# Google Search Redirect virus



## zane_is_zebow (Mar 19, 2011)

I'm pretty new to this tech stuff, but I have a hijack log already, but the problem exists. Everytime I search on google (or any search site) and click a result, i'm redirected to a random website with either ads or a search of something similar that I searched for in Google. I've run spysweeper, trendmicro house call, superantispyware, and malwarebytes in both regular and safe mode, but the problem persists. Any help would be VERY appreciated.


----------



## zane_is_zebow (Mar 19, 2011)

Here's the hijack this log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:54:52 AM, on 3/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r215959\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://edugen.wiley.com/edugen/secure/index.uni
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
O4 - HKLM\..\Run: [SysTrayApp] "C:\Program Files\IDT\WDM\sttray.exe"
O4 - HKLM\..\Run: [AESTFltr] "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [test] "C:\Documents and Settings\Zane\Application Data\sys\test.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [YMPXRXjVhBlnS.exe] "C:\Documents and Settings\All Users\Application Data\YMPXRXjVhBlnS.exe"
O4 - HKCU\..\Run: [fLNmvr3JE] "C:\Documents and Settings\All Users\Application Data\fLNmvr3JE.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [rnckdyxk] "C:\DOCUME~1\Zane\LOCALS~1\Temp\ybdbptecq\ydqcgmijfdi.exe"
O4 - HKCU\..\Run: [dfgnejhb] "C:\DOCUME~1\Zane\LOCALS~1\Temp\roobptrcf\ychhevpjfdi.exe"
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250644526406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250652254328
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r215959\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 15634 bytes

Also, those iexplore.exe are processes that keep running in the background. They are not popups, and are not using much CPU, but they keep multiplying. I don't know if this is another virus, or if it is related to the redirect, but any help with that would be great too...


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​* Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.  *

Download ComboFix from *Here* or * Here*to your Desktop.
*As you download it rename it to username123.exe*

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## zane_is_zebow (Mar 19, 2011)

Just searched on google with NO problem. Thank you so much. The iexplore.exe seems to have disappeared as well. This was perfect thank you again!!!

You asked for the log anyway, so here it is:

ComboFix 11-03-18.05 - Zane 03/19/2011 15:15:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3546.2938 [GMT -4:00]
Running from: c:\documents and settings\Zane\Desktop\username123.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Trend Micro Internet Security Pro *Disabled/Outdated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Zane\Application Data\[mgj8435VX.exe
c:\documents and settings\Zane\Application Data\[unc9944[U.exe
c:\documents and settings\Zane\Application Data\arsi1023AR.exe
c:\documents and settings\Zane\Application Data\bqww1220BQ.exe
c:\documents and settings\Zane\Application Data\bxfg1260BX.exe
c:\documents and settings\Zane\Application Data\bzrg1475BZ.exe
c:\documents and settings\Zane\Application Data\cbfg1812CB.exe
c:\documents and settings\Zane\Application Data\ccsi1597CC.exe
c:\documents and settings\Zane\Application Data\cjwn8006UT.exe
c:\documents and settings\Zane\Application Data\ckku1536CK.exe
c:\documents and settings\Zane\Application Data\cmzt1526CM.exe
c:\documents and settings\Zane\Application Data\csnb1524CS.exe
c:\documents and settings\Zane\Application Data\ctkb1760CT.exe
c:\documents and settings\Zane\Application Data\cygo1574CY.exe
c:\documents and settings\Zane\Application Data\cz[v1521CZ.exe
c:\documents and settings\Zane\Application Data\dfuu2124DF.exe
c:\documents and settings\Zane\Application Data\dhbv1875DH.exe
c:\documents and settings\Zane\Application Data\dudp1947DU.exe
c:\documents and settings\Zane\Application Data\dxtw2019DX.exe
c:\documents and settings\Zane\Application Data\e[ym9865[K.exe
c:\documents and settings\Zane\Application Data\egag2526EG.exe
c:\documents and settings\Zane\Application Data\eoab8266VY.exe
c:\documents and settings\Zane\Application Data\fgsb5940OY.exe
c:\documents and settings\Zane\Application Data\fozg2684FO.exe
c:\documents and settings\Zane\Application Data\gjui3035GJ.exe
c:\documents and settings\Zane\Application Data\gmjj6134PE.exe
c:\documents and settings\Zane\Application Data\hkiy3253HK.exe
c:\documents and settings\Zane\Application Data\hpie5223MR.exe
c:\documents and settings\Zane\Application Data\htqk3293HT.exe
c:\documents and settings\Zane\Application Data\iwod3879IW.exe
c:\documents and settings\Zane\Application Data\jfrz5945OI.exe
c:\documents and settings\Zane\Application Data\jqp[4099JQ.exe
c:\documents and settings\Zane\Application Data\jrvf7380SJ.exe
c:\documents and settings\Zane\Application Data\juns2754FE.exe
c:\documents and settings\Zane\Application Data\kfp[4536KF.exe
c:\documents and settings\Zane\Application Data\krzk6243PT.exe
c:\documents and settings\Zane\Application Data\ksjw6125PU.exe
c:\documents and settings\Zane\Application Data\kxop4321KX.exe
c:\documents and settings\Zane\Application Data\lbem8092UT.exe
c:\documents and settings\Zane\Application Data\lhru4861LH.exe
c:\documents and settings\Zane\Application Data\liop4895LI.exe
c:\documents and settings\Zane\Application Data\lsyp4909LS.exe
c:\documents and settings\Zane\Application Data\lyqf4792LY.exe
c:\documents and settings\Zane\Application Data\mlpm4989ML.exe
c:\documents and settings\Zane\Application Data\mqrv5143MQ.exe
c:\documents and settings\Zane\Application Data\ncip1368BW.exe
c:\documents and settings\Zane\Application Data\niyc4132JT.exe
c:\documents and settings\Zane\Application Data\nvsu5880OJ.exe
c:\documents and settings\Zane\Application Data\nxoy5562NX.exe
c:\documents and settings\Zane\Application Data\nzny5387NZ.exe
c:\documents and settings\Zane\Application Data\o[e[5875O[.exe
c:\documents and settings\Zane\Application Data\oabl5678OA.exe
c:\documents and settings\Zane\Application Data\owvo5734OW.exe
c:\documents and settings\Zane\Application Data\paak6183PA.exe
c:\documents and settings\Zane\Application Data\pdsf6303PD.exe
c:\documents and settings\Zane\Application Data\pfep7964UI.exe
c:\documents and settings\Zane\Application Data\pftw6306PF.exe
c:\documents and settings\Zane\Application Data\pmaq3802IW.exe
c:\documents and settings\Zane\Application Data\pmaq6343PM.exe
c:\documents and settings\Zane\Application Data\ppbi6234PP.exe
c:\documents and settings\Zane\Application Data\qexl6503QE.exe
c:\documents and settings\Zane\Application Data\qoil5156MY.exe
c:\documents and settings\Zane\Application Data\qolc6594QO.exe
c:\documents and settings\Zane\Application Data\quho6408QU.exe
c:\documents and settings\Zane\Application Data\qzpg6676QZ.exe
c:\documents and settings\Zane\Application Data\rerg6235PR.exe
c:\documents and settings\Zane\Application Data\rrji8681WU.exe
c:\documents and settings\Zane\Application Data\sssl7091SS.exe
c:\documents and settings\Zane\Application Data\swoz7363SW.exe
c:\documents and settings\Zane\Application Data\sys
c:\documents and settings\Zane\Application Data\sys\mswinsck.ocx
c:\documents and settings\Zane\Application Data\tegi7421TE.exe
c:\documents and settings\Zane\Application Data\thsf7502TH.exe
c:\documents and settings\Zane\Application Data\trhb4514KB.exe
c:\documents and settings\Zane\Application Data\unnm7162SA.exe
c:\documents and settings\Zane\Application Data\upup2213EH.exe
c:\documents and settings\Zane\Application Data\uyib7983UY.exe
c:\documents and settings\Zane\Application Data\vowr8132VO.exe
c:\documents and settings\Zane\Application Data\wffo2901FX.exe
c:\documents and settings\Zane\Application Data\wfic8757WF.exe
c:\documents and settings\Zane\Application Data\wftt8448WF.exe
c:\documents and settings\Zane\Application Data\wgb[5933OQ.exe
c:\documents and settings\Zane\Application Data\wpep8582WP.exe
c:\documents and settings\Zane\Application Data\xgfx8791XG.exe
c:\documents and settings\Zane\Application Data\xikj3312HB.exe
c:\documents and settings\Zane\Application Data\xmfn9124XM.exe
c:\documents and settings\Zane\Application Data\xvba1817CX.exe
c:\documents and settings\Zane\Application Data\yhny9187YH.exe
c:\documents and settings\Zane\Application Data\yory9202YO.exe
c:\documents and settings\Zane\Application Data\yypm7962UI.exe
c:\documents and settings\Zane\Application Data\zafe9589ZA.exe
c:\documents and settings\Zane\Application Data\zbur9779ZB.exe
c:\documents and settings\Zane\Application Data\zcrb9740ZC.exe
c:\documents and settings\Zane\Application Data\zdet9800ZD.exe
c:\documents and settings\Zane\Application Data\zoup3710IG.exe
c:\documents and settings\Zane\Application Data\zroe9503ZR.exe
c:\documents and settings\Zane\Recent\Thumbs.db
c:\documents and settings\Zane\Start Menu\Programs\Memory Optimizer
c:\documents and settings\Zane\Start Menu\Programs\Memory Optimizer\Memory Optimizer.lnk
c:\documents and settings\Zane\Start Menu\Programs\Memory Optimizer\Uninstall Memory Optimizer.lnk
c:\windows\system32\service
c:\windows\system32\service\02032010_TIS17_SfFniAU.log
c:\windows\system32\service\06102009_TIS17_SfFniAU.log
c:\windows\system32\service\09022010_TIS17_SfFniAU.log
c:\windows\system32\service\09092009_TIS17_SfFniAU.log
c:\windows\system32\service\10032010_TIS17_SfFniAU.log
c:\windows\system32\service\10092009_TIS17_SfFniAU.log
c:\windows\system32\service\11082010_TIS17_SfFniAU.log
c:\windows\system32\service\13012010_TIS17_SfFniAU.log
c:\windows\system32\service\16092009_TIS17_SfFniAU.log
c:\windows\system32\service\16102009_TIS17_SfFniAU.log
c:\windows\system32\service\18012011_TIS17_SfFniAU.log
c:\windows\system32\service\18032011_TIS17_SfFniAU.log
c:\windows\system32\service\21112009_TIS17_SfFniAU.log
c:\windows\system32\service\23012011_TIS17_SfFniAU.log
c:\windows\system32\service\23112009_TIS17_SfFniAU.log
c:\windows\system32\service\24122010_TIS17_SfFniAU.log
c:\windows\system32\service\28012010_TIS17_SfFniAU.log
c:\windows\system32\service\28032010_TIS17_SfFniAU.log
.
----- File Replicators -----
.
c:\documents and settings\Zane\Application Data\[mgj8435VX.exe
c:\documents and settings\Zane\Application Data\[unc9944[U.exe
c:\documents and settings\Zane\Application Data\arsi1023AR.exe
c:\documents and settings\Zane\Application Data\bqww1220BQ.exe
c:\documents and settings\Zane\Application Data\bxfg1260BX.exe
c:\documents and settings\Zane\Application Data\bzrg1475BZ.exe
c:\documents and settings\Zane\Application Data\cbfg1812CB.exe
c:\documents and settings\Zane\Application Data\ccsi1597CC.exe
c:\documents and settings\Zane\Application Data\cjwn8006UT.exe
c:\documents and settings\Zane\Application Data\ckku1536CK.exe
c:\documents and settings\Zane\Application Data\cmzt1526CM.exe
c:\documents and settings\Zane\Application Data\csnb1524CS.exe
c:\documents and settings\Zane\Application Data\ctkb1760CT.exe
c:\documents and settings\Zane\Application Data\cygo1574CY.exe
c:\documents and settings\Zane\Application Data\cz[v1521CZ.exe
c:\documents and settings\Zane\Application Data\dfuu2124DF.exe
c:\documents and settings\Zane\Application Data\dhbv1875DH.exe
c:\documents and settings\Zane\Application Data\dudp1947DU.exe
c:\documents and settings\Zane\Application Data\dxtw2019DX.exe
c:\documents and settings\Zane\Application Data\e[ym9865[K.exe
c:\documents and settings\Zane\Application Data\egag2526EG.exe
c:\documents and settings\Zane\Application Data\eoab8266VY.exe
c:\documents and settings\Zane\Application Data\fgsb5940OY.exe
c:\documents and settings\Zane\Application Data\fozg2684FO.exe
c:\documents and settings\Zane\Application Data\gjui3035GJ.exe
c:\documents and settings\Zane\Application Data\gmjj6134PE.exe
c:\documents and settings\Zane\Application Data\hkiy3253HK.exe
c:\documents and settings\Zane\Application Data\hpie5223MR.exe
c:\documents and settings\Zane\Application Data\htqk3293HT.exe
c:\documents and settings\Zane\Application Data\iwod3879IW.exe
c:\documents and settings\Zane\Application Data\jfrz5945OI.exe
c:\documents and settings\Zane\Application Data\jqp[4099JQ.exe
c:\documents and settings\Zane\Application Data\jrvf7380SJ.exe
c:\documents and settings\Zane\Application Data\juns2754FE.exe
c:\documents and settings\Zane\Application Data\kfp[4536KF.exe
c:\documents and settings\Zane\Application Data\krzk6243PT.exe
c:\documents and settings\Zane\Application Data\ksjw6125PU.exe
c:\documents and settings\Zane\Application Data\kxop4321KX.exe
c:\documents and settings\Zane\Application Data\lbem8092UT.exe
c:\documents and settings\Zane\Application Data\lhru4861LH.exe
c:\documents and settings\Zane\Application Data\liop4895LI.exe
c:\documents and settings\Zane\Application Data\lsyp4909LS.exe
c:\documents and settings\Zane\Application Data\lyqf4792LY.exe
c:\documents and settings\Zane\Application Data\mlpm4989ML.exe
c:\documents and settings\Zane\Application Data\mqrv5143MQ.exe
c:\documents and settings\Zane\Application Data\ncip1368BW.exe
c:\documents and settings\Zane\Application Data\niyc4132JT.exe
c:\documents and settings\Zane\Application Data\nvsu5880OJ.exe
c:\documents and settings\Zane\Application Data\nxoy5562NX.exe
c:\documents and settings\Zane\Application Data\nzny5387NZ.exe
c:\documents and settings\Zane\Application Data\o[e[5875O[.exe
c:\documents and settings\Zane\Application Data\oabl5678OA.exe
c:\documents and settings\Zane\Application Data\owvo5734OW.exe
c:\documents and settings\Zane\Application Data\paak6183PA.exe
c:\documents and settings\Zane\Application Data\pfep7964UI.exe
c:\documents and settings\Zane\Application Data\pftw6306PF.exe
c:\documents and settings\Zane\Application Data\pmaq3802IW.exe
c:\documents and settings\Zane\Application Data\pmaq6343PM.exe
c:\documents and settings\Zane\Application Data\ppbi6234PP.exe
c:\documents and settings\Zane\Application Data\qexl6503QE.exe
c:\documents and settings\Zane\Application Data\qoil5156MY.exe
c:\documents and settings\Zane\Application Data\qolc6594QO.exe
c:\documents and settings\Zane\Application Data\quho6408QU.exe
c:\documents and settings\Zane\Application Data\qzpg6676QZ.exe
c:\documents and settings\Zane\Application Data\rerg6235PR.exe
c:\documents and settings\Zane\Application Data\rrji8681WU.exe
c:\documents and settings\Zane\Application Data\sssl7091SS.exe
c:\documents and settings\Zane\Application Data\swoz7363SW.exe
c:\documents and settings\Zane\Application Data\tegi7421TE.exe
c:\documents and settings\Zane\Application Data\thsf7502TH.exe
c:\documents and settings\Zane\Application Data\trhb4514KB.exe
c:\documents and settings\Zane\Application Data\unnm7162SA.exe
c:\documents and settings\Zane\Application Data\upup2213EH.exe
c:\documents and settings\Zane\Application Data\uyib7983UY.exe
c:\documents and settings\Zane\Application Data\vowr8132VO.exe
c:\documents and settings\Zane\Application Data\wffo2901FX.exe
c:\documents and settings\Zane\Application Data\wfic8757WF.exe
c:\documents and settings\Zane\Application Data\wftt8448WF.exe
c:\documents and settings\Zane\Application Data\wgb[5933OQ.exe
c:\documents and settings\Zane\Application Data\wpep8582WP.exe
c:\documents and settings\Zane\Application Data\xgfx8791XG.exe
c:\documents and settings\Zane\Application Data\xikj3312HB.exe
c:\documents and settings\Zane\Application Data\xmfn9124XM.exe
c:\documents and settings\Zane\Application Data\xvba1817CX.exe
c:\documents and settings\Zane\Application Data\yhny9187YH.exe
c:\documents and settings\Zane\Application Data\yory9202YO.exe
c:\documents and settings\Zane\Application Data\yypm7962UI.exe
c:\documents and settings\Zane\Application Data\zafe9589ZA.exe
c:\documents and settings\Zane\Application Data\zbur9779ZB.exe
c:\documents and settings\Zane\Application Data\zcrb9740ZC.exe
c:\documents and settings\Zane\Application Data\zdet9800ZD.exe
c:\documents and settings\Zane\Application Data\zoup3710IG.exe
c:\documents and settings\Zane\Application Data\zroe9503ZR.exe
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected 
Restored copy from - Kitty had a snack  
.
((((((((((((((((((((((((( Files Created from 2011-02-19 to 2011-03-19 )))))))))))))))))))))))))))))))
.
.
2011-03-19 00:45 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C3525BFE-C7CB-491C-8E1C-461C96A30AAD}\mpengine.dll
2011-03-11 22:42 . 2011-03-11 22:42 -------- d-----w- c:\documents and settings\Zane\Application Data\Smith Micro
2011-03-01 22:27 . 2011-03-01 22:27 -------- d-----w- c:\program files\Common Files\Skype
2011-03-01 22:27 . 2011-03-01 22:27 -------- d-----r- c:\program files\Skype
2011-02-28 01:46 . 2011-02-28 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Vistanita
2011-02-24 17:42 . 2011-02-24 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-02-24 00:38 . 2011-02-24 00:38 -------- d-----w- c:\documents and settings\Zane\Application Data\SUPERAntiSpyware.com
2011-02-24 00:38 . 2011-02-24 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-24 00:37 . 2011-03-19 13:35 -------- d-----w- c:\program files\SUPERAntiSpyware
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-25 05:03 . 2009-09-05 14:26 77824 ----a-w- c:\windows\system32\kdfapi.dll
2011-02-25 05:03 . 2009-09-05 14:26 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2011-02-25 05:03 . 2009-09-05 14:26 53248 ----a-w- c:\windows\system32\Kdfhok.dll
2011-02-25 05:03 . 2009-09-05 14:26 387288 ----a-w- c:\windows\system32\kdfmgr.exe
2011-02-11 06:54 . 2011-01-23 23:22 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-09 13:53 . 2008-04-25 16:16 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-25 16:16 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2008-04-25 21:26 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-25 21:26 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-25 16:16 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 04:31 . 2011-01-20 04:30 102400 ----a-w- c:\windows\RegBootClean.exe
2011-01-07 14:09 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14 . 2008-04-25 16:16 1864064 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:09 . 2011-01-17 17:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-01-17 17:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2010-12-19 4771184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-08 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 148888]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 22:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"GoToAssist"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/26/2009 10:07 AM 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 3:35 PM 181544]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [9/5/2009 9:51 AM 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/5/2009 9:50 AM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/22/2009 6:56 AM 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/14/2009 11:02 PM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [9/29/2010 9:27 PM 1201640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/12/2009 4:13 PM 113024]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/12/2009 4:13 PM 160256]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/22/2009 6:56 AM 335376]
S0 folmwj;folmwj;c:\windows\system32\drivers\modoq.sys --> c:\windows\system32\drivers\modoq.sys [?]
S0 nsxl;nsxl;c:\windows\system32\drivers\sqygsbya.sys --> c:\windows\system32\drivers\sqygsbya.sys [?]
S1 MpKsl209e4644;MpKsl209e4644;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8D330E5-482B-466B-B351-E58AA52D12AE}\MpKsl209e4644.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8D330E5-482B-466B-B351-E58AA52D12AE}\MpKsl209e4644.sys [?]
S1 MpKsl4f36573e;MpKsl4f36573e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F61E3F94-F3CB-4582-8E88-BF6A111CF9DD}\MpKsl4f36573e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F61E3F94-F3CB-4582-8E88-BF6A111CF9DD}\MpKsl4f36573e.sys [?]
S1 MpKslc6b43d2f;MpKslc6b43d2f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BFEF0EB1-A18B-41DB-A948-07CB1A9BAAC8}\MpKslc6b43d2f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BFEF0EB1-A18B-41DB-A948-07CB1A9BAAC8}\MpKslc6b43d2f.sys [?]
S1 MpKslc9f8fcc3;MpKslc9f8fcc3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF44A6FE-4353-41DF-BACC-951CC429A63A}\MpKslc9f8fcc3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF44A6FE-4353-41DF-BACC-951CC429A63A}\MpKslc9f8fcc3.sys [?]
S1 MpKsldaf48e6f;MpKsldaf48e6f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9869B4BB-313C-49FB-B421-D9148299BD94}\MpKsldaf48e6f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9869B4BB-313C-49FB-B421-D9148299BD94}\MpKsldaf48e6f.sys [?]
S1 MpKsldbd82012;MpKsldbd82012;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AEC7D59C-8237-45C1-9DF2-9223073389B4}\MpKsldbd82012.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AEC7D59C-8237-45C1-9DF2-9223073389B4}\MpKsldbd82012.sys [?]
S1 MpKslea66e7ca;MpKslea66e7ca;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2FA98D2C-E8E7-4481-8641-374E4742A1E9}\MpKslea66e7ca.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2FA98D2C-E8E7-4481-8641-374E4742A1E9}\MpKslea66e7ca.sys [?]
S1 MpKslfb22d8fa;MpKslfb22d8fa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619BF103-A5C3-47F5-A804-57E77C58ECA9}\MpKslfb22d8fa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619BF103-A5C3-47F5-A804-57E77C58ECA9}\MpKslfb22d8fa.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/26/2010 3:24 PM 135664]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [9/5/2009 9:50 AM 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [9/5/2009 9:50 AM 677128]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [8/12/2009 4:13 PM 1656960]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [6/15/2009 3:21 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [6/3/2009 10:01 AM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 19:24]
.
2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 19:24]
.
2011-03-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-02-02 c:\windows\Tasks\wrSpySweeper_LE45458249F634FEC8EC23E302474A1C8.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-09-30 20:19]
.
2011-02-02 c:\windows\Tasks\wrSpySweeper_LE45458249F634FEC8EC23E302474A1C8.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-09-30 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = https://edugen.wiley.com/edugen/secure/index.uni
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Zane\Application Data\Mozilla\Firefox\Profiles\jr63aqxx.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/|http://elearn.maryvillecollege.edu/...ttp://www.vhlcentral.com/|http://twitter.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Diccionario de Español/España: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-test - c:\documents and settings\Zane\Application Data\sys\test.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-YMPXRXjVhBlnS.exe - c:\documents and settings\All Users\Application Data\YMPXRXjVhBlnS.exe
HKCU-Run-fLNmvr3JE - c:\documents and settings\All Users\Application Data\fLNmvr3JE.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU_ActiveSetup-{BEED0B2B-3EBC-BFCF-C0FD-FBF9FCBFC6FE} - c:\documents and settings\Zane\Application Data\sys\test.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-19 15:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18E09523-0BB1-0E75-6B141AE958ABE9E7}\{8E8BA3D9-389B-9F43-3B5B6490B54F898E}\{0E0922CC-9ECE-C3AB-5B05A5FA1997F2CA}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1356)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-19 15:24:16
ComboFix-quarantined-files.txt 2011-03-19 19:23
.
Pre-Run: 86,332,125,184 bytes free
Post-Run: 88,321,003,520 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 79A204A2B5EEE2A892ED893EDB788FC4


----------



## zane_is_zebow (Mar 19, 2011)

well, the redirect is fixed, but the iexplore.exe duplicates keep copying in the processes. Any idea on how to fix that, since combofix didn't catch it?


----------



## dvk01 (Dec 14, 2002)

next you have multiple antiviruses inmstaled 
trend micro & MSE
decide which one you want & uninstall the other 

reboot then 

run combofix again & post its new log


----------



## zane_is_zebow (Mar 19, 2011)

Chose MSE. Others are uninstalled. Here's the new CF log.

ComboFix 11-03-19.01 - Zane 03/19/2011 21:02:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3546.2991 [GMT -4:00]
Running from: c:\documents and settings\Zane\Desktop\username123.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-20 00:59 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A43124A3-030B-4F22-BD09-7826FBF4BC88}\mpengine.dll
2011-03-19 21:17 . 2008-10-21 17:59 46456 ----a-r- c:\windows\system32\exitwx.exe
2011-03-11 22:42 . 2011-03-11 22:42 -------- d-----w- c:\documents and settings\Zane\Application Data\Smith Micro
2011-03-01 22:27 . 2011-03-01 22:27 -------- d-----w- c:\program files\Common Files\Skype
2011-03-01 22:27 . 2011-03-01 22:27 -------- d-----r- c:\program files\Skype
2011-02-28 01:46 . 2011-02-28 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Vistanita
2011-02-24 17:42 . 2011-02-24 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-02-24 00:38 . 2011-02-24 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-25 05:03 . 2009-09-05 14:26 77824 ----a-w- c:\windows\system32\kdfapi.dll
2011-02-25 05:03 . 2009-09-05 14:26 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2011-02-25 05:03 . 2009-09-05 14:26 53248 ----a-w- c:\windows\system32\Kdfhok.dll
2011-02-25 05:03 . 2009-09-05 14:26 387288 ----a-w- c:\windows\system32\kdfmgr.exe
2011-02-11 06:54 . 2011-01-23 23:22 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-09 13:53 . 2008-04-25 16:16 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-25 16:16 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2008-04-25 21:26 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-25 21:26 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-25 16:16 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 04:31 . 2011-01-20 04:30 102400 ----a-w- c:\windows\RegBootClean.exe
2011-01-07 14:09 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14 . 2008-04-25 16:16 1864064 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:09 . 2011-01-17 17:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-01-17 17:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( [email protected]_19.22.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 00:09 . 2011-03-20 00:47 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-19 00:09 . 2011-03-19 19:03 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-19 00:09 . 2011-03-20 00:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-08-19 00:09 . 2011-03-19 19:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-19 00:09 . 2011-03-20 00:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-08-19 00:09 . 2011-03-19 19:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2010-12-19 4771184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-08 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 148888]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 22:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"GoToAssist"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/26/2009 10:07 AM 29808]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 3:35 PM 181544]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/14/2009 11:02 PM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [9/29/2010 9:27 PM 1201640]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/12/2009 4:13 PM 113024]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/12/2009 4:13 PM 160256]
S0 folmwj;folmwj;c:\windows\system32\drivers\modoq.sys --> c:\windows\system32\drivers\modoq.sys [?]
S0 nsxl;nsxl;c:\windows\system32\drivers\sqygsbya.sys --> c:\windows\system32\drivers\sqygsbya.sys [?]
S1 MpKsl209e4644;MpKsl209e4644;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8D330E5-482B-466B-B351-E58AA52D12AE}\MpKsl209e4644.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8D330E5-482B-466B-B351-E58AA52D12AE}\MpKsl209e4644.sys [?]
S1 MpKsl4f36573e;MpKsl4f36573e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F61E3F94-F3CB-4582-8E88-BF6A111CF9DD}\MpKsl4f36573e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F61E3F94-F3CB-4582-8E88-BF6A111CF9DD}\MpKsl4f36573e.sys [?]
S1 MpKslc6b43d2f;MpKslc6b43d2f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BFEF0EB1-A18B-41DB-A948-07CB1A9BAAC8}\MpKslc6b43d2f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BFEF0EB1-A18B-41DB-A948-07CB1A9BAAC8}\MpKslc6b43d2f.sys [?]
S1 MpKslc9f8fcc3;MpKslc9f8fcc3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF44A6FE-4353-41DF-BACC-951CC429A63A}\MpKslc9f8fcc3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF44A6FE-4353-41DF-BACC-951CC429A63A}\MpKslc9f8fcc3.sys [?]
S1 MpKsldaf48e6f;MpKsldaf48e6f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9869B4BB-313C-49FB-B421-D9148299BD94}\MpKsldaf48e6f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9869B4BB-313C-49FB-B421-D9148299BD94}\MpKsldaf48e6f.sys [?]
S1 MpKsldbd82012;MpKsldbd82012;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AEC7D59C-8237-45C1-9DF2-9223073389B4}\MpKsldbd82012.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AEC7D59C-8237-45C1-9DF2-9223073389B4}\MpKsldbd82012.sys [?]
S1 MpKslea66e7ca;MpKslea66e7ca;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2FA98D2C-E8E7-4481-8641-374E4742A1E9}\MpKslea66e7ca.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2FA98D2C-E8E7-4481-8641-374E4742A1E9}\MpKslea66e7ca.sys [?]
S1 MpKslfb22d8fa;MpKslfb22d8fa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619BF103-A5C3-47F5-A804-57E77C58ECA9}\MpKslfb22d8fa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619BF103-A5C3-47F5-A804-57E77C58ECA9}\MpKslfb22d8fa.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/26/2010 3:24 PM 135664]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe --> c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [?]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [8/12/2009 4:13 PM 1656960]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [6/15/2009 3:21 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [6/3/2009 10:01 AM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 19:24]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 19:24]
.
2011-03-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = https://edugen.wiley.com/edugen/secure/index.uni
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Zane\Application Data\Mozilla\Firefox\Profiles\jr63aqxx.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/|http://elearn.maryvillecollege.edu/...ttp://www.vhlcentral.com/|http://twitter.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Diccionario de Español/España: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-19 21:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18E09523-0BB1-0E75-6B141AE958ABE9E7}\{8E8BA3D9-389B-9F43-3B5B6490B54F898E}\{0E0922CC-9ECE-C3AB-5B05A5FA1997F2CA}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1196)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-19 21:09:11
ComboFix-quarantined-files.txt 2011-03-20 01:08
ComboFix2.txt 2011-03-19 19:24
.
Pre-Run: 89,287,929,856 bytes free
Post-Run: 89,271,902,208 bytes free
.
- - End Of File - - F2CA9A226AC9C3D1DA7221BF00570688


----------



## dvk01 (Dec 14, 2002)

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## zane_is_zebow (Mar 19, 2011)

Had to attach it in a zip this time, because Techguy was telling me it's too long to post. Also, the popup window that said upload DID come up, so it was uploaded successfully, i assume.


----------



## dvk01 (Dec 14, 2002)

I can't see anything obviously wrong now

have all your problems stopped or are you still having any problems


----------



## zane_is_zebow (Mar 19, 2011)

They've all stopped as far as I can tell.

This was incredible, thank you so much. Anything else I need to do?


----------



## dvk01 (Dec 14, 2002)

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall * in the runbox and click *OK*. Note the *space *between the *X* and the */U*, it needs to be there.









This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------

