# Malformed webpages in IE/FF, windowsclick.com forwards, etc.



## Dr. Mojo PhD (Jan 21, 2009)

I've got a big time pain on my hands. It seems that other people are having similar problems (simply Google "windowsclick.com", and this site is the first returned, and a cursory examination of other posts indicates that some are certainly having this problem, while this _might_ be what others are experiencing), and have yet to receive anything on it. Google (and then Yahoo) gives little in the way of information other than that this seems to be a relatively new problem emerging in the last couple of days. (From about Jan 19 2009 onward). My own problems emerged on January 20th 2009, around mid-afternoon.

Recently, Firefox became unusable. Webpages were being displayed as deformed, with elements and formatting missing. Google became essentially unusable. Left clicks, then middle clicks, and right click - open in new... began forwarding to windowsclick.com the majority of the time, and occasionally findreggi.com or looksharp.com (I'm not sure about the last one but it was relatively similar to that, anyway.) A quick check of IE showed it displaying the same behaviour.

Here is an example of the URL it's attempting to forward me to:

http://windowsclick.com/go.php?u=a2...hPN_F-lNIwZ-ds7gJ1i2j5P4q9fT-FKaJ9GKII4bDPnU-
Mv-cpITk0zRdHE03APw8MAd_D92xxD0HA6fx08j8MslfpM4ztWtd53aPFarDAK_k1vssSqP88E2SHP0d-ivcmBpxEuxPIplrgvIVBUQl2mmmZds-B
Y-NX4cawzN7lqRyqfUMxDzbfW2mSCT-GWGo8hOkrd3Cv1tkr8YzuTRTXey0sKqoNqO7CKdj8ZmDjr25NEOhvvIyDHg_xX9d_gHz8oLsudBTtkDqJF
2-bePBauHPVfaVPoAzd41KbqZz_u7WAUR67ztuxICeiKm1tH0OWyw0h3-SgFjji4mXZ1tOxHSxUOpNw6Pe_-dtCA36U99180m3LpLEQw7CDKdJR-G
wqygzQsfIXVyS9bmMxK50zNpWdDztrNjBGJipWmWVs-eycByliVLksai_4WkCH3BYdn9M1u8uavRmf-MOvEJB3TmsS3UjDfXQ8lez3ztZDCSpT-K7
sLn_Yj379OAoHfjr_9rRzJp_iq86R3HE4S_9-oT678qJ510CaMKbLXmQBvjL61Kd50OnYUwMPqah5CNpM5s4a4soCSxpvnw-tFHyrjCr7wVd6iWL_
0zgdUUEox9VZdviKs_6ZRziMiIbCyCzEFeU-NXMj0Wutd_4ddLr_DbBytdZhNAlftiZWNHLIRQ1w_w0YTQjTmU85liZ503mEKhDqrqqW4zglm8Ez9
tEUi1qKE5nJDoSpU9CNv3HM23QQdqkFVSFdr1IHYsRY7tVNVWWPk6k5p_32zHHRcMUfKlSMP14xVPU70Q2K3oSGk22dqKb1ts9e9ski9wGo9PINKf
2pPkGjV3PSpn3lQNoMgYjFhabsqrTb5qE4XcS-LlNzant_GvOlnU5mzeVWFoHH87sZ7GqXJ8V5NPSdejg-mfigkzdtSIu3TvfjY8lpGVelplzvRFW
16lHrXn8sbOVq47GOFZpL3-0F18LmyJKScPFKrmwb327Rp4JukEaH9uOSF39WU5eMNdUPXztAlsaz1-KpfJZ1XUNxhm4ovM5v73O7dhxi8tuSzrPh
jf17PpJgjt_eivKz154PhW3uYPyfbk9elozwGX4KJOjIfmK-RVBiR1rzNaJm3KNqTwmj7hjdZoNxeXz1-ZIqVMMoIfpPbA0kVXLmv9dZNcbML6-7w
qTHFR4hMPb5_9e-2ZszsjBCeARTYQEPSAiBJKgZkUNpSAHFTPMDiwgl0_CwnniBSYoQI9D4UUmhYpKgHSJcKATH8zjrDitdVq5EYRUduMpalo6wRU
EDgGBAElTZ0_gHqifgaO87vPt5zzN9_iT3pWMzDPACvgMAg6KKFlpeUEiVqCVn69f_hFwYGzGbWVmO8MgBzGGATLiXMFxIU6I8DRQg0qumMl1oNe%
3Ds%3Fphp.c%2F711.691.111.46&bid=0.026010&aid=62&said=test5v5&mppc=peak

(Line breaks are there to preserve readability, it's a helluva horizontal scroll even on a 16:10).

That's what came up when I clicked the Cooks.com hit on a Google search for "baby back ribs"... reminds me of the ancient 256 character URL exploit, if anybody remembers that.

Opera is also starting to border on unusable. Any sort of exe download tends to crash the browser. It seems to be progressive degradation, and now I cannot even download usable alternates like Safari or Chrome, simply to check on updates or more information, as the exes constantly crash, or the download refuses to initiate at all. HJT would barely run, and other malware detectors gave me significant difficulty as well. Certain programs aren't affected, and other than popular browsers, search engines, and malware programs nothing _seems_ affected.

The only thing I've permitted to be installed recently was a Flash addon from CNN for the live stream of the Presidential Inauguration on the 20th.

HJT log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:10 PM, on 1/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\J. Matthew Lemieux\Desktop\TJH.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YASU] C:\Program Files\DAEMON Tools\YASU.exe -s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222373181218
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 10678 bytes


----------



## Dr. Mojo PhD (Jan 21, 2009)

It should be worth noting as well that a complete system scan reveals nothing.

AVG reports nothing. Microsoft's Malware Removal tool reports nothing. Windows Defender reports nothing. In case this is somehow related to Conficker in _any_ way I tried that too -- nothing.

Perhaps most importantly, most malware tools I installed had to be run manually. HJT in particular would not run properly and had to be screwed with in all manner of ways to get it to function even remotely properly on the system -- download problems, refusals to execute, etc. The same counts for most security programs I'd attempted to run.

Second update: Malwarebytes detected something. Worth noting that like HJT (you can see it renamed above in the log as TJH), Anti-Malware had to be renamed, else it wouldn't execute. Here's the log:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/22/2009 2:19:36 AM
mbam-log-2009-01-22 (02-19-29).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 290240
Time elapsed: 1 hour(s), 20 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\videosoft (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\J. Matthew Lemieux\Local Settings\Temp\UAC94ab.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\[email protected]@@k.dll (Trojan.Agent) -> No action taken.


----------



## Dr. Mojo PhD (Jan 21, 2009)

Ran ComboFix (which had to be renamed FixCombo to work, surprise surprise)...

Here's the log...

ComboFix 09-01-21.04 - J. Matthew Lemieux 2009-01-22 15:22:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1551 [GMT -5:00]
Running from: c:\documents and settings\J. Matthew Lemieux\Desktop\FixCombo.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\J. Matthew Lemieux\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_bg_popup.gif
c:\documents and settings\J. Matthew Lemieux\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_window_sliver.gif
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2100-02-23 17:35 . 2001-02-22 12:54	768	--a------	c:\program files\x73_lut.dat
2100-02-08 18:03 . 2001-05-11 13:39	53,248	--a------	c:\program files\ACMonitor_X73.exe
2009-01-22 15:04 . 2009-01-22 15:04 d--------	c:\documents and settings\J. Matthew Lemieux\Application Data\DAEMON Tools Pro
2009-01-22 15:01 . 2009-01-22 15:10 d--------	C:\ComboFix
2009-01-22 04:12 . 2009-01-22 04:12 d--------	c:\program files\DAEMON Tools Toolbar
2009-01-22 04:12 . 2009-01-22 04:12 d--------	c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-22 04:11 . 2009-01-22 15:04 d--------	c:\documents and settings\J. Matthew Lemieux\Application Data\DAEMON Tools Lite
2009-01-22 02:56 . 2009-01-22 02:56 d--------	c:\program files\Sophos
2009-01-22 02:32 . 2009-01-22 02:32 d--------	C:\!KillBox
2009-01-21 23:28 . 2009-01-21 23:28 d--------	c:\documents and settings\J. Matthew Lemieux\Application Data\Malwarebytes
2009-01-21 23:25 . 2009-01-22 15:09 d--------	c:\program files\Malwarebytes' Anti-Malware
2009-01-21 23:25 . 2009-01-21 23:25 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 23:25 . 2009-01-14 16:11	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 23:25 . 2009-01-14 16:11	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-01-20 23:28 . 2009-01-20 23:28 d--------	c:\program files\Opera
2009-01-14 15:56 . 2009-01-14 15:56 d--------	c:\program files\Bonjour
2009-01-14 15:55 . 2009-01-14 15:55 d--------	c:\program files\iPod
2009-01-14 15:55 . 2009-01-14 15:55 d--------	c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-14 15:53 . 2009-01-14 15:53 d--------	c:\program files\QuickTime
2009-01-14 01:44 . 2009-01-19 05:34 d--------	c:\documents and settings\J. Matthew Lemieux\Application Data\SPORE
2009-01-12 19:30 . 2009-01-12 19:30 d--------	c:\documents and settings\J. Matthew Lemieux\eee
2009-01-10 23:35 . 2009-01-10 23:35 d--------	c:\windows\Zoom
2009-01-10 23:35 . 2009-01-10 23:35 d--------	c:\program files\Zoom
2009-01-10 23:35 . 2003-06-11 10:43	143,360	---------	c:\windows\system32\RODll.dll
2009-01-10 23:35 . 2003-06-11 10:43	143,360	---------	c:\windows\system32\drivers\RODll.dll
2009-01-10 23:35 . 2003-07-18 13:29	52,864	---------	c:\windows\system32\drivers\CnxTrUsb.sys
2009-01-10 23:35 . 2003-07-18 13:29	25,984	---------	c:\windows\system32\drivers\CnxTrLan.sys
2009-01-10 23:35 . 2001-07-21 17:30	22,048	---------	c:\windows\system32\drivers\cocpyinf.dll
2009-01-10 23:35 . 2001-07-21 17:30	22,048	---------	c:\windows\system32\cocpyinf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 20:04	---------	d-----w	c:\documents and settings\J. Matthew Lemieux\Application Data\DAEMON Tools
2009-01-22 20:03	---------	d-----w	c:\program files\DAEMON Tools Lite
2009-01-22 20:00	---------	d-----w	c:\documents and settings\J. Matthew Lemieux\Application Data\Azureus
2009-01-22 08:49	---------	d-----w	c:\program files\Ahead
2009-01-22 08:48	---------	d-----w	c:\program files\Common Files\Ahead
2009-01-22 08:46	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-22 08:40	---------	d-----w	c:\program files\FSAutoStart
2009-01-22 08:39	---------	d-----w	c:\program files\Electronic Arts
2009-01-22 08:37	---------	d-----w	c:\program files\Bohemia Interactive
2009-01-22 08:27	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-01-22 08:14	---------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-01-22 08:14	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-01-22 08:02	---------	d-----w	c:\documents and settings\All Users\Application Data\Skype
2009-01-22 07:49	---------	d-----w	c:\program files\Steam
2009-01-21 17:00	---------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2009-01-14 21:15	118,784	----a-w	c:\windows\GREUninstall.exe
2009-01-14 20:55	---------	d-----w	c:\program files\iTunes
2009-01-14 20:55	---------	d-----w	c:\program files\Common Files\Apple
2009-01-12 19:06	---------	d-----w	c:\program files\mIRC
2009-01-11 07:19	---------	d-----w	c:\program files\DivX
2008-12-14 19:27	---------	d-----w	c:\documents and settings\J. Matthew Lemieux\Application Data\dvdcss
2008-12-11 10:57	333,952	----a-w	c:\windows\system32\drivers\srv.sys
2008-12-05 01:05	---------	d-----w	c:\documents and settings\J. Matthew Lemieux\Application Data\Apple Computer
2008-11-29 21:01	---------	d-----w c:\program files\Apple Software Update
2008-11-22 05:08	---------	d-----w	c:\program files\Azureus
2008-03-16 20:31	22,328	----a-w	c:\documents and settings\J. Matthew Lemieux\Application Data\PnkBstrK.sys
2006-12-29 01:00	1	----a-w	c:\documents and settings\J. Matthew Lemieux\SI.bin
2006-12-06 21:59	46,592	----a-w	c:\documents and settings\J. Matthew Lemieux\DrvMgt.dll
2006-12-06 21:59	163,644	----a-w	c:\documents and settings\J. Matthew Lemieux\SECDRV.SYS
2006-12-06 12:50	669	----a-w	c:\documents and settings\J. Matthew Lemieux\layout.bin
2006-12-06 12:50	552,214	----a-w	c:\documents and settings\J. Matthew Lemieux\ISSetup.dll
2006-05-24 20:10	455,600	----a-w	c:\documents and settings\J. Matthew Lemieux\setup.exe
2006-05-17 19:21	152,496	----a-w	c:\documents and settings\J. Matthew Lemieux\_setup.dll
2001-07-27 00:58	47	----a-w	c:\program files\ACMonitor_X73.ini
2001-07-05 20:46	8,116	----a-w	c:\program files\OSLO3071b2.USB
2001-05-08 23:36	114,688	----a-w	c:\program files\lxarscan.dll
2001-04-23 22:22	1,437	----a-w	c:\program files\gtx73.ini
2005-07-14 19:31	27,648	--sha-w	c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-12-10 929224]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-12-10 929224]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 3627008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 c:\windows\system32\Ctxfihlp.exe]
"CTHelper"="CTHELPER.EXE" [2006-12-12 c:\windows\system32\CtHelper.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\J. Matthew Lemieux\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-09-14 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\progra~1\REPLAY~1\ir50_32.dll
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bohemia Interactive\\ArmA\\arma.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bohemia Interactive\\ArmA\\arma.locked"=
"c:\\Program Files\\Steam\\steamapps\\drmojophd\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\drmojophd\\source sdk base\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\femme_nikita\\counter-strike\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [2007-06-01 215856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-09-25 97928]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-01-11 33792]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-25 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-25 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-09-25 76040]
R4 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2006-09-21 2368]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1035.tmp --> c:\windows\system32\1035.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48a71a35-ff26-11db-a92b-0017311c40e9}]
\Shell\AutoRun\command - g:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - g:\directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15323c0-1506-11db-a831-0017311c40e9}]
\Shell\AutoRun\command - F:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 21:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-YASU - c:\program files\DAEMON Tools\YASU.exe
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-Run-Kernel and Hardware Abstraction Layer - KHALMNPR.EXE

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 15:28:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1035.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1677128483-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,1f,e4,4b,f5,e7,ce,5b,27,c6,3f,93,7a,30,90,53,01,0d,6d,94,e3,34,08,
37,f7,46,85,3a,60,89,f2,f5,5c,05,53,af,c5,c7,96,a3,3f,15,af,7f,36,c5,68,52,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f9,2e,d3,
de,fd,65,5c,d8,e2,2c,2e,f1,19,49,ef,78,0c,d5,1f,b2,8c,27,8b,d6,05,90,a0,7b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29D83109-D499-A3EF-54ABD4209B2D5F0C}\{354D4B2F-7299-D6B0-F9DE68C9556AEC8D}\{1096A586-413B-60D3-8347C002DC18071C}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3749AA95-0B95-97D6-573EA782D1087389}\{140D5DD1-4454-9D01-1A62C863EE2D72CA}\{AFBD57C5-0E25-C0E9-BB318052A3DC6730}*]
"L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{61E02159-A14A-FC32-018FB6A6B5E128FA}\{BE08726F-5794-26E4-FF65539D238093C7}\{FD6EFD08-28CD-2519-DC89D4AD1DA3D3A5}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D9EEA93-DD59-68FD-2527E621161D0237}\{C35E9742-B8BD-06C7-FA5575747B82F58D}\{7D561727-4D3E-D313-4CFAAB3C00BB0207}*]
"TU4WOU1J6ARI5KX1FANSH3C1OF1"=hex:01,00,01,00,00,00,00,00,3d,cd,b7,46,4e,75,8f,
24,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9046776-195D-89EA-3E66F9BC5DAE5B9B}\{E7989E73-D3F8-C437-CB8470F59A56421D}\{FFD68A1F-1364-19C2-ECF1A15A7898EBE6}*]
"LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a,
a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\libusbd-nt.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\program files\Nvidia Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-01-22 15:33:25 - machine was rebooted [J. Matthew Lemieux]
ComboFix-quarantined-files.txt 2009-01-22 20:33:22

Pre-Run: 180,615,454,720 bytes free
Post-Run: 180,832,026,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

Current=7 Default=7 Failed=6 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
286	--- E O F ---	2009-01-19 19:42:38

After letting ComboFix sanitize my computer, things _appear_ to have improved. I can now freely rename the exes for ComboFix, mbam, etc. and have them actually execute normally.

I also did some pre-sanitation work last night, killed off about 160 gigs of wasted files and went around getting rid of orphaned registry keys as well as I could, etc. A lot of system scans wouldn't work yesterday, incidentally, even for innocuous things (such as disk defrag).

Before I mark this one solved I'll see if everything continues to work.
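
As an added example (not code from this thread, from ComboFix, or from its author), here is a small Python triage script that scans ComboFix-style log text for the two indicators visible in the log pasted above: a service whose ImagePath is a .tmp file, as with the MEMSWEEP2 entry, and locked CLSID keys whose GUIDs are not in the canonical 8-4-4-4-12 hex form. The sample log is constructed from lines in the log above (abridged, hex data truncated); the flagging rules are this example's own assumptions about what a reviewer would check, not ComboFix's detection logic.

```python
"""Triage a ComboFix-style log for the indicators visible in this thread.

Added example: not code from the thread, from ComboFix, or from its author.
The sample log is constructed from lines pasted above, and the flagging
rules are this example's own assumptions about what a reviewer would check.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed from the log posted above (abridged; hex data truncated).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1035.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1677128483-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f9,2e,d3,
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\AVG\AVG8\avgrsx.exe
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")          # "---- NAME ----" headers
KEY_RE = re.compile(r"^\[(.+?)\*?\]$")                       # "[HKEY_...]" (ComboFix marks locked keys with *)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')   # "Name"=data
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review"
    key: str
    reason: str


def is_canonical_guid(guid: str) -> bool:
    """True for the standard {8-4-4-4-12} hex form Windows uses for CLSIDs."""
    return GUID_RE.match(guid) is not None


def iter_entries(text: str) -> Iterator[Tuple[Optional[str], str, Optional[str], Optional[str]]]:
    """Yield (section, key, value_name, value_data) for each registry value line.
    A key header yields (section, key, None, None). Hex continuation lines are ignored."""
    section: Optional[str] = None
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield section, key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield section, key, m.group("name"), m.group("data").strip('"')


def _strip_nt_prefix(path: str) -> str:
    # Service binaries are often written in NT object-namespace form: \??\C:\...
    return path[4:] if path.startswith("\\??\\") else path


def triage(text: str) -> List[Finding]:
    """Apply the two assumed rules and return findings in log order."""
    findings: List[Finding] = []
    for section, key, name, data in iter_entries(text):
        # Rule 1 (assumption): a service whose binary is a .tmp file, as MEMSWEEP2 above.
        if name == "ImagePath" and "\\services\\" in key.lower() and data is not None:
            path = _strip_nt_prefix(data)
            if path.lower().endswith(".tmp"):
                findings.append(Finding("high", key, f"service ImagePath is a temp file: {path}"))
        # Rule 2 (assumption): locked keys, judged once per key header.
        if name is None and section and section.upper() == "LOCKED REGISTRY KEYS":
            parts = key.split("\\")
            idx = next((i for i, p in enumerate(parts) if p.upper() == "CLSID"), None)
            if idx is None:
                findings.append(Finding("review", key, "locked key outside CLSID; compare against known copy-protection keys"))
                continue
            bad = [g for g in parts[idx + 1:] if not is_canonical_guid(g)]
            if bad:
                findings.append(Finding("high", key, "locked CLSID key with non-canonical GUID(s): " + ", ".join(bad)))
            else:
                findings.append(Finding("review", key, "locked CLSID key with well-formed GUIDs; verify the owning component"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.key}")
```

Run against the constructed sample, the script reports the MEMSWEEP2 service and both CLSID keys as "high" and the SecuROM key as "review" only, which matches what the thread's own cleanup confirmed: the locked CLSID keys with the odd-length GUIDs were part of the infection, while locked SecuROM keys are commonly left behind by copy-protection software and need a human look rather than automatic removal.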


----------



## dvk01 (Dec 14, 2002)

Looks like ComboFix got it.


----------



## Dr. Mojo PhD (Jan 21, 2009)

It appears that way. After a few hours of trying everything I could to break the hell out of the system again, the ONLY thing that happened was AVG picked up something in the system restore archives.

Otherwise, Firefox and IE are back to behaving normally. ComboFix, Malwarebytes, and the rest of the others can run with their normal executable names again.

ComboFix detected it as a rootkit. Other rootkit detectors could not detect it.

For posterity's sake, the order I ran things in was HJT - Malwarebytes Anti-Malware - HJT - ComboFix. mbam and ComboFix both picked up different parts of the infection. After ComboFix, everything was back to normal.

If there is any infection present, there are no frank symptoms. I'm confident enough to mark this solved.


----------



## dvk01 (Dec 14, 2002)

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START*, then *RUN*
* Now type *Combofix /u* in the run box and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.
Then turn off System Restore by following the instructions here:
for XP http://www.thespykiller.co.uk/index.php?page=8
or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point. Now empty the Recycle Bin on the desktop.

Go here *http://www.thespykiller.co.uk/index.php?page=3* for info on how to tighten your security settings and how to help prevent future attacks.

And scan here *http://secunia.com/software_inspector/* for out-of-date and vulnerable common applications on your computer.

Then pay an urgent visit to Windows Update and make sure you are fully updated; that will help to plug the security holes that let these pests in, in the first place.


----------



## Dr. Mojo PhD (Jan 21, 2009)

Like a charm. Thanks, dvk01


----------

