 3.0
Paragon Drive Backup 8.51 Professional Trial
Paragon Partition Manager 9.0 Professional
PeerGuardian 2.0
Pegasus Mail
PHOTOfunSTUDIO -viewer-
PySolitaire 0.10
Python 2.6 PIL-1.1.6
pyTivo wmcbrine-2009.03.19-RC1
QuickSet
QuickTime
RealPlayer
RegistryFix v7.0
Remote Control USB Driver
Secunia PSI
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sharp World Clock 1.10
Signature Creator 1.12
Skype™ 3.8
Solitaire City
SolSuite 2009 v9.1
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sunbelt Personal Firewall
Synaptics Pointing Device Driver
T2Sami Desktop
TiVo Desktop 2.7
TiVo Desktop 2.7
TiVoPlayList v0.67c
TMPGEnc DVD Author 3 with DivX Authoring
Topfield Tools
ToppyPC 3.3
ToppyTools Suite 2.0.0.57
TVAP Ver. 0.72
Tweak UI
UltimateDefrag 2008
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
URL Assistant
VC80CRTRedist - 8.0.50727.762
VideoReDo/Plus Version 2.5.4.507
Viewpoint Media Player (Remove Only)
WIDCOMM Bluetooth Software
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinPcap 4.0.2
WinRAR archiver
WinZip 11.2
XnView 1.95.2
Your Uninstaller! 2008 Version 6.0

Regards,
Dennis
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am

Re: Help with Malware (Google redirection etc)

Unread postby dan12 » April 8th, 2009, 8:20 pm

Hi, Dennis,


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Image


Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help with Malware (Google redirection etc)

Unread postby dencar » April 8th, 2009, 9:31 pm

Hi Dan,
Here are ComboFix.txt:

ComboFix 09-04-04.01 - Dennis 2009-04-09 10:57:19.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1560 [GMT 10:00]
Running from: c:\documents and settings\Dennis\Desktop\Combo-Fix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)
FW: Sunbelt Personal Firewall *enabled*
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Dennis\Application Data\inst.exe
c:\documents and settings\Dennis\Application Data\vertXtoDVD3_setup_3.4.7.121.exe
c:\program files\keygen.exe
c:\recycler\S-2-7-98-100026606-100014430-100009423-8195.com
c:\windows\system32\_005225_.tmp.dll
c:\windows\system32\_005226_.tmp.dll
c:\windows\system32\_005227_.tmp.dll
c:\windows\system32\_005228_.tmp.dll
c:\windows\system32\_005235_.tmp.dll
c:\windows\system32\_005236_.tmp.dll
c:\windows\system32\_005237_.tmp.dll
c:\windows\system32\_005238_.tmp.dll
c:\windows\system32\_005240_.tmp.dll
c:\windows\system32\_005241_.tmp.dll
c:\windows\system32\_005244_.tmp.dll
c:\windows\system32\_005245_.tmp.dll
c:\windows\system32\_005247_.tmp.dll
c:\windows\system32\_005248_.tmp.dll
c:\windows\system32\_005249_.tmp.dll
c:\windows\system32\_005251_.tmp.dll
c:\windows\system32\_005254_.tmp.dll
c:\windows\system32\_005255_.tmp.dll
c:\windows\system32\_005259_.tmp.dll
c:\windows\system32\_005260_.tmp.dll
c:\windows\system32\_005262_.tmp.dll
c:\windows\system32\_005264_.tmp.dll
c:\windows\system32\_005265_.tmp.dll
c:\windows\system32\_005267_.tmp.dll
c:\windows\system32\_005268_.tmp.dll
c:\windows\system32\_005269_.tmp.dll
c:\windows\system32\_005270_.tmp.dll
c:\windows\system32\_005271_.tmp.dll
c:\windows\system32\_005274_.tmp.dll
c:\windows\system32\_005275_.tmp.dll
c:\windows\system32\_005276_.tmp.dll
c:\windows\system32\_005277_.tmp.dll
c:\windows\system32\_005278_.tmp.dll
c:\windows\system32\_005283_.tmp.dll
c:\windows\system32\_005285_.tmp.dll
c:\windows\system32\_005286_.tmp.dll
c:\windows\system32\drivers\gaopdxwuruxxuktxrrjlhfpsjofqrdyejfqnwu.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxeotxfafavovoqiwdsjhaelmojueqfnsa.dll
c:\windows\system32\Plugins
c:\windows\system32\Plugins\NPLeechGet.dll
c:\windows\system32\pthreadGC2.dll

----- BITS: Possible infected sites -----

hxxp://webstore.loadit.com.au
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 08:47 . 2009-04-09 08:47 <DIR> d-------- c:\program files\Trend Micro
2009-04-08 18:02 . 2009-04-08 21:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-08 18:02 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 18:02 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-08 08:00 . 2009-04-08 08:00 0 --a------ c:\windows\system32\SBRC.dat
2009-04-07 21:11 . 2001-05-04 13:58 114,688 --a------ C:\Fport.exe
2009-04-06 22:07 . 2009-04-06 22:07 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-04-06 22:07 . 2008-09-25 04:41 839,680 --a------ c:\windows\system32\lameACM.acm
2009-04-06 22:07 . 2008-12-08 04:08 795,648 --a------ c:\windows\system32\xvidcore.dll
2009-04-06 22:07 . 2004-01-26 02:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2009-04-06 22:07 . 2008-09-17 05:23 168,448 --a------ c:\windows\system32\unrar.dll
2009-04-06 22:07 . 2008-12-08 04:08 130,048 --a------ c:\windows\system32\xvidvfw.dll
2009-04-06 22:07 . 2007-09-21 10:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-04-06 22:07 . 2009-03-03 04:10 67,584 --a------ c:\windows\system32\ff_vfw.dll
2009-04-06 22:07 . 2007-07-11 02:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-04-06 22:07 . 2008-10-03 22:30 414 --a------ c:\windows\system32\lame_acm.xml
2009-04-06 21:23 . 2009-04-06 21:23 <DIR> d-------- c:\program files\GOPlayer
2009-04-06 21:18 . 2009-04-06 21:18 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-04-02 10:03 . 2009-04-02 10:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\DeskSoft
2009-04-02 09:54 . 2009-04-02 09:56 <DIR> d-------- c:\program files\BWMeter
2009-04-02 09:54 . 2009-04-02 09:54 <DIR> d-------- c:\documents and settings\Dennis\Application Data\DeskSoft
2009-04-02 09:54 . 2009-04-02 09:54 26,920 --a------ c:\windows\system32\drivers\dsnpfd.sys
2009-04-01 21:27 . 2009-04-01 21:27 <DIR> d-------- c:\documents and settings\Dennis\Application Data\PySolitaire
2009-04-01 21:22 . 2009-04-01 21:22 <DIR> d-------- C:\Python22
2009-04-01 09:14 . 2009-04-01 21:27 <DIR> d-------- c:\program files\PySolitaire
2009-03-30 22:01 . 2009-03-30 22:01 <DIR> d-------- c:\documents and settings\Dennis\.idlerc
2009-03-26 17:47 . 2009-03-26 17:47 <DIR> d-------- c:\program files\Secunia
2009-03-26 10:05 . 2009-03-26 10:05 <DIR> d-------- c:\documents and settings\Dennis\Application Data\TiVo
2009-03-24 21:03 . 2009-03-24 21:03 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2009-03-24 10:39 . 2009-03-24 10:41 <DIR> d-------- c:\program files\DirectShow Dump
2009-03-24 10:35 . 2009-03-24 10:35 <DIR> d-------- c:\program files\TVAP
2009-03-24 10:35 . 2009-03-24 10:35 <DIR> d-------- c:\program files\Common Files\TivoDecode
2009-03-24 10:33 . 2009-03-24 10:33 <DIR> d-------- c:\program files\VideoReDoPlus
2009-03-24 10:33 . 2009-03-24 10:33 <DIR> d-------- c:\documents and settings\Dennis\Application Data\VideoReDoPlus
2009-03-24 09:40 . 2009-03-24 10:18 <DIR> d-------- c:\program files\pyTivo
2009-03-24 09:32 . 2009-04-01 08:17 <DIR> d-------- C:\Python26
2009-03-24 08:58 . 2009-03-24 08:58 <DIR> d-------- c:\program files\TiVoPlayList
2009-03-24 08:58 . 2004-03-09 00:00 1,010,720 --a------ c:\windows\system32\Mschrt20.ocx
2009-03-24 08:58 . 2004-03-09 00:00 260,880 --a------ c:\windows\system32\Msflxgrd.ocx
2009-03-23 14:19 . 2009-03-23 14:45 <DIR> d-------- c:\program files\DVDlabPro2
2009-03-23 14:14 . 2009-03-23 14:17 <DIR> d-------- c:\program files\T2Sami
2009-03-21 18:32 . 2009-03-21 18:32 <DIR> d-------- c:\program files\TiVo
2009-03-21 18:32 . 2009-03-21 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TiVo
2009-03-21 18:04 . 2009-03-21 18:32 <DIR> d-------- c:\program files\Common Files\TiVo Shared
2009-03-21 09:04 . 2009-03-21 18:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-20 22:26 . 2009-03-22 21:59 <DIR> d-------- c:\program files\QuickTime
2009-03-20 22:03 . 2009-03-20 22:03 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-03-20 21:54 . 2009-03-04 23:30 69,936 --a------ c:\windows\system32\drivers\sbapifs.sys
2009-03-20 21:52 . 2008-09-12 09:38 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2009-03-20 21:45 . 2009-03-20 21:45 <DIR> d-------- c:\program files\Apple Software Update
2009-03-20 21:45 . 2009-03-20 21:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-20 21:40 . 2009-03-22 21:57 <DIR> d-------- c:\program files\Bonjour
2009-03-20 10:35 . 2003-05-14 04:50 73,728 -ra------ c:\windows\system32\cnm7C0.tmp
2009-03-19 22:13 . 2009-03-19 22:13 <DIR> d--hs---- c:\documents and settings\Dennis\IECompatCache
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\VoIP
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Usenet
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\TV Radio
2009-03-19 22:12 . 2009-04-02 22:00 <DIR> d-------- C:\Topfield
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Tivo
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Internet Phones
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Forums
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\DVD
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Computer
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Banks Credit Cards Utilities
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Airlines
2009-03-19 22:12 . 2009-03-19 22:12 <DIR> d-------- C:\Admin Other
2009-03-17 13:26 . 2009-03-17 13:26 65,320 --a------ c:\windows\system32\sbbd.exe
2009-03-13 09:00 . 2009-03-13 09:31 <DIR> d-------- c:\program files\Microsoft Visual Studio 8(2)
2009-03-13 08:44 . 2009-03-13 08:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-03-13 07:19 . 2009-01-10 05:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-11 22:25 . 2008-05-14 09:34 1,000,744 --a------ c:\windows\system32\ShellManager10E2D762.dll
2009-03-11 22:25 . 2008-04-10 19:52 648,192 --a------ c:\windows\system32\NEROINSTAEC43759.DB
2009-03-11 22:23 . 2009-03-14 18:24 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Ahead
2009-03-11 22:19 . 2009-03-11 22:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-11 17:12 . 2008-09-14 18:36 25,272 --a------ c:\windows\system32\drivers\purendis.sys
2009-03-11 17:12 . 2008-09-14 18:36 23,992 --a------ c:\windows\system32\drivers\pnarp.sys
2009-03-11 17:11 . 2009-03-11 17:11 <DIR> d-------- c:\program files\Common Files\Pure Networks Shared
2009-03-11 15:50 . 2007-11-06 10:01 3,077,416 --a------ c:\windows\system32\AdvrCntr2D6E0B790.dll
2009-03-11 14:54 . 2009-03-11 14:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ahead
2009-03-11 14:51 . 2009-03-11 14:51 <DIR> d-------- c:\program files\Nero
2009-03-11 14:47 . 2009-03-11 14:47 <DIR> d-------- c:\program files\LG USB Booster
2009-03-11 14:47 . 2007-11-08 00:18 7,936 -ra------ c:\windows\system32\drivers\inidvd.sys
2009-03-11 14:45 . 2007-01-08 22:17 27,168 --------- c:\windows\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 01:11 --------- d-----w c:\program files\PeerGuardian2
2009-04-09 01:11 --------- d-----w c:\documents and settings\Dennis\Application Data\uTorrent
2009-04-09 01:10 --------- d-----w c:\program files\Chameleon Clock
2009-04-08 23:03 --------- d-----w c:\program files\Mozilla Thunderbird
2009-04-08 11:56 --------- d-----w c:\documents and settings\Dennis\Application Data\SolSuite
2009-04-08 00:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-07 05:15 --------- d-----w c:\documents and settings\Dennis\Application Data\NewsLeecher
2009-04-07 03:10 --------- d-----w c:\documents and settings\Dennis\Application Data\Vso
2009-04-06 11:19 --------- d-----w c:\program files\DivX
2009-04-03 12:12 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro
2009-04-03 12:11 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-04-03 12:11 47,360 ----a-w c:\documents and settings\Dennis\Application Data\pcouffin.sys
2009-04-01 23:58 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-31 22:13 --------- d-----w c:\program files\Java
2009-03-24 01:08 --------- d-----w c:\program files\OpenOffice.org 3
2009-03-24 00:27 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-24 00:26 --------- d-----w c:\program files\MSBuild
2009-03-23 04:14 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-20 12:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-20 12:03 --------- d-----w c:\program files\MSECache
2009-03-20 01:48 --------- d-----w c:\program files\Canon
2009-03-11 12:20 --------- d-----w c:\program files\Common Files\Ahead
2009-03-11 07:11 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2009-03-11 05:46 --------- d-----w c:\program files\CyberLink
2009-03-02 22:38 --------- d-----w c:\program files\Nero 9 Micro
2009-03-02 22:37 --------- d-----w c:\program files\Common Files\Nero
2009-02-26 07:30 --------- d-----w c:\program files\LG Software Innovations
2009-02-24 19:35 43,528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-20 11:52 --------- d-----w c:\program files\VSO
2009-02-14 23:33 --------- d-----w c:\program files\uTorrent
2009-02-11 00:39 --------- d-----w c:\program files\Flock
2009-02-11 00:39 --------- d-----w c:\documents and settings\Dennis\Application Data\Flock
2008-10-19 01:54 1,663 ----a-w c:\windows\inf\COM16F.tmp
2008-10-17 12:06 3,579,904 ----a-w c:\documents and settings\Dennis\Application Data\tjender.exe
2008-10-15 11:25 177,152 ----a-w c:\program files\utorrent.exe
2008-08-18 09:47 1,663 ----a-w c:\windows\inf\COM16A.tmp
2008-07-03 03:08 1,663 ----a-w c:\windows\inf\COM169.tmp
2007-08-11 02:37 60,968 ----a-w c:\documents and settings\Dennis\GoToAssistDownloadHelper.exe
2009-02-24 19:34 1,044,480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 200,704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InternodeUsage"="c:\progra~1\INTERN~2\mum.exe" [2008-10-02 1339904]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock.exe" [2007-09-18 699392]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-11-16 313856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-15 270128]
"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"InkSaver"="c:\program files\InkSaver\InkSaver.exe" [2003-10-20 458752]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-03-11 705832]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-03-17 955688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-04 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Dennis\Start Menu\Programs\Startup\
BWMeter.lnk - c:\program files\BWMeter\BWMeter.exe [2009-04-02 403456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-06-20 24576]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-08-24 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-28 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO -viewer-.lnk]
backup=c:\windows\pss\PHOTOfunSTUDIO -viewer-.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^WorldClock.lnk]
backup=c:\windows\pss\WorldClock.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\µTorrent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2007-02-20 14:29 1191936 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-14 00:04 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2008-03-11 12:44 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 18:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 18:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-08-24 15:44 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-05-28 08:27 570664 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-05-02 20:16 184320 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quick Links]
--a------ 2008-04-27 22:43 350720 c:\program files\ToppyTools\Quick Links\Quick-Links.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Record-Monitor]
--a------ 2008-04-27 22:44 242688 c:\program files\ToppyTools\Record Monitor\Record-Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-02-04 09:54 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toppy Monitor]
--a------ 2008-04-27 22:45 153600 c:\program files\ToppyTools\Toppy Monitor\Toppy-Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2009-02-15 09:33 270128 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2008-10-10 14:46 69632 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 18:30 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"scan"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"48228:TCP"= 48228:TCP:utorrent
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-01-12 39472]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-03-20 13360]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-01-23 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-01-23 202928]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-28 10384]
R2 pyTivo;pyTivo;c:\program files\pyTivo\pyTivoService.exe [2008-05-03 77824]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-03-20 69936]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 dsnpfd;DeskSoft Service;c:\windows\system32\drivers\dsnpfd.sys [2009-04-02 26920]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [2009-03-11 7936]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-01-23 65576]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-11-16 102912]
S2 EsetNod32Fix;Nod32 AV;c:\windows\regedit.exe [2004-08-04 146432]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2009-03-17 894248]
S2 ToppyPC Scheduler;ToppyPC Scheduler;c:\program files\JDASoft\ToppyPC\web\bin\Scheduler.exe [2007-09-07 20480]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-03-24 7808]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-22 92464]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2008-05-14 25856]
S3 TFBULK;Topfield USB client driver;c:\windows\system32\drivers\TfBulk.sys [2003-08-26 41996]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
bdx REG_MULTI_SZ sysagent scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-07 c:\windows\Tasks\Defrag Job #00.job
- c:\program files\DiskTrix\UltimateDefrag\UDefrag.exe []

2009-03-02 c:\windows\Tasks\Defrag Job #10.job
- c:\program files\DiskTrix\UltimateDefrag\UDefrag.exe []

2009-04-07 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe []

2009-04-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.abc.net.au/news/
uInternet Connection Wizard,ShellNext = hxxp://desktop.google.com/uninstall-feedback.html?hl=en
uInternet Settings,ProxyOverride = *.local
IE: Download Link Using DownloadStudio...
IE: Download List Of Files Using DownloadStudio...
IE: E&xport to Microsoft Excel
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Subscribe To RSS/Podcast Using DownloadStudio...
TCP: {FC007052-B28C-42BC-B546-6A5D61A1635D} = 192.168.0.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\ydulihqc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.abc.net.au/news
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 11:09:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1655092333-1931390277-1441495213-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E297E0D2-BBDC-E0A9-7599-BCEEEF8A860D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abapgajdadmfdidncldpkekmejkobdfjhd"=hex:61,61,00,00
"bbapgajdadmfdidnclocddbmihcdgdjebcka"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(992)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\python26\python.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-04-09 11:16:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-09 01:16:51
ComboFix2.txt 2008-09-01 01:00:07
ComboFix3.txt 2008-08-25 05:10:29
ComboFix4.txt 2008-08-23 23:46:07
ComboFix5.txt 2009-04-09 00:49:08

Pre-Run: 75,819,028,480 bytes free
Post-Run: 77,592,113,152 bytes free

441 --- E O F --- 2008-09-07 11:12:27

And HijackThis log number 2:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:24 AM, on 9/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\pyTivo\pyTivoService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Python26\python.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\InkSaver\InkSaver.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\BWMeter\BWMeter.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/news/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com.au/ig/dell?hl=en& ... bd=4070620
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9494049687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3660916218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC007052-B28C-42BC-B546-6A5D61A1635D}: NameServer = 192.168.0.1
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: pyTivo - Unknown owner - C:\Program Files\pyTivo\pyTivoService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: ToppyPC Scheduler - JDASoft - C:\Program Files\JDASoft\ToppyPC\web\bin\Scheduler.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12944 bytes

Thanks again for your prompt help.
Regards,
Dennis
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am

Re: Help with Malware (Google redirection etc)

Unread postby dan12 » April 9th, 2009, 1:36 am

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

:utorrent

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

----------------------------



Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)


O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

-----------------------------


Update malwarebytes and do me a full scan,it should work now.


Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Let me see the malwarebytes report plus the kaspersky report

post a fresh HJT log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help with Malware (Google redirection etc)

Unread postby dencar » April 9th, 2009, 4:56 pm

Hi Dan,

I thought I'd lodge an interim report because the Kaspersky scan has been running 7.5 hours but says it is only 31% complete and has only scanned 14500 items compared to the 192000 by malwarebytes.

I have uninstalled utorrent and removed the 3 items you nominated using HijackThis.

The malwarebytes scan report is as follows:

Malwarebytes' Anti-Malware 1.36
Database version: 1955
Windows 5.1.2600 Service Pack 3

9/04/2009 9:54:53 PM
mbam-log-2009-04-09 (21-54-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192067
Time elapsed: 1 hour(s), 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\GOPlayer\Uninstall.exe (Trojan.DNSChanger) -> No action taken.
C:\Program Files\SolSuite\SolSuite.Universal.Patch.exe (Trojan.Downloader) -> No action taken.

I'll report eventually with the Kaspersky report and an HJT log.

Dennis
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am

Re: Help with Malware (Google redirection etc)

Unread postby dan12 » April 9th, 2009, 6:12 pm

Thanks for the returned scan,unfortunately you haven't clicked fix selected items :( so you have to do malwarebytes again.
:) Things should start to seem better now.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help with Malware (Google redirection etc)

Unread postby dencar » April 9th, 2009, 6:41 pm

Oh, OK, I understood you were to check reports before I actioned them. Can I do that while Kaspersky is running? It will be days before it finishes.
Edit: I paused Kaspersky to do the malwarebytes scan and fix.
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am

Re: Help with Malware (Google redirection etc)

Unread postby dan12 » April 9th, 2009, 7:30 pm

Was there a report? will await Kaspersky report.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help with Malware (Google redirection etc)

Unread postby dencar » April 9th, 2009, 7:54 pm

Here is the malwarebytes report. Kaspersky scan resumed.

Malwarebytes' Anti-Malware 1.36
Database version: 1955
Windows 5.1.2600 Service Pack 3

10/04/2009 9:51:35 AM
mbam-log-2009-04-10 (09-51-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193451
Time elapsed: 53 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\GOPlayer\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\SolSuite\SolSuite.Universal.Patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Edit. Kaspersky scan could not be resumed and had to be re-started, losing 9.5 hours. Is it really necessary? Edit2: It was movies causing Kaspersky to go slow; deleting a lot of them sped up the scan, the report of which follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, April 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, April 09, 2009 11:00:31
Records in database: 2026641
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 118593
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 04:36:44


File name / Threat name / Threats count
C:\Program Files\Elaborate Bytes\CloneDVD2\Registration Tool.exe Infected: Trojan-Downloader.Win32.Dadobra.ccn 1
C:\Program Files\LG Software Innovations\1Click DVD Copy Pro\LG.Software.Innovations.Generic.Patch.v0.1-ICU.exe Infected: Trojan.Win32.Delf.bur 1

The selected area was scanned.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:14 PM, on 10/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\pyTivo\pyTivoService.exe
C:\Python26\python.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\InkSaver\InkSaver.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BWMeter\BWMeter.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/news/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client= ... bd=4070620
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9494049687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3660916218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC007052-B28C-42BC-B546-6A5D61A1635D}: NameServer = 192.168.0.1
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: pyTivo - Unknown owner - C:\Program Files\pyTivo\pyTivoService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: ToppyPC Scheduler - JDASoft - C:\Program Files\JDASoft\ToppyPC\web\bin\Scheduler.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12746 bytes
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am

Re: Help with Malware (Google redirection etc)

Unread postby dan12 » April 10th, 2009, 7:00 am

Can I ask, did you set this ip address?
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC007052-B28C-42BC-B546-6A5D61A1635D}: NameServer = 192.168.0.1


Remove the following two files.

C:\Program Files\Elaborate Bytes\CloneDVD2\Registration Tool.exe << This file
C:\Program Files\LG Software Innovations\1Click DVD Copy Pro\LG.Software.Innovations.Generic.Patch.v0.1-ICU.exe << This file

---------------------------

Registry Cleaners

I notice the presence of RegistryFix v7.0 Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html




Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything bad. This may change,read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the the Viewpoint components :
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Viewpoint Media Player , click Remove.


    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.

please let me know how things are now.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help with Malware (Google redirection etc)

Unread postby dencar » April 10th, 2009, 8:08 am

Hello Dan,

I have followed all of your advice to the letter, with the exception of AOL. I can find it in 2 locations only, as an application extension, and I think it may be to do with my Logitech (Dell) mouse. I'll look to see whether Viewpoint player gets created again.

All is working well and I've learnt a few underlying lessons out of the episode. Now I have some procedures to undertake for Sunbelt Software, who make the Vipre anti-virus/anti-malware software I use. I want to know why I have apparently been let down by "active protection" and why deep-scanning didn't find these viruses and deal with them.

Please accept my thanks for your prompt, professional, effective and well-pitched handling of my case.

Regards,
Dennis

Edit. Sorry, I forgot to say that the ip address you mention is the address I assigned to my router.
dencar
Active Member
 
Posts: 10
Joined: April 8th, 2009, 7:15 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 278 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware