

Google Re-Direct Virus - solved?


Name: kbf1981
Date: September 20, 2008 at 16:37:12 Pacific
OS: Windows XP
CPU/Ram: ?
Product: Dell
Comment:

Hi everyone,

I ran through some of the guidelines I saw on here before for the google re-direct virus.

Basically, when I searched for something on Google.co.uk, the results page looked a little funny, and when I tried to click on any of the results, it would re-direct me to go.google.com via a number of different pages to some weird page full of ads.

This looks / sounds exactly like the other guy's problem - i.e. the re-direct virus.

I've downloaded and run Malwarebytes - that deleted 6 things. I've also downloaded and run ComboFix, and it appears to have fixed the search results problem; however, the PC is still:

- running slow
- not letting some sites (e.g. some of the tech forums) load up (it says a connection to them couldn't be established)

Here's my combofix log:

ComboFix 08-09-20.02 - Kiearn 2008-09-20 21:07:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1430 [GMT 1:00]
Running from: C:\Documents and Settings\Kiearn\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\tdsserv.sys
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\twain_16.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.

2008-09-20 20:44 . 2008-09-20 20:44 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Documents and Settings\Kiearn\Application Data\Malwarebytes
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 19:54 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-20 19:54 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 19:11 . 2008-09-20 20:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-18 19:23 . 2008-09-18 19:23 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-08-22 15:26 . 2007-02-07 08:19 921,600 --a------ C:\WINDOWS\system32\CNAP1NSK.DLL
2008-08-22 15:26 . 2007-04-01 16:00 204,800 --a------ C:\WINDOWS\system32\CNAC6EMU.DLL
2008-08-22 15:26 . 2007-04-01 16:00 102,453 --a------ C:\WINDOWS\system32\CNAC6SMK.DLL
2008-08-22 15:26 . 2007-04-02 02:41 63,168 --a------ C:\WINDOWS\system32\CNAC6RPK.exe
2008-08-22 15:26 . 2007-04-01 16:00 32,821 --a------ C:\WINDOWS\system32\CNAC6LMK.DLL
2008-08-22 15:26 . 2007-04-01 16:00 28,672 --a------ C:\WINDOWS\system32\CNAC6PTU.DLL
2008-08-22 15:25 . 2008-08-22 15:26 <DIR> d-------- C:\Program Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-20 19:44 --------- d-----w C:\Program Files\Java
2008-09-19 13:08 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\SmartShopper
2008-09-18 12:41 --------- d-----w C:\Program Files\Lx_cats
2008-09-15 12:22 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\Skype
2008-08-16 15:56 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\Azureus
2008-08-05 09:00 --------- d-----w C:\Program Files\DYMO Label
2008-08-04 21:05 --------- d-----w C:\Program Files\Pure Networks
2008-08-04 21:04 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-08-04 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-08-04 20:31 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-05-08 14:35 56,912 ----a-w C:\Documents and Settings\Kiearn\g2mdlhlpx.exe
2008-02-27 13:47 0 ----a-w C:\Documents and Settings\Kiearn\iexplore.exe
2007-11-02 22:47 0 ----a-w C:\Documents and Settings\Kiearn\helpctr.exe
2002-04-16 10:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\flfnlf.sys
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\rlfnlf.sys
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\TMailRL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [2007-01-16 1335296]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-06-04 6210888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-02-28 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-09-20 140696]
"lxcqmon.exe"="C:\Program Files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]
"EzPrint"="C:\Program Files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]
"LXCQCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.exe" [2005-11-07 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-01 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2004-08-10 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Kiearn\\My Documents\\Software\\Azureus\\Azureus.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"C:\\WINDOWS\\system32\\lxcqcoms.exe"=
"C:\\WINDOWS\\system32\\CNAC6RPK.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"56823:TCP"= 56823:TCP:Pando P2P TCP Listening Port
"56823:UDP"= 56823:UDP:Pando P2P UDP Listening Port
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-20 152984]
R2 lxcq_device;lxcq_device;C:\WINDOWS\system32\lxcqcoms.exe [2006-12-05 537520]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 24911]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8557b3ab-0ba0-11dc-b520-0018de37fefb}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

*Newly Created Service* - TDSSSERV
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Vidalia - C:\Documents and Settings\Kiearn\My Documents\Software\Vidalia Bundle\Vidalia\vidalia.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kiearn\Application Data\Mozilla\Firefox\Profiles\a9zc2nhs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.ekmpowershop.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 21:28:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSjcxe.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\CNAC6RPK.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-20 21:30:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-20 20:30:37

Pre-Run: 51,273,277,440 bytes free
Post-Run: 51,185,958,912 bytes free

207 --- E O F --- 2008-09-13 08:08:31


So....does it look like I've fixed it or not? Is there something else wrong with my PC? I really need to get it fixed for Monday as I use it for work, so any help is VERY appreciated!!!!

Thanks,

KB
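The question above (is the TDSS infection gone?) can be read off the ComboFix log itself: TDSS-named files listed outside "Other Deletions", a TDSSserv service key, or a TDSS image path all mean the rootkit is still present. The Python below is an added example, not code from this thread or from ComboFix; the log excerpt it parses is constructed from the lines posted above, and `triage_combofix_log`, `reinfected_since` and the regular expressions are this example's own names.

```python
"""Triage a ComboFix log for TDSS rootkit persistence indicators.

Added example, not code from the thread or from ComboFix. Section banners
and line layouts follow the ComboFix output quoted in the thread; the
sample log is a constructed excerpt of those lines.
"""
import re
from datetime import datetime
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drivers\tdsserv.sys
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\twain_16.dll
((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
2008-09-20 20:44 . 2008-09-20 20:44 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-20 16:46 . 2008-09-21 18:41 55,296 --a------ C:\WINDOWS\system32\drivers\TDSSjcxe.sys
2008-09-20 16:46 . 2008-09-21 18:42 77,824 --a------ C:\WINDOWS\system32\TDSSdnpn.dll
*Newly Created Service* - TDSSSERV
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSjcxe.sys"
Completion time: 2008-09-21 20:39:40 - machine was rebooted
"""

VERDICT_INFECTED = "still infected: TDSS components survive this run"
VERDICT_CLEAN = "no TDSS indicators remain in this log"

# ComboFix section banner, e.g. "(((((( Other Deletions ))))))".
SECTION_RE = re.compile(r"^\({5,}\s*(.*?)\s*\){5,}\s*$")
# "Files Created" entry: <created> . <modified> <size|<DIR>> <attrs> <path>.
# Assumption: the second stamp is the last-modified time.
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?:[\d,]+|<DIR>)\s+\S+\s+(.+?)\s*$"
)
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]", re.I
)
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\* - (\S+)")
IMAGEPATH_RE = re.compile(r'^"imagepath"="(.+)"', re.I)
# Final path component (or a bare service name) beginning with "tdss".
TDSS_NAME_RE = re.compile(r"(?i)(?:^|\\)tdss[^\\]*$")


def is_tdss_name(path_or_name: str) -> bool:
    """True when the file or service name itself starts with 'tdss'."""
    return TDSS_NAME_RE.search(path_or_name) is not None


def triage_combofix_log(text: str) -> Dict[str, object]:
    """Single pass over the log, tracking the current ComboFix section."""
    section = ""
    deleted: List[str] = []         # TDSS files ComboFix removed this run
    surviving: Dict[str, str] = {}  # TDSS files still listed -> modified stamp
    services: List[str] = []        # TDSS service names / image paths present
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "other deletions" and is_tdss_name(line):
            deleted.append(line)
            continue
        m = CREATED_RE.match(line)
        if m and is_tdss_name(m.group(3)):
            surviving[m.group(3)] = m.group(2)
            continue
        for rx in (SERVICE_KEY_RE, NEW_SERVICE_RE, IMAGEPATH_RE):
            m = rx.match(line)
            if m and is_tdss_name(m.group(1)):
                services.append(m.group(1))
                break
    verdict = VERDICT_INFECTED if (surviving or services) else VERDICT_CLEAN
    return {"deleted": deleted, "surviving": surviving,
            "services": services, "verdict": verdict}


def reinfected_since(report: Dict[str, object], cutoff: str) -> List[str]:
    """Surviving TDSS files modified after `cutoff` ("YYYY-MM-DD HH:MM"),
    typically the completion time of the previous cleanup run: a later stamp
    means the rootkit re-dropped that component after the "cleanup"."""
    limit = datetime.strptime(cutoff, "%Y-%m-%d %H:%M")
    return sorted(
        path for path, stamp in report["surviving"].items()
        if datetime.strptime(stamp, "%Y-%m-%d %H:%M") > limit
    )


if __name__ == "__main__":
    report = triage_combofix_log(SAMPLE_LOG)
    for key in ("deleted", "surviving", "services"):
        print(f"{key}: {report[key]}")
    print("verdict:", report["verdict"])
    # The first ComboFix run in the thread completed 2008-09-20 21:30.
    print("re-dropped since first run:", reinfected_since(report, "2008-09-20 21:30"))
```

Run against the second ComboFix log in the thread, the same check flags the TDSS*.dll and TDSSjcxe.sys entries whose timestamps post-date the first run, which is what the helper's "still infected" verdict rests on.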




Response Number 1
Name: jabuck
Date: September 20, 2008 at 16:55:03 Pacific
Reply:

Appears you are still infected, but I suspect that the moderator will delete this as you posted a log without the request of a helper.

Repost once this thread is deleted and state only the problem.

Also, you can really mess up your computer running these scans with someone assisting you. It's posted, highlighted, quoted ... you name it... these programs will damage your computer, and even then about one out of a hundred get damaged.



Response Number 2
Name: kbf1981
Date: September 20, 2008 at 17:39:52 Pacific
Reply:

Thanks, I just wanted to get rid of it. I didn't see any other option - I can't use my PC with the infection on, and it's stopping me working all weekend like I need / want to.

How do I go about getting rid of the existing infection?



Response Number 3
Name: jabuck
Date: September 20, 2008 at 20:50:43 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 4
Name: kbf1981
Date: September 21, 2008 at 03:14:06 Pacific
Reply:

Here's the log - thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:30, on 21/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxcqcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\CNAC6RPK.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\VM_STI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\WINDOWS\System32\DLA\DLACTRLW.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Kiearn\Desktop\HiJackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.exe VoIPVoice USB Camera
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 9300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.5.0\SmrtShpr.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.tescophoto.com/wpp/tesco...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcq_device - - C:\WINDOWS\system32\lxcqcoms.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11117 bytes



Response Number 5
Name: jabuck
Date: September 21, 2008 at 07:16:21 Pacific
Reply:

We need to run Malwarebytes and Combofix again.

Run Malwarebytes first.

Be sure you follow the instructions in step 6. of Malwarebytes.


1. Click the Malwarebytes icon on your desktop.
2. Click update tab> check for updates
3. Once the program has updated, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

Now, run Combofix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Trend Micro antivirus, and any other antispyware that you may have.

2.
Disable ProcessGuard
A. Right-click the blue lock ProcessGuard icon located in the system tray.
B. Uncheck 'protection enabled'
C. Click yes.
D. Leave it off until we get your computer clean.

3. Run Combofix and save its log.

4. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.

5. Post the new Combofix log.






Response Number 6
Name: kbf1981
Date: September 21, 2008 at 11:14:22 Pacific
Reply:

Here is the Malwarebytes log - I am just about to run Combofix after this reply:

Malwarebytes' Anti-Malware 1.28
Database version: 1186
Windows 5.1.2600 Service Pack 2

21/09/2008 18:57:43
mbam-log-2008-09-21 (18-57-43).txt

Scan type: Quick Scan
Objects scanned: 48864
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.



Response Number 7
Name: kbf1981
Date: September 21, 2008 at 12:45:08 Pacific
Reply:

Here is the NEW combofix log - is it gone?

ComboFix 08-09-20.02 - Kiearn 2008-09-21 20:37:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1494 [GMT 1:00]
Running from: C:\Documents and Settings\Kiearn\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 01:47 . 2008-09-21 01:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-21 01:45 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-09-21 01:40 . 2007-02-28 10:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-09-21 01:40 . 2007-02-28 10:15 2,017,280 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
2008-09-21 00:26 . 2008-09-21 00:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-20 20:49 . 2008-04-14 01:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-09-20 20:48 . 2006-12-28 20:01 19,569 --a------ C:\WINDOWS\[u]0[/u]03440_.tmp
2008-09-20 20:44 . 2008-09-20 20:44 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Documents and Settings\Kiearn\Application Data\Malwarebytes
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 19:54 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-20 19:54 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 19:11 . 2008-09-21 11:18 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-20 16:46 . 2008-09-21 18:42 77,824 --a------ C:\WINDOWS\system32\TDSSdnpn.dll
2008-09-20 16:46 . 2008-09-21 18:41 55,296 --a------ C:\WINDOWS\system32\drivers\TDSSjcxe.sys
2008-09-20 16:46 . 2008-09-21 18:41 36,352 --a------ C:\WINDOWS\system32\TDSSjjsm.dll
2008-09-20 16:46 . 2008-09-21 18:42 29,184 --a------ C:\WINDOWS\system32\TDSSslsm.dll
2008-09-20 16:46 . 2008-09-21 18:41 11,264 --a------ C:\WINDOWS\system32\TDSShpue.dll
2008-09-20 16:46 . 2008-09-21 18:41 10,240 --a------ C:\WINDOWS\system32\TDSSevri.dll
2008-09-18 19:23 . 2008-09-18 19:23 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-08-22 15:26 . 2007-02-07 08:19 921,600 --a------ C:\WINDOWS\system32\CNAP1NSK.DLL
2008-08-22 15:26 . 2007-04-01 16:00 204,800 --a------ C:\WINDOWS\system32\CNAC6EMU.DLL
2008-08-22 15:26 . 2007-04-01 16:00 102,453 --a------ C:\WINDOWS\system32\CNAC6SMK.DLL
2008-08-22 15:26 . 2007-04-02 02:41 63,168 --a------ C:\WINDOWS\system32\CNAC6RPK.exe
2008-08-22 15:26 . 2007-04-01 16:00 32,821 --a------ C:\WINDOWS\system32\CNAC6LMK.DLL
2008-08-22 15:26 . 2007-04-01 16:00 28,672 --a------ C:\WINDOWS\system32\CNAC6PTU.DLL
2008-08-22 15:25 . 2008-08-22 15:26 <DIR> d-------- C:\Program Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 19:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-21 19:13 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\Skype
2008-09-20 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-20 19:44 --------- d-----w C:\Program Files\Java
2008-09-19 13:08 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\SmartShopper
2008-09-18 12:41 --------- d-----w C:\Program Files\Lx_cats
2008-08-16 15:56 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\Azureus
2008-08-05 09:00 --------- d-----w C:\Program Files\DYMO Label
2008-08-04 21:05 --------- d-----w C:\Program Files\Pure Networks
2008-08-04 21:04 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-08-04 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-08-04 20:31 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 17:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-05-08 14:35 56,912 ----a-w C:\Documents and Settings\Kiearn\g2mdlhlpx.exe
2008-02-27 13:47 0 ----a-w C:\Documents and Settings\Kiearn\iexplore.exe
2007-11-02 22:47 0 ----a-w C:\Documents and Settings\Kiearn\helpctr.exe
2002-04-16 10:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\flfnlf.sys
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\rlfnlf.sys
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\TMailRL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-20_21.30.22.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-20 20:25:27 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-21 19:08:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-20 20:25:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-21 19:08:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-21 18:07:22 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
+ 2008-09-21 18:07:23 78,924 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
+ 2004-08-10 11:00:00 11,136 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\sffdisk.sys
+ 2004-08-10 11:00:00 10,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\sffp_sd.sys
+ 2004-08-10 11:00:00 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\intelppm.sys
+ 2004-08-10 11:00:00 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\intelppm.sys
+ 2004-08-10 11:00:00 67,584 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\sdbus.sys
+ 2004-08-12 16:45:54 137,728 ----a-w C:\WINDOWS\system32\ReinstallBackups\0017\DriverFiles\hdaudbus.sys
- 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-08-10 19:46:18 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-10-16 15:10:58 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-08-10 19:46:18 26,488 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2008-09-21 19:31:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [2007-01-16 1335296]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-06-04 6210888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-02-28 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-09-20 140696]
"lxcqmon.exe"="C:\Program Files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]
"EzPrint"="C:\Program Files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]
"LXCQCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.exe" [2005-11-07 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-01 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2004-08-10 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSjcxe.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Kiearn\\My Documents\\Software\\Azureus\\Azureus.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"C:\\WINDOWS\\system32\\lxcqcoms.exe"=
"C:\\WINDOWS\\system32\\CNAC6RPK.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"56823:TCP"= 56823:TCP:Pando P2P TCP Listening Port
"56823:UDP"= 56823:UDP:Pando P2P UDP Listening Port
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-20 152984]
R2 lxcq_device;lxcq_device;C:\WINDOWS\system32\lxcqcoms.exe [2006-12-05 537520]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 24911]
S0 ksbw;ksbw;C:\WINDOWS\system32\drivers\tmfgw.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8557b3ab-0ba0-11dc-b520-0018de37fefb}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kiearn\Application Data\Mozilla\Firefox\Profiles\a9zc2nhs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.ekmpowershop.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 20:40:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
.
Completion time: 2008-09-21 20:41:48
ComboFix-quarantined-files.txt 2008-09-21 19:41:41
ComboFix2.txt 2008-09-20 20:30:41

Pre-Run: 50,742,050,816 bytes free
Post-Run: 50,729,553,920 bytes free

230 --- E O F --- 2008-09-21 00:49:32


0

Response Number 8
Name: jabuck
Date: September 21, 2008 at 13:02:54 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\system32\TDSSdnpn.dll
C:\WINDOWS\system32\drivers\TDSSjcxe.sys
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\TDSSslsm.dll
C:\WINDOWS\system32\TDSShpue.dll
C:\WINDOWS\system32\TDSSevri.dll

Driver::
TDSSjcxe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSjcxe.sys]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".

Post a new Combofix log following the procedure in response #5.


0
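
The CFScript above was written by hand from the log in the previous post. As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that reads the "Files Created" and "Reg Loading Points" lines of a ComboFix log, picks out the TDSS-named droppings in system32 and the SafeBoot/Services keys that load them, and drafts the same File::/Driver::/Registry:: sections. The sample log text is a constructed extract of the lines posted above; the TDSS name pattern and the log's line layout are assumptions.

```python
"""Triage a ComboFix log for TDSS-style files and draft a CFScript.

Added example; not the thread's or ComboFix's code. The CFScript section
names (KILLALL::, File::, Driver::, Registry::) are the ones used in the
reply above; everything else here is assumed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: a few "Files Created" lines and two registry keys
# lifted from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
2008-09-20 20:44 . 2008-09-20 20:44 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-20 16:46 . 2008-09-21 18:42 77,824 --a------ C:\WINDOWS\system32\TDSSdnpn.dll
2008-09-20 16:46 . 2008-09-21 18:41 55,296 --a------ C:\WINDOWS\system32\drivers\TDSSjcxe.sys
2008-09-20 16:46 . 2008-09-21 18:41 36,352 --a------ C:\WINDOWS\system32\TDSSjjsm.dll
2008-08-22 15:26 . 2007-04-02 02:41 63,168 --a------ C:\WINDOWS\system32\CNAC6RPK.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSjcxe.sys]
@="driver"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
"""

# Assumed layout of a "Files Created" line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Assumed family naming: TDSS + random letters, seen in this thread's logs.
TDSS_NAME = re.compile(r"^tdss\w*", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
LOADER_KEY = re.compile(r"\\(SafeBoot|Services)\\", re.IGNORECASE)
STAMP = "%Y-%m-%d %H:%M"


@dataclass
class Triage:
    files: list = field(default_factory=list)      # File:: entries
    drivers: list = field(default_factory=list)    # Driver:: service names
    registry: list = field(default_factory=list)   # Registry:: keys to delete
    rewritten: list = field(default_factory=list)  # modified after creation


def triage(log_text: str) -> Triage:
    """Collect TDSS-named files and the keys that load them."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            path = m["path"]
            name = path.rsplit("\\", 1)[-1]
            if m["size"] != "<DIR>" and SYSTEM32.search(path) and TDSS_NAME.match(name):
                t.files.append(path)
                if name.lower().endswith(".sys"):
                    # Driver:: wants the service name; for this family it
                    # equals the .sys file stem (TDSSjcxe in the reply above).
                    t.drivers.append(name[:-4])
                # A modified stamp later than creation means the file was
                # rewritten after it first appeared: the loader is still live.
                if datetime.strptime(m["modified"], STAMP) > datetime.strptime(m["created"], STAMP):
                    t.rewritten.append(path)
            continue
        k = REG_KEY.match(line)
        if k:
            key = k["key"]
            leaf = key.rsplit("\\", 1)[-1]
            if TDSS_NAME.match(leaf) and LOADER_KEY.search(key):
                t.registry.append(key)
    return t


def render_cfscript(t: Triage) -> str:
    """Emit the draft in the section layout used by the reply above."""
    out = ["KILLALL::", "File::", *t.files, ""]
    if t.drivers:
        out += ["Driver::", *t.drivers, ""]
    if t.registry:
        out += ["Registry::", *[f"[-{k}]" for k in t.registry], ""]
    return "\n".join(out)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(render_cfscript(result))
    for p in result.rewritten:
        print("rewritten after creation:", p)
```

Review the draft before using it: the script only recognises the naming pattern seen in this thread, so anything the family drops under another name still needs a human eye on the log.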

Response Number 9
Name: kbf1981
Date: September 21, 2008 at 13:34:18 Pacific
Reply:

Here's the new ComboFix log after doing the above:


ComboFix 08-09-20.05 - Kiearn 2008-09-21 21:13:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1599 [GMT 1:00]
Running from: C:\Documents and Settings\Kiearn\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kiearn\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\drivers\TDSSjcxe.sys
C:\WINDOWS\system32\TDSSdnpn.dll
C:\WINDOWS\system32\TDSSevri.dll
C:\WINDOWS\system32\TDSShpue.dll
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\TDSSslsm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\TDSSjcxe.sys
C:\WINDOWS\system32\TDSSdnpn.dll
C:\WINDOWS\system32\TDSSevri.dll
C:\WINDOWS\system32\TDSShpue.dll
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\TDSSslsm.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 01:47 . 2008-09-21 01:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-21 01:45 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-09-21 01:40 . 2007-02-28 10:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-09-21 01:40 . 2007-02-28 10:15 2,017,280 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
2008-09-21 00:26 . 2008-09-21 00:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-20 20:49 . 2008-04-14 01:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-09-20 20:48 . 2006-12-28 20:01 19,569 --a------ C:\WINDOWS\003440_.tmp
2008-09-20 20:44 . 2008-09-20 20:44 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Documents and Settings\Kiearn\Application Data\Malwarebytes
2008-09-20 19:54 . 2008-09-20 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 19:54 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-20 19:54 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 19:11 . 2008-09-21 11:18 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-18 19:23 . 2008-09-18 19:23 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-08-22 15:26 . 2007-02-07 08:19 921,600 --a------ C:\WINDOWS\system32\CNAP1NSK.DLL
2008-08-22 15:26 . 2007-04-01 16:00 204,800 --a------ C:\WINDOWS\system32\CNAC6EMU.DLL
2008-08-22 15:26 . 2007-04-01 16:00 102,453 --a------ C:\WINDOWS\system32\CNAC6SMK.DLL
2008-08-22 15:26 . 2007-04-02 02:41 63,168 --a------ C:\WINDOWS\system32\CNAC6RPK.exe
2008-08-22 15:26 . 2007-04-01 16:00 32,821 --a------ C:\WINDOWS\system32\CNAC6LMK.DLL
2008-08-22 15:26 . 2007-04-01 16:00 28,672 --a------ C:\WINDOWS\system32\CNAC6PTU.DLL
2008-08-22 15:25 . 2008-08-22 15:26 <DIR> d-------- C:\Program Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 19:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-21 19:13 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\Skype
2008-09-20 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-20 19:44 --------- d-----w C:\Program Files\Java
2008-09-19 13:08 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\SmartShopper
2008-09-18 12:41 --------- d-----w C:\Program Files\Lx_cats
2008-08-16 15:56 --------- d-----w C:\Documents and Settings\Kiearn\Application Data\Azureus
2008-08-05 09:00 --------- d-----w C:\Program Files\DYMO Label
2008-08-04 21:05 --------- d-----w C:\Program Files\Pure Networks
2008-08-04 21:04 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-08-04 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-08-04 20:31 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-05-08 14:35 56,912 ----a-w C:\Documents and Settings\Kiearn\g2mdlhlpx.exe
2008-02-27 13:47 0 ----a-w C:\Documents and Settings\Kiearn\iexplore.exe
2007-11-02 22:47 0 ----a-w C:\Documents and Settings\Kiearn\helpctr.exe
2002-04-16 10:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\flfnlf.sys
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\rlfnlf.sys
1998-03-20 00:00 1,048 --sha-w C:\WINDOWS\system32\TMailRL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-20_21.30.22.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-20 20:25:27 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-21 19:08:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-20 20:25:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-21 19:08:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-21 18:07:22 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
+ 2008-09-21 18:07:23 78,924 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
+ 2004-08-10 11:00:00 11,136 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\sffdisk.sys
+ 2004-08-10 11:00:00 10,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\sffp_sd.sys
+ 2004-08-10 11:00:00 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\intelppm.sys
+ 2004-08-10 11:00:00 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\intelppm.sys
+ 2004-08-10 11:00:00 67,584 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\sdbus.sys
+ 2004-08-12 16:45:54 137,728 ----a-w C:\WINDOWS\system32\ReinstallBackups\0017\DriverFiles\hdaudbus.sys
- 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-08-10 19:46:18 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-10-16 15:10:58 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-08-10 19:46:18 26,488 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2008-09-21 20:17:18 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_204.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [2007-01-16 1335296]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-06-04 6210888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2005-02-28 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-09-20 140696]
"lxcqmon.exe"="C:\Program Files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]
"EzPrint"="C:\Program Files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]
"LXCQCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.exe" [2005-11-07 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-01 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2004-08-10 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Kiearn\\My Documents\\Software\\Azureus\\Azureus.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"C:\\WINDOWS\\system32\\lxcqcoms.exe"=
"C:\\WINDOWS\\system32\\CNAC6RPK.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"56823:TCP"= 56823:TCP:Pando P2P TCP Listening Port
"56823:UDP"= 56823:UDP:Pando P2P UDP Listening Port
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-20 152984]
R2 lxcq_device;lxcq_device;C:\WINDOWS\system32\lxcqcoms.exe [2006-12-05 537520]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 24911]
S0 ksbw;ksbw;C:\WINDOWS\system32\drivers\tmfgw.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8557b3ab-0ba0-11dc-b520-0018de37fefb}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 21:18:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\CNAC6RPK.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-21 21:28:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-21 20:28:03
ComboFix2.txt 2008-09-21 19:41:49
ComboFix3.txt 2008-09-20 20:30:41

Pre-Run: 50,710,163,456 bytes free
Post-Run: 50,695,798,784 bytes free

232 --- E O F --- 2008-09-21 00:49:32


0

Response Number 10
Name: jabuck
Date: September 21, 2008 at 14:00:37 Pacific
Reply:

Looks a lot better, need to check this one file.

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Please go to Virus Total and upload the following file for analysis:

C:\WINDOWS\system32\drivers\tmfgw.sys

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.


0

Response Number 11
Name: kbf1981
Date: September 21, 2008 at 14:17:55 Pacific
Reply:

I've done the above but the file doesn't appear to be on the computer.

I even double-checked the files were all showing (not hidden) again, and still...nothing there.

After that I c&p'd the C: file location into firefox...and firefox said:

Firefox can't find the file at /C:/WINDOWS/system32/drivers/tmfgw.sys.

* Check the file name for capitalisation or other typing errors.

* Check to see if the file was moved, renamed or deleted.


What does this mean? Thanks for your help!


0

Response Number 12
Name: jabuck
Date: September 21, 2008 at 14:26:44 Pacific
Reply:

It shows up as a service on the Combofix log, maybe backweb from a camera/video software installation but I am not sure.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


0

Response Number 13
Name: kbf1981
Date: September 22, 2008 at 05:28:47 Pacific
Reply:

Here is the Kaspersky log - it found a few things:

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 22, 2008 08:53:24
Records in database: 1249351
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 72278
Threat name: 7
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 02:54:16


File name / Threat name / Threats count
C:\Documents and Settings\Kiearn\My Documents\Software\sdsetup.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0175390.sys Infected: Backdoor.Win32.Agent.roc 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSevri.dll.vir Infected: Backdoor.Win32.Agent.rfw 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\TDSShpue.dll.vir Infected: Backdoor.Win32.Agent.rfv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\tdssl.dll.vir Infected: Backdoor.Win32.UltimateDefender.gen 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\tdsslog.dll.vir Infected: Backdoor.Win32.Agent.rfv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\tdssmain.dll.vir Infected: Backdoor.Win32.Agent.rfw 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\tdssserf.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.kf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSdnpn.dll.vir Infected: Rootkit.Win32.Clbd.kf 1

The selected area was scanned.



Response Number 14
Name: jabuck
Date: September 22, 2008 at 14:47:30 Pacific
Reply:

This file:

C:\Documents and Settings\Kiearn\My Documents\Software\sdsetup.exe

Is part of Ultimate Troubleshooter...I suppose you are running UT.

Navigate to and delete the contents of this folder but not the folder itself:

C:\Program Files\Trend Micro\Internet Security\Quarantine

Empty the recycle bin.

Go to start> run> type in combofix /u (note the space after combofix) then press enter. This will uninstall combofix and its quarantine folder C:\Qoobox.

Your computer should be clean, how is it operating?


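Added example (not code from this thread or from either poster): a small parser for the Kaspersky Online Scanner 7 report format posted above. It separates detections that already sit in a quarantine store (Trend Micro's Quarantine folder, ComboFix's C:\QooBox, files renamed to .vir) from detections on live files, which is the distinction the reply above relies on when it says only the quarantine folders need emptying. The sample report lines are a constructed subset of the posted log.

```python
"""Triage a Kaspersky Online Scanner 7 report: live detections vs. quarantined copies."""
import re
from collections import Counter

# Constructed sample, abbreviated from the report posted in the thread.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Kiearn\My Documents\Software\sdsetup.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.dq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0175390.sys Infected: Backdoor.Win32.Agent.roc 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\tdssl.dll.vir Infected: Backdoor.Win32.UltimateDefender.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.kf 1

The selected area was scanned.
"""

# Path fragments that mark an already-neutralised copy rather than running code.
QUARANTINE_MARKERS = (
    "\\quarantine\\",   # Trend Micro (and most AV products) quarantine store
    "\\qoobox\\",       # ComboFix quarantine root
)

# One detection per line: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

def parse_report(text):
    """Return (path, threat, count) tuples for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits

def is_quarantined(path):
    """True if the file lives in a quarantine store or carries ComboFix's .vir suffix."""
    lower = path.lower()
    return any(marker in lower for marker in QUARANTINE_MARKERS) or lower.endswith(".vir")

def triage(text):
    """Split detections into live vs. quarantined and count threat families overall."""
    live, quarantined = [], []
    for hit in parse_report(text):
        (quarantined if is_quarantined(hit[0]) else live).append(hit)
    families = Counter(threat.split(".")[0] for _, threat, _ in live + quarantined)
    return {"live": live, "quarantined": quarantined, "families": families}

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['live'])} live, {len(result['quarantined'])} quarantined")
    for path, threat, _ in result["live"]:
        print("LIVE:", threat, path)
```

Anything listed under "live" still needs a decision (here the keylogger-class monitor in sdsetup.exe, which the reply identifies as a known tool); everything else is disposed of by clearing the quarantine folders.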

Response Number 15
Name: kbf1981
Date: September 22, 2008 at 15:18:11 Pacific
Reply:

It's running very fast and seems fine.

Did it look fine from the log?

Thanks for all the help, you've been a God-send.



Response Number 16
Name: jabuck
Date: September 22, 2008 at 16:08:58 Pacific
Reply:

Yes, glad we could help.


