yahoo search redirects

Dell / DIMENSION 4300S
December 28, 2008 at 18:08:00
Specs: Windows XP, Pentium 4, 512 MB RAM
I am experiencing redirects when I do a yahoo search. I already did all the steps recommended in the following post http://www.computing.net/answers/se... with no luck. Please help.





#1
December 28, 2008 at 18:20:09
First try this:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
Highlight that driver and right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer.

If that did not work, go to Start > Run, type cmd and press Enter or OK.
Type ipconfig /flushdns (the space between g and / is needed).

Then press Enter, type Exit, press Enter again, and try to connect to the internet.

If that did not work, try Safe Mode with Networking. Restart your computer;
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select Safe Mode with Networking, then press "Enter".
Choose your usual account.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename mbam-setup.exe to tool.exe, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

For HijackThis, if it will not run, rename the HijackThis.exe file to somethingelse.exe and try installing it again.



#2
December 30, 2008 at 07:56:13
Hello and thank you for your reply,

I did the following:

1. I did not see TDSSserv.sys as you described. However, I did see "BeatTrojanHelperOne" and "msqpdxserv.sys", both of which had a yellow exclamation point on them. I disabled both. This did not work. Should I re-enable these?

2. I did the flushdns as you described. This seemed like it worked for a little while, but the redirects quickly started to happen again.

3. I ran Malwarebytes with the following log:

Malwarebytes' Anti-Malware 1.31
Database version: 1574
Windows 5.1.2600 Service Pack 3

2008-12-30 10:33:57 AM
mbam-log-2008-12-30 (10-33-57).txt

Scan type: Quick Scan
Objects scanned: 59792
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50 85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{228b52bf-d8f8-42ac-8628-5d1fe64f5205}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50 85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{228b52bf-d8f8-42ac-8628-5d1fe64f5205}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50 85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{228b52bf-d8f8-42ac-8628-5d1fe64f5205}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.50,85.255.112.154 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

4. I did a HijackThis scan with the following log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:51 AM, on 2008-12-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Katie McNulty\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yc...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrob...
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MoSo Anti-Malware Real-Time Monitor - Unknown owner - C:\Program Files\MoSo Anti-Malware\MsamSvc.exe (file missing)
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11225 bytes


Thanks for your help. I look forward to a follow up reply.
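The Malwarebytes log in this post shows the hijack itself: every NameServer and DhcpNameServer value under Tcpip\Parameters, in all three control sets, had been pointed at 85.255.115.50 and 85.255.112.154, which is why flushing the DNS cache only helped for a moment. As an added example (my own code, not from the thread or from Malwarebytes), the Python below audits those values the way a defender would: it splits each value the two ways Windows stores them (space- or comma-separated, both of which appear in the log), checks every resolver against a list of networks the machine is expected to use, and works out which resolver each interface will actually query, since a non-empty static NameServer takes precedence over DhcpNameServer. The dictionary of values, the 192.168.1.1 router address and the trusted-network list are constructed for the example; on a live machine you would fill the dictionary from the registry.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of the resolver values under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, keyed by the value's
# path below Services. The two 85.255.x.x addresses are the ones Malwarebytes
# reported in the log above; 192.168.1.1 is an invented home-router resolver.
SAMPLE_RESOLVER_VALUES: Dict[str, str] = {
    r"Tcpip\Parameters\NameServer": "85.255.115.50 85.255.112.154",
    r"Tcpip\Parameters\Interfaces\{228b52bf-d8f8-42ac-8628-5d1fe64f5205}\NameServer":
        "85.255.115.50,85.255.112.154",
    r"Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\DhcpNameServer":
        "192.168.1.1",
    r"Tcpip\Parameters\Interfaces\{2c99dc04-ce95-4446-8227-7bf4facfe54a}\NameServer": "",
}

# Assumption: resolvers this machine is expected to use (the LAN router here);
# replace with your ISP's or organisation's resolver networks.
TRUSTED_RESOLVER_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

INTERFACE_RE = re.compile(r"Interfaces\\(\{[^}]+\})\\(NameServer|DhcpNameServer)$")


def split_nameserver_value(value: str) -> List[str]:
    """NameServer is a plain string; Windows accepts entries separated by spaces
    or commas, and both forms appear in the Malwarebytes log above."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]


def is_trusted_resolver(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_RESOLVER_NETWORKS)


def audit_resolvers(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (registry path, resolver) for every resolver outside the trusted set."""
    findings = []
    for path, raw in values.items():
        for server in split_nameserver_value(raw):
            if not is_trusted_resolver(server):
                findings.append((path, server))
    return findings


def effective_resolvers(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Per interface GUID, the resolvers Windows will actually query: a non-empty
    static NameServer takes precedence over the DHCP-supplied DhcpNameServer."""
    per_iface: Dict[str, Dict[str, List[str]]] = {}
    for path, raw in values.items():
        m = INTERFACE_RE.search(path)
        if m:
            guid, kind = m.groups()
            per_iface.setdefault(guid, {})[kind] = split_nameserver_value(raw)
    return {guid: kinds.get("NameServer") or kinds.get("DhcpNameServer", [])
            for guid, kinds in per_iface.items()}


if __name__ == "__main__":
    for path, server in audit_resolvers(SAMPLE_RESOLVER_VALUES):
        print(f"untrusted resolver {server} in {path}")
    for guid, servers in effective_resolvers(SAMPLE_RESOLVER_VALUES).items():
        print(f"{guid}: effective resolvers {servers or '(none set)'}")
```

Run against the sample, the audit reports four untrusted entries (two addresses in each of the two hijacked NameServer values) and shows that the first interface would query the foreign resolvers while the second still uses its DHCP-assigned router. The point of the effective-resolver view is that a hijack of a single interface's static NameServer is enough to redirect searches even when DhcpNameServer looks normal.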



#3
December 30, 2008 at 16:05:24

No need to re-enable them.

Once you have SDFix downloaded, go offline, turn off your antivirus and any antispyware that you have, run SDFix from Safe Mode, and restart the antivirus before you go back online to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



#4
December 30, 2008 at 17:32:34

[b]SDFix: Version 1.240 [/b]
Run by Katie McNulty on 2008-12-30 at 08:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found


Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 20:23:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxmqltofxh.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxmqltofxh.sys"
"msqpdxl"="\systemroot\system32\msqpdxosvdnrsr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxmqltofxh.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxmqltofxh.sys"
"msqpdxl"="\systemroot\system32\msqpdxosvdnrsr.dll"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:

Wed 29 Aug 2007 3,254 A..H. --- "C:\Program Files\SpiralFrog\BIT74.tmp"
Wed 29 Aug 2007 3,254 A..H. --- "C:\Program Files\SpiralFrog\BIT75.tmp"
Mon 3 Nov 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 29 Aug 2000 557,056 A..H. --- "C:\Program Files\Dell\Backup\DellBckp.exe"
Sat 20 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 15 Oct 2003 74,752 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL0595.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL0720.tmp"
Wed 15 Oct 2003 74,752 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL0735.tmp"
Wed 15 Oct 2003 114,688 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL0837.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL0892.tmp"
Wed 15 Oct 2003 180,736 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL1339.tmp"
Wed 15 Oct 2003 190,464 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL1362.tmp"
Wed 15 Oct 2003 73,728 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL1376.tmp"
Wed 15 Oct 2003 114,688 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL1436.tmp"
Wed 15 Oct 2003 74,240 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL1765.tmp"
Wed 15 Oct 2003 72,704 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL1888.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL2610.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL2921.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL3062.tmp"
Wed 15 Oct 2003 72,704 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL3175.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL3198.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL3721.tmp"
Wed 15 Oct 2003 89,088 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL3768.tmp"
Wed 15 Oct 2003 114,176 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\My Documents\~WRL4003.tmp"
Wed 22 Oct 2003 4,348 A.SH. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 20 Nov 2004 400 A.SH. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sat 20 Nov 2004 48 A.SH. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Wed 15 Oct 2003 74,752 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL0595.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL0720.tmp"
Wed 15 Oct 2003 74,752 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL0735.tmp"
Wed 15 Oct 2003 114,688 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL0837.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL0892.tmp"
Wed 15 Oct 2003 180,736 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL1339.tmp"
Wed 15 Oct 2003 190,464 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL1362.tmp"
Wed 15 Oct 2003 73,728 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL1376.tmp"
Wed 15 Oct 2003 114,688 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL1436.tmp"
Wed 15 Oct 2003 74,240 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL1765.tmp"
Wed 15 Oct 2003 72,704 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL1888.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL2610.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL2921.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL3062.tmp"
Wed 15 Oct 2003 72,704 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL3175.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL3198.tmp"
Wed 15 Oct 2003 73,216 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL3721.tmp"
Wed 15 Oct 2003 89,088 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL3768.tmp"
Wed 15 Oct 2003 114,176 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\~WRL4003.tmp"
Thu 29 Jan 2004 23,552 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\LHA\~WRL0123.tmp"
Thu 29 Jan 2004 22,528 A..H. --- "C:\Documents and Settings\All Users\Documents\Old Hard Drive\Documents and Settings\Katie\My Documents\LHA\~WRL0283.tmp"

[b]Finished![/b]
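The catchme section of that SDFix report is the informative part: the scan found a service key, msqpdxserv.sys, that a normal registry view did not show, present in both CurrentControlSet and ControlSet002, set to start with the system as a kernel driver, and pointing at \systemroot\system32\drivers\msqpdxmqltofxh.sys rather than at the msqpdxserv.sys file Malwarebytes had already quarantined. As an added example (my own code, not part of SDFix, catchme or the thread), the Python below parses that hidden-service dump: it collects each service's start type, service type, image path and module list across control sets, decodes the dword values into the documented Windows service constants, and flags a driver that loads before logon or whose image file name does not match its service name. The sample text is the two service blocks quoted above, embedded as a constant; the name-mismatch flag is a triage heuristic, not a rule.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the "hidden services & system hive" section of the catchme
# output quoted above, reduced to the two service blocks it reported.
SAMPLE_CATCHME_OUTPUT = r"""
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxmqltofxh.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxmqltofxh.sys"
"msqpdxl"="\systemroot\system32\msqpdxosvdnrsr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxmqltofxh.sys"
"group"="file system"

scanning hidden registry entries ...
"""

# Documented values of a service key's "Start" and "Type" registry values.
START_NAMES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
TYPE_NAMES = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
              0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d+)"
    r"\\Services\\([^\\]+)(?:\\(modules))?$")


def _parse_value(raw: str) -> Any:
    """Decode the value syntax catchme prints: dword:HEX, str(N):"...", or "..."."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r'^(?:str\(\d+\):)?"(.*)"$', raw)
    return m.group(1) if m else raw


def parse_reg_dump(text: str) -> Dict[str, Dict[str, Any]]:
    """Turn the [key] / "name"=value lines into {key path: {name: value}}."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group(1), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group(1)] = _parse_value(vm.group(2))
    return keys


def _basename_stem(path: str) -> str:
    """File name without directory or extension, case-folded."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def summarize_hidden_services(keys: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Merge the per-control-set blocks into one record per hidden service."""
    services: Dict[str, Dict[str, Any]] = {}
    for path, values in keys.items():
        m = SERVICE_KEY_RE.match(path)
        if not m:
            continue
        control_set, name, sub = m.groups()
        rec = services.setdefault(name, {"service": name, "control_sets": set(),
                                         "modules": {}, "flags": []})
        rec["control_sets"].add(control_set)
        if sub == "modules":
            rec["modules"].update(values)
            continue
        for field, names in (("start", START_NAMES), ("type", TYPE_NAMES)):
            if field in values and field not in rec:
                rec[field] = names.get(values[field], values[field])
        if "imagepath" in values and "imagepath" not in rec:
            rec["imagepath"] = values["imagepath"]
    for rec in services.values():
        rec["control_sets"] = sorted(rec["control_sets"])
        if rec.get("type") == "KERNEL_DRIVER" and rec.get("start") in ("BOOT_START", "SYSTEM_START"):
            rec["flags"].append("kernel driver loads before logon")
        image = rec.get("imagepath")
        if image and _basename_stem(image) != _basename_stem(rec["service"]):
            rec["flags"].append("image name differs from service name")
    return list(services.values())


if __name__ == "__main__":
    for rec in summarize_hidden_services(parse_reg_dump(SAMPLE_CATCHME_OUTPUT)):
        print(rec)
```

On the sample this yields one record: service msqpdxserv.sys in two control sets, SYSTEM_START, KERNEL_DRIVER, image msqpdxmqltofxh.sys, two modules, and both flags raised. Because the same key exists in ControlSet002, a cleanup that only touches CurrentControlSet would be undone by a "Last Known Good" boot, which is why the merged view lists every control set the service appears in.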



#5
December 30, 2008 at 17:51:34
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Drivers to delete:
msqpdxserv

Files to delete:
C:\Windows\system32\drivers\msqpdxmqltofxh.sys
C:\Windows\system32\msqpdxosvdnrsr.dll
C:\Windows\system32\drivers\msqpdxserv.sys
C:\Windows\system32\msqpdxserv.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.



#6
December 30, 2008 at 18:25:55
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\drivers\msqpdxmqltofxh.sys" not found!
Deletion of file "C:\Windows\system32\drivers\msqpdxmqltofxh.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\msqpdxosvdnrsr.dll" not found!
Deletion of file "C:\Windows\system32\msqpdxosvdnrsr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "C:\Windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\msqpdxserv.sys" not found!
Deletion of file "C:\Windows\system32\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



#7
December 30, 2008 at 18:54:34

Looks better. Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab

O23 - Service: MoSo Anti-Malware Real-Time Monitor - Unknown owner - C:\Program Files\MoSo Anti-Malware\MsamSvc.exe (file missing)

Exit Hijack This.

Go to Start > Run, type in the following lines one at a time and press OK after each entry (the service name contains spaces, so it must be quoted or sc only sees the first word):


sc stop "MoSo Anti-Malware Real-Time Monitor"
sc delete "MoSo Anti-Malware Real-Time Monitor"

Exit Run Command.

Please download ComboFix to the desktop from one of the following links:

Link 1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Norton antivirus, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.



#8
December 31, 2008 at 06:11:28
ComboFix 08-12-30.02 - Katie McNulty 2008-12-31 9:04:00.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.116 [GMT -5:00]
Running from: c:\documents and settings\Katie McNulty\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-30 19:59 . 2008-12-30 20:26 <DIR> d-------- C:\SDFix
2008-12-30 10:21 . 2008-12-30 10:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 10:21 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 10:21 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 09:12 . 2008-12-30 09:12 <DIR> d-------- c:\documents and settings\Katie McNulty\Application Data\Runaware
2008-12-30 09:12 . 2008-12-30 09:12 <DIR> d-------- c:\documents and settings\Katie McNulty\Application Data\ICAClient
2008-12-28 21:13 . 2008-12-31 08:59 <DIR> d-------- c:\documents and settings\Katie McNulty\Application Data\skypePM
2008-12-28 21:13 . 2008-12-28 21:13 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-12-28 21:11 . 2008-12-28 21:11 <DIR> d-------- c:\program files\Skype
2008-12-28 21:11 . 2008-12-28 21:11 <DIR> d-------- c:\program files\Common Files\Skype
2008-12-28 21:11 . 2008-12-31 09:07 <DIR> d-------- c:\documents and settings\Katie McNulty\Application Data\Skype
2008-12-28 21:10 . 2008-12-28 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-12-28 20:45 . 2008-07-26 10:26 4,658,584 -ra------ c:\windows\system32\drivers\lvuvc.sys
2008-12-28 20:42 . 2008-12-28 20:42 127,034 -r------- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2008-12-28 20:40 . 2008-12-28 20:45 <DIR> d-------- c:\program files\Common Files\LogiShrd
2008-12-28 20:40 . 2008-12-28 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-12-28 20:40 . 2008-12-30 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logishrd
2008-12-28 20:38 . 2008-12-28 20:38 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-28 20:19 . 2008-12-31 09:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 20:18 . 2008-12-31 08:47 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-28 20:12 . 2008-12-28 20:12 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-28 17:23 . 2008-12-28 17:23 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-28 17:20 . 2008-12-28 17:20 <DIR> d-------- c:\windows\ERUNT
2008-12-28 16:56 . 2008-12-28 16:56 <DIR> d-------- c:\program files\Analog Devices
2008-12-25 08:39 . 2008-12-28 16:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\MumboJumbo
2008-12-07 12:42 . 2008-12-28 16:50 <DIR> d-------- c:\program files\MoSo Anti-Malware
2008-11-27 11:44 . 2008-11-27 11:45 <DIR> d-------- c:\program files\iTunes
2008-11-27 11:44 . 2008-11-27 11:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 21:08 . 2008-11-27 12:31 <DIR> d-------- c:\program files\QuickTime
2008-11-25 21:07 . 2008-11-25 21:07 <DIR> d-------- c:\program files\Xvid
2008-11-25 20:34 . 2008-11-25 20:34 <DIR> d-------- c:\documents and settings\Katie McNulty\Application Data\Malwarebytes
2008-11-25 20:34 . 2008-11-25 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 20:04 . 2008-11-25 21:08 <DIR> d-------- c:\program files\iTunes(2)
2008-11-23 20:01 . 2008-11-25 21:08 <DIR> d-------- c:\program files\QuickTime(2)
2008-11-15 08:18 . 2008-11-15 08:18 800 --a------ c:\windows\hpinfo.lnk
2008-11-15 08:16 . 2008-11-15 08:16 376 --a------ c:\windows\mozregistry.dat
2008-11-15 08:15 . 2008-11-15 08:18 <DIR> d-------- c:\program files\hp deskjet 960c series
2008-11-15 08:15 . 2008-11-15 08:16 <DIR> d-------- c:\program files\Hewlett-Packard
2008-11-11 20:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 20:10 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 19:19 . 2008-04-13 14:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-04 19:19 . 2008-04-13 14:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-04 19:14 . 2008-11-04 19:14 <DIR> d-------- c:\documents and settings\Katie McNulty\Application Data\InstallShield
2008-11-04 19:13 . 2008-11-04 19:13 <DIR> d-------- c:\program files\Common Files\Remote Control USB Driver
2008-11-04 19:11 . 2008-11-04 19:16 <DIR> d-------- c:\documents and settings\Katie McNulty\Logitech
2008-11-04 19:03 . 2008-11-04 19:13 <DIR> d-------- c:\program files\Common Files\Remote Control Software Shared
2008-11-04 19:02 . 2008-11-04 19:02 118,784 -r------- c:\windows\bwUnin-7.2.0.157-8876480SL.exe
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-03 20:53 . 2008-11-03 20:53 <DIR> d-------- c:\program files\Netflix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 13:59 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-31 13:58 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-12-31 13:58 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-12-30 13:50 --------- d-----w c:\program files\Common Files\Logitech
2008-12-29 01:40 --------- d-----w c:\program files\Logitech
2008-12-29 01:38 --------- d-----w c:\program files\Java
2008-12-28 21:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 21:54 --------- d-----w c:\program files\RealArcade
2008-12-28 21:53 --------- d-----w c:\program files\Common Files\Crystal Decisions
2008-12-28 21:51 --------- d-----w c:\program files\Common Files\Pervasive Software Shared
2008-12-28 21:50 --------- d-----w c:\program files\MySpace
2008-12-16 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-27 16:44 --------- d-----w c:\program files\iPod
2008-11-27 16:44 --------- d-----w c:\program files\Common Files\Apple
2008-11-26 19:16 --------- d-----w c:\program files\SpiralFrog
2008-11-26 01:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spiralfrog
2008-11-22 02:23 --------- d-----w c:\documents and settings\Katie McNulty\Application Data\BitTorrent
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-11-06 00:26 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-11-06 00:26 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_17.46.16.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 22:20:57 3,284,992 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-12-31 01:09:38 3,915,776 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-12-28 22:20:57 245,760 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-12-31 01:09:38 307,200 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-10-17 07:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
+ 2008-12-29 01:40:41 15,086 ----a-r c:\windows\Installer\{3AF8FCCD-F51A-4014-9002-F195E1CBC876}\ARPPRODUCTICON.exe
+ 2008-12-29 01:40:41 15,086 ----a-r c:\windows\Installer\{3AF8FCCD-F51A-4014-9002-F195E1CBC876}\DesktopShortcut_10110FE91EE84A3DADFD1294F86BE5FC.exe
+ 2008-12-29 01:40:41 53,248 ----a-r c:\windows\Installer\{3AF8FCCD-F51A-4014-9002-F195E1CBC876}\ProgramGroupShortcut_EFA2BBEBCF93493B904B1B970B8DFAB6.exe
+ 2008-12-30 13:50:33 57,344 ----a-r c:\windows\Installer\{53735ECE-E461-4FD0-B742-23A352436D3A}\ARPPRODUCTICON.exe
+ 2008-04-13 19:46:24 17,024 -c--a-w c:\windows\system32\dllcache\ccdecode.sys
- 2008-10-17 07:08:40 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-04-13 19:39:50 5,504 -c--a-w c:\windows\system32\dllcache\mstee.sys
+ 2008-04-13 19:46:26 85,248 -c--a-w c:\windows\system32\dllcache\nabtsfec.sys
+ 2008-04-13 19:46:22 10,880 -c--a-w c:\windows\system32\dllcache\ndisip.sys
+ 2008-04-13 19:46:24 11,136 -c--a-w c:\windows\system32\dllcache\slip.sys
+ 2008-04-13 19:46:22 15,232 -c--a-w c:\windows\system32\dllcache\streamip.sys
+ 2008-04-13 19:45:12 60,032 -c--a-w c:\windows\system32\dllcache\usbaudio.sys
+ 2008-04-13 19:45:40 32,128 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
+ 2008-04-14 01:12:08 53,760 -c--a-w c:\windows\system32\dllcache\vfwwdm32.dll
+ 2008-04-13 19:46:24 19,200 -c--a-w c:\windows\system32\dllcache\wstcodec.sys
+ 2008-04-13 19:46:24 17,024 ----a-w c:\windows\system32\drivers\CCDECODE.sys
+ 2008-07-26 13:25:02 25,624 ----a-w c:\windows\system32\drivers\LVPr2Mon.sys
+ 2008-07-26 15:25:48 627,864 ----a-r c:\windows\system32\drivers\lvrs.sys
+ 2008-07-26 15:26:22 41,752 ----a-r c:\windows\system32\drivers\LVUSBSta.sys
+ 2008-07-26 15:26:56 23,832 ----a-r c:\windows\system32\drivers\lvuvcflt.sys
+ 2008-04-13 19:39:50 5,504 ----a-w c:\windows\system32\drivers\MSTEE.sys
+ 2008-04-13 19:46:26 85,248 ----a-w c:\windows\system32\drivers\NABTSFEC.sys
+ 2008-04-13 19:46:22 10,880 ----a-w c:\windows\system32\drivers\NdisIP.sys
+ 2008-04-13 19:46:24 11,136 ----a-w c:\windows\system32\drivers\SLIP.sys
+ 2008-04-13 19:46:22 15,232 ----a-w c:\windows\system32\drivers\StreamIP.sys
+ 2008-04-13 19:45:12 60,032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
+ 2008-04-13 19:45:40 32,128 ----a-w c:\windows\system32\drivers\usbccgp.sys
+ 2008-04-13 19:46:24 19,200 ----a-w c:\windows\system32\drivers\WSTCODEC.SYS
+ 2008-02-01 09:43:02 489,624 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\LV561AV.sys
+ 2008-02-01 09:43:26 416,280 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\lvcodec2.dll
+ 2008-02-01 09:43:36 195,096 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\lvcoinst.dll
+ 2008-02-01 09:46:16 490,008 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\LVUI2.dll
+ 2008-02-01 09:46:28 465,432 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\LVUI2RC.dll
+ 2008-02-01 09:46:40 41,752 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\LVUSBSta.sys
+ 2008-02-01 09:47:24 236,056 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\lvWIAext.dll
+ 2008-02-01 09:49:52 439,568 -c--a-r c:\windows\system32\DRVSTORE\lvELCHv_3AAC34B8077234D1546F2D72FEA219DE3BAF5FCE\WUApp32.exe
+ 2008-07-26 15:22:22 13,848 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2s_AAF0D42957859C79796117C24EE40D0758F83C77\lv302af.sys
+ 2008-07-26 15:23:30 195,096 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2s_AAF0D42957859C79796117C24EE40D0758F83C77\lvcoinst.dll
+ 2008-07-26 15:25:48 627,864 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2s_AAF0D42957859C79796117C24EE40D0758F83C77\lvrs.sys
+ 2008-07-26 15:26:22 41,752 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2s_AAF0D42957859C79796117C24EE40D0758F83C77\LVUSBSta.sys
+ 2008-07-26 15:29:58 439,568 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2s_AAF0D42957859C79796117C24EE40D0758F83C77\WUApp32.exe
+ 2008-07-26 15:22:34 2,570,520 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\LV302V32.SYS
+ 2008-07-26 15:23:20 416,280 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\lvcodec2.dll
+ 2008-07-26 15:23:30 195,096 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\lvcoinst.dll
+ 2008-07-26 15:26:10 490,008 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\LVUI2.dll
+ 2008-07-26 15:26:22 465,432 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\LVUI2RC.dll
+ 2008-07-26 15:26:22 41,752 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\LVUSBSta.sys
+ 2008-07-26 15:27:20 236,056 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\lvWIAext.dll
+ 2008-07-26 15:29:58 439,568 -c--a-r c:\windows\system32\DRVSTORE\lvPEPI2v_9B63DE375D38D105257209AE91A63E0509B924B9\WUApp32.exe
+ 2008-07-26 15:26:56 23,832 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5c_1BFC52D9685745C065979BCEBCC76EF496BB7037\lvuvcflt.sys
+ 2008-07-26 15:23:30 195,096 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5s_57FBF2DB92AA25DA75C5E6E7205A81E29D58FC02\lvcoinst.dll
+ 2008-07-26 15:24:50 95,384 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5s_57FBF2DB92AA25DA75C5E6E7205A81E29D58FC02\lvpopflt.sys
+ 2008-07-26 15:25:48 627,864 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5s_57FBF2DB92AA25DA75C5E6E7205A81E29D58FC02\lvrs.sys
+ 2008-07-26 15:26:00 66,456 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5s_57FBF2DB92AA25DA75C5E6E7205A81E29D58FC02\lvselsus.sys
+ 2008-07-26 15:26:22 41,752 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5s_57FBF2DB92AA25DA75C5E6E7205A81E29D58FC02\LVUSBSta.sys
+ 2008-07-26 15:29:58 439,568 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5s_57FBF2DB92AA25DA75C5E6E7205A81E29D58FC02\WUApp32.exe
+ 2008-07-26 15:23:20 416,280 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\lvcodec2.dll
+ 2008-07-26 15:23:30 195,096 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\lvcoinst.dll
+ 2008-07-26 15:26:10 490,008 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\LVUI2.dll
+ 2008-07-26 15:26:22 465,432 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\LVUI2RC.dll
+ 2008-07-26 15:26:22 41,752 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\LVUSBSta.sys
+ 2008-07-26 15:26:44 4,658,584 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\lvuvc.sys
+ 2008-07-26 15:27:20 236,056 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\lvWIAext.dll
+ 2008-07-26 15:29:58 439,568 -c--a-r c:\windows\system32\DRVSTORE\lvPRO5v_84763DE157980C4888FEDFF53A1B7C541DFDE85F\WUApp32.exe
- 2008-02-22 05:23:35 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-29 01:38:24 144,792 ----a-w c:\windows\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-29 01:38:24 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-29 01:38:24 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2007-07-27 20:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
+ 2008-07-26 15:23:30 195,096 ----a-r c:\windows\system32\lvci11801048.dll
+ 2008-07-26 15:23:20 416,280 ----a-r c:\windows\system32\lvcodec2.dll
+ 2008-07-26 15:26:10 490,008 ----a-r c:\windows\system32\LVUI2.dll
+ 2008-07-26 15:26:22 465,432 ----a-r c:\windows\system32\LVUI2RC.dll
- 2008-10-17 07:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2007-08-02 23:11:28 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2007-08-06 18:17:40 19,456 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
- 2008-12-28 22:42:37 61,158 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-31 14:03:16 61,158 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-28 22:42:37 401,400 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-31 14:03:16 401,400 ----a-w c:\windows\system32\perfh009.dat
+ 2004-12-07 16:11:34 258,352 ----a-w c:\windows\system32\unicows.dll
+ 2008-04-14 01:12:08 53,760 ----a-w c:\windows\system32\vfwwdm32.dll
+ 2007-10-28 23:59:50 323,624 ----a-w c:\windows\system32\wiaaut.dll
+ 2008-07-26 13:25:24 109,080 ----a-w c:\windows\temp\logishrd\LVPrcInj02.dll
+ 2008-12-31 13:59:24 16,384 ----atw c:\windows\temp\Perflib_Perfdata_468.dat
+ 2008-07-26 15:27:20 236,056 ----a-r c:\windows\twain_32\QuickCam\lvWIAext.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-12-28 66864]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 196608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

c:\documents and settings\Katie McNulty\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-12-28 66864]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-09-26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{142483DF-44BE-4ADE-875F-6B05CCBCE17C}"= "c:\program files\MoSo Anti-Malware\BtHelpFive.dll" [2008-03-28 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine

S2 BeatTrojanHelperOne;BeatTrojanHelperOne;\??\c:\program files\MoSo Anti-Malware\BeatTrojanHelperOne.sys []
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2008-06-30 13864]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys [2005-11-15 281856]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2004-03-12 169192]
S4 MoSo Anti-Malware Real-Time Monitor;MoSo Anti-Malware Real-Time Monitor;c:\program files\MoSo Anti-Malware\MsamSvc.exe []
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Katie McNulty\Application Data\Mozilla\Firefox\Profiles\l1cncpek.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 09:07:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-31 9:08:47
ComboFix-quarantined-files.txt 2008-12-31 14:08:33
ComboFix2.txt 2008-12-28 22:46:50

Pre-Run: 111,941,181,440 bytes free
Post-Run: 112,028,069,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

310 --- E O F --- 2008-12-31 01:02:42



#9
December 31, 2008 at 15:01:32
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Folder, File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
Folder::
c:\program files\MoSo Anti-Malware

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{142483DF-44BE-4ADE-875F-6B05CCBCE17C}"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Go to Start > Run, copy/paste the following lines one at a time and press Enter after each line (names with spaces must be quoted for sc):


sc stop BeatTrojanHelperOne
sc delete BeatTrojanHelperOne
sc stop "MoSo Anti-Malware Real-Time Monitor"
sc delete "MoSo Anti-Malware Real-Time Monitor"

Exit the run command.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab, check the box beside "Turn off System Restore", then Apply (takes a minute) and OK. Go back and uncheck the box to turn System Restore back on, then Apply and OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


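The post above removes two persistence points by hand: a ShellExecuteHooks CLSID through the CFScript and two services through sc. The following PowerShell audit is an added example, not code from the thread or from any of the tools it names. It lists every hook currently registered, resolves each CLSID to the DLL Explorer would load, reports that DLL's Authenticode status, and checks whether the two services named in the post still exist. It assumes a Windows system with PowerShell 2.0 or later, run from an elevated prompt; the CLSID is the one from the CFScript, and the service names are taken from the post as written, not verified here.

```powershell
# Added example, not code from the thread. Audits the two persistence points the
# post above cleans up: the ShellExecuteHooks registry key (where the CLSID in the
# CFScript lived) and the services removed with sc. Assumes Windows with
# PowerShell 2.0 or later, run from an elevated prompt.

$HookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
# The CLSID from the CFScript above; every other hook is still listed for review.
$KnownBadClsid = '{142483DF-44BE-4ADE-875F-6B05CCBCE17C}'
# Service names exactly as the post gives them (assumed from the post, not verified).
$SuspectServices = @('BeatTrojanHelperOne', 'MoSo Anti-Malware Real-Time Monitor')

function Get-ShellExecuteHookReport {
    if (-not (Test-Path -Path $HookKey)) { return }
    $key = Get-Item -Path $HookKey
    foreach ($clsid in $key.GetValueNames()) {
        # Values under this key are named by CLSID; anything else is noise.
        if ($clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }
        # The CLSID's InprocServer32 default value is the DLL Explorer loads into itself.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        $status = 'NoInprocServer32'
        if (Test-Path -Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                if (Test-Path -Path $dll) {
                    # Authenticode status of the hook DLL: Valid, NotSigned, HashMismatch, ...
                    $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                } else {
                    $status = 'DllMissing'
                }
            }
        }
        New-Object PSObject -Property @{
            CLSID     = $clsid
            KnownBad  = ($clsid -ieq $KnownBadClsid)
            Dll       = $dll
            Signature = $status
        }
    }
}

function Get-SuspectServiceReport {
    foreach ($name in $SuspectServices) {
        # Match on either the short name or the display name: sc needs the short
        # name, and the post may have quoted the display name instead.
        $filter = "Name='$name' OR DisplayName='$name'"
        $svc = Get-WmiObject -Class Win32_Service -Filter $filter
        if ($svc) {
            foreach ($s in @($svc)) {
                New-Object PSObject -Property @{
                    Name = $s.Name; DisplayName = $s.DisplayName
                    State = $s.State; StartMode = $s.StartMode; Path = $s.PathName
                }
            }
        } else {
            New-Object PSObject -Property @{
                Name = $name; DisplayName = $null; State = 'Not installed'
                StartMode = $null; Path = $null
            }
        }
    }
}

Write-Host '== ShellExecuteHooks =='
Get-ShellExecuteHookReport | Format-Table CLSID, KnownBad, Signature, Dll -AutoSize
Write-Host '== Services named in the post =='
Get-SuspectServiceReport | Format-Table Name, State, StartMode, Path -AutoSize
```

Any hook whose DLL is unsigned, missing, or sitting outside the Windows or Program Files trees deserves a second look even when its CLSID is not the known one; a service that still shows "Running" after the sc commands means the short name differs from the display name the post used, and the Name column here gives the value sc actually needs.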

#10
January 2, 2009 at 11:55:06
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 11:07:11
Records in database: 1547639
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 54644
Threat name: 4
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:51:03


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09EC0001.VBN Infected: Packed.Win32.Krap.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B900001.VBN Infected: Packed.Win32.Krap.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D280001.VBN Infected: Trojan.Win32.Small.yon 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D2C0000.VBN Infected: Trojan-Downloader.Win32.Agent.akwa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D600000.VBN Infected: Trojan.Win32.Agent.aneo 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D600001.VBN Infected: Trojan.Win32.Agent.aneo 1

The selected area was scanned.


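Every detection in the report above sits inside the Symantec quarantine folder, which is exactly the situation point 5 of the previous post warns about: the files are already contained, not active. The following PowerShell snippet is an added example, not part of the thread or of Kaspersky's scanner. It parses report lines of the form shown above and marks each hit as contained (inside a quarantine or old restore-point folder) or live. The sample text is a constructed excerpt: the first line is copied from the report, the other two are placeholders with invented paths, and the quarantine folder names it knows about (the Symantec "Quarantine" folder, ComboFix's C:\Qoobox\Quarantine, and System Restore's "_restore" folders) are the assumptions it relies on.

```powershell
# Added example, not code from the thread. Triage for a Kaspersky Online Scanner
# report: separate detections that are already quarantined by another tool from
# detections at a live path. Works with PowerShell 2.0 or later.

# Constructed sample: line 1 is from the report above; lines 2 and 3 are placeholders
# with invented file names, present only to show the other classification outcomes.
$SampleReport = @'
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09EC0001.VBN Infected: Packed.Win32.Krap.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\PLACEHOLDER.dll.vir Infected: Trojan.Win32.Agent.aneo 1
C:\WINDOWS\system32\PLACEHOLDER-LIVE.dll Infected: Trojan-Downloader.Win32.Agent.akwa 1

The selected area was scanned.
'@

# Folders where another tool has already isolated the file (assumed list: Symantec AV
# and ComboFix both use a folder named Quarantine; System Restore keeps old points
# under System Volume Information\_restore...).
$ContainedPatterns = @(
    '\\Quarantine\\',
    '\\System Volume Information\\_restore'
)

function Get-ScanTriage {
    param([string]$ReportText)
    $lineRegex = '^(?<Path>.+?)\s+Infected:\s+(?<Threat>\S+)\s+(?<Count>\d+)\s*$'
    foreach ($line in ($ReportText -split "`r?`n")) {
        if ($line -notmatch $lineRegex) { continue }
        # Copy the captures out before any further -match overwrites $Matches.
        $path   = $Matches['Path']
        $threat = $Matches['Threat']
        $count  = [int]$Matches['Count']
        $contained = $false
        foreach ($pattern in $ContainedPatterns) {
            if ($path -match $pattern) { $contained = $true }
        }
        if ($contained) { $status = 'Contained' } else { $status = 'LIVE' }
        New-Object PSObject -Property @{
            Status = $status; Threat = $threat; Count = $count; Path = $path
        }
    }
}

$triage = Get-ScanTriage -ReportText $SampleReport
$triage | Format-Table Status, Threat, Count, Path -AutoSize
Write-Host ''
Write-Host 'Summary:'
$triage | Group-Object Status | Format-Table Name, Count -AutoSize
```

To run it against a real report, replace `$SampleReport` with `Get-Content -Raw` of the saved text file (or `[IO.File]::ReadAllText(...)` on PowerShell 2.0, which lacks `-Raw`). Only the LIVE rows need action; contained rows disappear on their own once the quarantine folders are emptied or the old restore points are purged, as the earlier post describes.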

#11
January 2, 2009 at 20:40:37
Are you still being redirected?


#12
January 3, 2009 at 06:15:33
It doesn't appear so. Thank you so much for your help. What is the best way to prevent this from happening again?


#13
January 3, 2009 at 11:07:40
Make sure you have the newest version of Java, which is version 6 update 11. Go to start> control panel> java> about. If it's an older version, click the update tab> update now. Then go to start> control panel> add/remove programs and uninstall all the older versions.

Navigate to and delete this folder:

C:\SDFix

Empty the recycle bin.

Delete Avenger from your desktop.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

How is the computer operating?

