# ClickFew/FindUpset redirecting my search results/searching in the background.



## Kaljinyu (Jun 20, 2005)

No matter what browser I use, no matter what search engine I use, my search results are redirected to various third party sites like 66tv.com, Washingtonbrewfest.com, SportsCarsForSale.com, and et cetera. Sometimes I get legit sites like Sportingnews.com. I notice a slight delay in my Google Instant search results, and then when I get my results, anything I click leads to a redirection.

What's more, my History has shown that background searches have been going on whenever my browsing is idle. If I'm not busy browsing, the browser will start background searches. I haven't noticed any running processes that might be triggering this, I've even run GetSusp to check all running processes and nothing's out of place. The engines used so far have been: 

ClickFew.org
ClickPrinter.org
Findupset.org
FlurrySearch.com
FoundVids.com
FreeSearchTime.com
LocateFind.net
LocateFindSearch.com
LocateFindWeb.com
LocateFindWeb.net
LocateWebSearch.com
LocateWebSearch.net
LookPro.net
LookWorks.net
ResultWiz.com
SearchDetect.net
SearchDiscoverFind.com
SearchFindDiscover.com
SearchFindLocate.net
SearchListingPro.com
SearchListPros.com
SearchLocateWeb.com
SearchPuma.com
SearchResults
FindSearches.com
TheFastFinders.com 
TheSearchBoss.com
TopCloudSite.com
TubeLeaker.com
UpliftSearch.com
Vidstreet.com
WizardLinkers.com


----------



## kevinf80 (Mar 21, 2006)

We need to see some additional information about what is happening in your machine.
Please perform the following scan:

Download *DDS* by sUBs from one of the following links. Save it to your desktop.
*DDS.com*
*DDS.scr*
*DDS.pif*

Double click on the *DDS* icon, allow it to run.
A small box will open, with an explanation about the tool.
When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop.
The instructions here ask you to attach the Attach.txt.

*Instead of attaching, please copy/paste both logs into your next reply.*
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control *HERE*

Kevin


----------



## Kaljinyu (Jun 20, 2005)

I was supposed to disconnect from the Internet before scanning?


----------



## Kaljinyu (Jun 20, 2005)

The scan ran, even though I'm connected to the Internet. Here are the results, if they're any good. Here's *Attach.txt*

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/29/2010 12:40:29 PM
System Uptime: 2/9/2011 2:23:17 PM (2 hours ago)

Motherboard: Hewlett-Packard | | 3047h
Processor: AMD Sempron(tm) 145 Processor | XU1 PROCESSOR | 2793/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 123.706 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP36: 11/11/2010 9:08:09 PM - System Checkpoint
RP37: 11/12/2010 10:16:37 PM - System Checkpoint
RP38: 11/13/2010 11:06:58 PM - System Checkpoint
RP39: 11/15/2010 12:06:58 AM - System Checkpoint
RP40: 11/16/2010 1:06:58 AM - System Checkpoint
RP41: 11/17/2010 2:06:58 AM - System Checkpoint
RP42: 11/18/2010 3:06:58 AM - System Checkpoint
RP43: 11/19/2010 4:06:58 AM - System Checkpoint
RP44: 11/20/2010 5:06:58 AM - System Checkpoint
RP45: 11/21/2010 6:06:58 AM - System Checkpoint
RP46: 11/22/2010 7:06:58 AM - System Checkpoint
RP47: 11/23/2010 8:06:58 AM - System Checkpoint
RP48: 11/24/2010 9:06:58 AM - System Checkpoint
RP49: 11/25/2010 10:06:58 AM - System Checkpoint
RP50: 11/26/2010 11:06:58 AM - System Checkpoint
RP51: 11/27/2010 12:06:58 PM - System Checkpoint
RP52: 11/28/2010 12:11:42 PM - System Checkpoint
RP53: 11/29/2010 1:06:58 PM - System Checkpoint
RP54: 11/30/2010 2:06:58 PM - System Checkpoint
RP55: 12/1/2010 3:06:58 PM - System Checkpoint
RP56: 12/2/2010 4:06:58 PM - System Checkpoint
RP57: 12/3/2010 5:06:58 PM - System Checkpoint
RP58: 12/4/2010 5:47:41 PM - System Checkpoint
RP59: 12/5/2010 6:21:54 PM - System Checkpoint
RP60: 12/6/2010 7:21:54 PM - System Checkpoint
RP61: 12/7/2010 8:21:54 PM - System Checkpoint
RP62: 12/8/2010 9:21:54 PM - System Checkpoint
RP63: 12/9/2010 10:03:08 PM - System Checkpoint
RP64: 12/10/2010 10:21:54 PM - System Checkpoint
RP65: 12/11/2010 11:38:36 PM - System Checkpoint
RP66: 12/13/2010 12:21:54 AM - System Checkpoint
RP67: 12/14/2010 12:22:59 AM - System Checkpoint
RP68: 12/15/2010 12:39:21 AM - System Checkpoint
RP69: 12/16/2010 12:40:26 AM - System Checkpoint
RP70: 12/17/2010 1:39:21 AM - System Checkpoint
RP71: 12/18/2010 2:39:21 AM - System Checkpoint
RP72: 12/19/2010 3:39:21 AM - System Checkpoint
RP73: 12/20/2010 4:39:21 AM - System Checkpoint
RP74: 12/21/2010 5:39:21 AM - System Checkpoint
RP75: 12/22/2010 6:39:21 AM - System Checkpoint
RP76: 12/23/2010 7:39:21 AM - System Checkpoint
RP77: 12/24/2010 8:39:21 AM - System Checkpoint
RP78: 12/25/2010 9:39:21 AM - System Checkpoint
RP79: 12/26/2010 6:54:31 PM - System Checkpoint
RP80: 12/27/2010 7:17:08 PM - System Checkpoint
RP81: 12/29/2010 2:01:27 AM - System Checkpoint
RP82: 12/30/2010 2:05:07 AM - System Checkpoint
RP83: 12/31/2010 3:05:07 AM - System Checkpoint
RP84: 1/1/2011 4:49:18 AM - System Checkpoint
RP85: 1/2/2011 5:05:08 AM - System Checkpoint
RP86: 1/3/2011 6:05:02 AM - System Checkpoint
RP87: 1/4/2011 7:05:02 AM - System Checkpoint
RP88: 1/5/2011 8:05:03 AM - System Checkpoint
RP89: 1/6/2011 9:05:03 AM - System Checkpoint
RP90: 1/8/2011 1:46:22 AM - System Checkpoint
RP91: 1/9/2011 3:32:06 AM - System Checkpoint
RP92: 1/10/2011 4:04:59 AM - System Checkpoint
RP93: 1/11/2011 5:04:59 AM - System Checkpoint
RP94: 1/12/2011 5:16:37 AM - System Checkpoint
RP95: 1/13/2011 5:55:02 AM - System Checkpoint
RP96: 1/14/2011 6:04:59 AM - System Checkpoint
RP97: 1/15/2011 6:40:17 AM - System Checkpoint
RP98: 1/16/2011 7:05:01 AM - System Checkpoint
RP99: 1/17/2011 8:11:00 AM - System Checkpoint
RP100: 1/18/2011 9:04:56 AM - System Checkpoint
RP101: 1/19/2011 9:36:54 PM - System Checkpoint
RP102: 1/20/2011 9:59:07 PM - System Checkpoint
RP103: 1/22/2011 2:39:15 AM - System Checkpoint
RP104: 1/23/2011 6:35:57 AM - System Checkpoint
RP105: 1/24/2011 7:07:29 AM - System Checkpoint
RP106: 1/25/2011 7:07:30 AM - System Checkpoint
RP107: 1/26/2011 11:58:58 AM - System Checkpoint
RP108: 1/27/2011 12:07:30 PM - System Checkpoint
RP109: 1/28/2011 12:24:46 PM - System Checkpoint
RP110: 1/29/2011 8:17:52 PM - System Checkpoint
RP111: 1/31/2011 12:09:36 AM - System Checkpoint
RP112: 2/1/2011 1:07:21 AM - System Checkpoint
RP113: 2/2/2011 1:15:27 AM - System Checkpoint
RP114: 2/3/2011 2:08:26 AM - System Checkpoint
RP115: 2/4/2011 3:07:21 AM - System Checkpoint
RP116: 2/5/2011 3:17:37 AM - System Checkpoint
RP117: 2/6/2011 4:07:21 AM - System Checkpoint
RP118: 2/7/2011 5:07:12 AM - System Checkpoint
RP119: 2/7/2011 2:52:46 PM - Installed NovaNET Multimedia Courseware.
RP120: 2/8/2011 5:13:53 PM - Restore Operation
RP121: 2/9/2011 5:43:53 AM - Restore Operation
RP122: 2/9/2011 5:48:50 AM - Restore Operation
RP123: 2/9/2011 1:51:16 PM - Restore Operation

==== Hosts File Hijack ======================

Hosts: 72.52.4.76 www.limewire.com
Hosts: 72.52.4.76 www.frostwire.com
Hosts: 72.52.4.76 www.bit-torrent.com
Hosts: 72.52.4.76 www.bearshare.com
Hosts: 72.52.4.76 www.zeropaid.com
Hosts: 72.52.4.76 www.felmlee.com
Hosts: 72.52.4.76 www.gnutelliums.com
Hosts: 72.52.4.76 phex.sourceforge.net
Hosts: 72.52.4.76 www.revolutionarystuff.com
Hosts: 72.52.4.76 www.xolox.nl
Hosts: 72.52.4.76 www.grokster.com
Hosts: 72.52.4.76 www.morpheus.com
Hosts: 72.52.4.76 www.music-e.net
Hosts: 72.52.4.76 www.chadsmp3s.com
Hosts: 72.52.4.76 www.napster.com
Hosts: 72.52.4.76 www.napstermp3.com
Hosts: 72.52.4.76 www.shareaza.com
Hosts: 72.52.4.76 www.neo-modus.com
Hosts: 72.52.4.76 www.filetopia.org
Hosts: 72.52.4.76 www.imesh.com
Hosts: 72.52.4.76 www.gnutellaforums.com
Hosts: 72.52.4.76 www.kazaa.com
Hosts: 72.52.4.76 www.torrent-finder.com
Hosts: 72.52.4.76 www.sharetv.org
Hosts: 72.52.4.76 www.btjunkie.org
Hosts: 72.52.4.76 www.filemp3.org
Hosts: 72.52.4.76 www.torrentbytes.net
Hosts: 72.52.4.76 www.thepiratebay.org
Hosts: 72.52.4.76 www.torrentz.com
Hosts: 72.52.4.76 www.torrents.to
Hosts: 72.52.4.76 www.torrentmatrix.com
Hosts: 72.52.4.76 www.isohunt.com
Hosts: 72.52.4.76 www.torrent-damage.net
Hosts: 72.52.4.76 www.meganova.org
Hosts: 72.52.4.76 www.fulldls.com
Hosts: 72.52.4.76 www.scrapetorrent.com
Hosts: 72.52.4.76 www.thinktorrent.com
Hosts: 72.52.4.76 www.filelist.org
Hosts: 72.52.4.76 www.torrentlocomotive.com
Hosts: 72.52.4.76 www.porn.com
Hosts: 72.52.4.76 www.whitehouse.com
Hosts: 72.52.4.76 www.xxx.com
Hosts: 72.52.4.76 www.Slyuser.com
Hosts: 72.52.4.76 www.foxyproxy.com
Hosts: 72.52.4.76 www.ugoplayer.com
Hosts: 72.52.4.76 www.rapidojeux.com
Hosts: 72.52.4.76 www.zango.com
Hosts: 72.52.4.76 www.erotic.com
Hosts: 72.52.4.76 www.penthouse.com
Hosts: 72.52.4.76 www.playboy.com
Hosts: 72.52.4.76 www.hustler.com 
==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AMD Processor Driver
Apple Application Support
ATI Display Driver
BitTorrent
CamStudio
Canon Easy-PhotoPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 4.0
Canon MP280 series MP Drivers
Canon MP280 series User Registration
Canon My Printer
Canon Solution Menu EX
Compatibility Pack for the 2007 Office system
Java(TM) 6 Update 16
LSI PCI-SV92EX Soft Modem
McAfee Virus and Spyware Protection Service
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Owl and Mouse U.S. Map Puzzle
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB982381)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows XP (KB898461)
Visual C++ 8.0 x86 Runtime Setup Package
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
YouTube Downloader 2.6.2

==== Event Viewer Messages From Past Week ========

2/9/2011 5:05:51 AM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
2/9/2011 4:34:29 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\PC Tools Security\SDContextExt32.dll. Reference error message: The operation completed successfully. .
2/9/2011 4:34:26 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
2/9/2011 4:34:26 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\PC Tools Security\libkumo.dll. Reference error message: The operation completed successfully. .
2/9/2011 4:34:26 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
2/9/2011 4:23:45 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
2/9/2011 4:23:45 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Canon\Solution Menu EX\MFC80U.DLL. Reference error message: The operation completed successfully. .
2/9/2011 4:23:45 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

==== End Of File ===========================


----------



## Kaljinyu (Jun 20, 2005)

Here's *DDS.txt*

DDS (Ver_10-12-12.02) - NTFSx86 
Run by Parent at 16:03:58.67 on Wed 02/09/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1262 [GMT -5:00]

AV: Total Protection Service *Enabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Parent\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.k12.com
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100930100612.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\desktopui\XTray.Exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 72.52.4.76 www.limewire.com
Hosts: 72.52.4.76 www.frostwire.com
Hosts: 72.52.4.76 www.bit-torrent.com
Hosts: 72.52.4.76 www.bearshare.com
Hosts: 72.52.4.76 www.zeropaid.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-6-18 184888]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-29 214664]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2010-9-29 14144]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2010-9-29 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2010-9-29 282824]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 44800]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2010-9-29 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2010-9-29 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-9-29 34248]

=============== Created Last 30 ================

2011-02-09 18:49:55	--------	d-----w-	c:\docume~1\parent\locals~1\applic~1\Help
2011-02-09 01:31:45	1409	----a-w-	c:\windows\QTFont.for
2011-02-08 22:17:05	--------	d-----w-	c:\windows\system32\wbem\repository\FS
2011-02-08 22:17:05	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-02-07 19:52:47	--------	d-----w-	c:\program files\WPORTAL
2011-02-07 19:48:02	--------	d-----w-	c:\docume~1\parent\applic~1\DAEMON Tools Lite
2011-02-07 19:48:02	--------	d-----w-	c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2011-02-05 06:23:47	--------	d-----w-	c:\docume~1\parent\applic~1\WTablet
2011-02-05 06:23:19	--------	d-----w-	c:\program files\Tablet
2011-01-15 08:13:35	--------	d-----w-	c:\docume~1\parent\applic~1\BitTorrent
2011-01-14 20:24:38	--------	d-sh--w-	c:\documents and settings\parent\IECompatCache

==================== Find3M ====================

============= FINISH: 16:09:48.68 ===============


----------



## Kaljinyu (Jun 20, 2005)

It looks like a problem with the Hosts file, could I just replace/repair it with Hoster/HostsXpert??


----------



## kevinf80 (Mar 21, 2006)

Hiya Kaljinyu,

Proceed as follows :-

*Step 1*

You are running through a Proxy server in IE, if you did not set that up it needs to be reset, follow these instructions:

*Internet Explorer:*
Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". ok, apply (only if applicable), ok.

*Firefox:*
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

*Chrome:*
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

*Safari*

 Launch Safari
 Go to general settings menu 
 Then in Preferences/ Advanced
 Then on line click Proxies change settings ...
 Click Internet Options, then click the Connections tab, click Network Settings.
 Disable option (uncheck) for the use of proxy server ...

*Step 2*

Please download *OTM by OldTimer*.
*Alternative Mirror* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
:Services
:Files
ipconfig /flushdns /c
:Commands
[EmptyTemp]
[ResetHosts]
---------------------------------------------------------------------

Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

*Step 3*

Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

What I'd like in your reply :-

Log from OTM
Log from Malwarebytes
Update on system, issues/concerns?

Kevin
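Added here as a triage example (not code from the thread, nor from DDS, OTM or any other tool it mentions): a Python script that parses Pseudo HJT lines of the kind shown in the DDS.txt above for the two indicators Kevin's Step 1 and the OTM script act on, an IE proxy pointing at a local port and many hostnames funnelled to one routable IP in HOSTS. The sample lines are constructed in the shape of the posted log, and the cluster threshold is an assumption.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of this thread or of the DDS/OTM tools. It checks
the two indicators Kevin acts on above: a HOSTS file that funnels many
domains to one external IP, and an IE proxy that points at the local
machine (the 127.0.0.1:18810 entry behind the redirected searches).
"""
import ipaddress
import re
from collections import defaultdict

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")

def parse_hosts_entries(lines):
    """Group every 'Hosts: <ip> <name>' line as {ip: [names]}."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(m.group(2).lower())
    return dict(by_ip)

def suspicious_hosts(lines, min_cluster=3):
    """Return [(ip, names)] for routable IPs that absorb several names.
    Loopback mappings (ad blocking) are normal; many unrelated public
    sites sent to one routable address is the hijack pattern above."""
    findings = []
    for ip, names in parse_hosts_entries(lines).items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP literal; leave it for manual review
        if addr.is_loopback or addr.is_unspecified:
            continue
        if len(names) >= min_cluster:
            findings.append((ip, sorted(set(names))))
    return findings

def parse_proxy(lines):
    """Return {scheme: 'host:port'} from the first 'ProxyServer = ...' line.
    IE stores 'host:port' for all protocols (keyed '*' here) or a
    ';'-separated list such as 'http=h:p;https=h:p'."""
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        result = {}
        for part in m.group(1).split(";"):
            if "=" in part:
                scheme, target = part.split("=", 1)
                result[scheme.lower()] = target
            elif part:
                result["*"] = part
        return result
    return {}

def local_proxy_findings(lines):
    """Return [(scheme, target)] for proxies that point back at this host.
    A 127.0.0.1:<port> proxy the user never set means a local process
    sits between browser and network and can rewrite search results."""
    hits = []
    for scheme, target in parse_proxy(lines).items():
        host = target.rsplit(":", 1)[0]
        try:
            is_local = ipaddress.ip_address(host).is_loopback
        except ValueError:
            is_local = host.lower() == "localhost"
        if is_local:
            hits.append((scheme, target))
    return hits

# Constructed sample in the shape of the DDS.txt lines posted in this
# thread, plus one benign loopback entry to show it is not flagged.
SAMPLE_LOG = """\
uStart Page = hxxp://www.k12.com
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uURLSearchHooks: H - No File
Hosts: 72.52.4.76 www.limewire.com
Hosts: 72.52.4.76 www.frostwire.com
Hosts: 72.52.4.76 www.bit-torrent.com
Hosts: 72.52.4.76 www.bearshare.com
Hosts: 72.52.4.76 www.zeropaid.com
Hosts: 127.0.0.1 ads.example.invalid
""".splitlines()

def triage(lines):
    """Run both checks and return them as one report dict."""
    return {"hosts_clusters": suspicious_hosts(lines),
            "local_proxies": local_proxy_findings(lines)}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, names in report["hosts_clusters"]:
        print(f"HOSTS funnels {len(names)} names to {ip}")
    for scheme, target in report["local_proxies"]:
        print(f"{scheme} proxy points at the local machine: {target}")
```

Point the script at a saved DDS.txt (`triage(open(path).read().splitlines())`) to get the same two findings a helper reads off the log by eye.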


----------



## Kaljinyu (Jun 20, 2005)

I'll post my OTM log now, as the MalwareBytes log is going to take a while.

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Parent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Parent\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33664 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: Parent
->Temp folder emptied: 2816818 bytes
->Temporary Internet Files folder emptied: 757693115 bytes
->Java cache emptied: 16361947 bytes
->Flash cache emptied: 2835260 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 19250644 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 144528 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 764.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.17.2 log created on 02092011_164458

Files moved on Reboot...

Registry entries deleted on Reboot...


----------



## kevinf80 (Mar 21, 2006)

Are you running the quick scan for Malwarebytes? It should only take between 5 and 15 minutes.


----------



## Kaljinyu (Jun 20, 2005)

Ah. I accidentally selected Full Scan. Okay, hold on.


----------



## Kaljinyu (Jun 20, 2005)

Alright, Quick Scan is done. MalwareBytes Log here.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5725

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/9/2011 9:53:56 PM
mbam-log-2011-02-09 (21-53-56).txt

Scan type: Quick scan
Objects scanned: 134443
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## Kaljinyu (Jun 20, 2005)

Anyway, background searches are still going on, as well as search redirection. The current Hosts file doesn't seem to have any of those hijack sites listed in it anymore, so what's the problem?


----------



## kevinf80 (Mar 21, 2006)

*Please read carefully and follow these steps.*

Download *TDSSKiller* and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on *TDSSKiller.exe* to run the application, then on *Start Scan.*

If an infected file is detected, the default action will be *Cure*, click on *Continue.*

If a suspicious file is detected, the default action will be *Skip*, click on *Continue.*

It may ask you to reboot the computer to complete the process. Click on *Reboot Now*.

If no reboot is required, click on *Report*. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.

Kevin


----------



## Kaljinyu (Jun 20, 2005)

TDSSKiller isn't running, for some reason...


----------



## kevinf80 (Mar 21, 2006)

OK try the following :

Please download *Rkill* and save to your Desktop.

Double-click on the Rkill desktop icon to run the tool.
_If using Vista or Windows 7 right-click on it and Run As Administrator_.
A *black DOS box* will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use *Link 1* from the following list and so on in sequential order until one runs successfully.
*Link 1*

*Link 2*

*Link 3*

*Link 4*

*Link 5*

*Link 6*

A log pops up at the end of the run. This log file is also located at C:\rkill.log. Please post this log in your reply.
If you get an alert from your *own* Security Program, accept it and allow Rkill to run, it is very safe and will not harm your system.
If the alert is from the Infection Malware program (you'll know by the name) leave the alert open and run the same Rkill version again. You may have to run it several times, it may take up to 9 to work.
If the tool does not run from any of the links provided, please let me know.

Try TDSSKiller again...


----------



## Kaljinyu (Jun 20, 2005)

I got a log on the first try, but I didn't notice the DOS box pop up. After I got the log, I tried running TDSSKiller again, but it didn't run. Task Manager showed that when I did click it, *iexplore.exe* started running.

Anyway, here's the log.

_This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish.

Rkill was run on 02/10/2011 at 15:36:33. 
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\runonce.exe

Rkill completed on 02/10/2011 at 15:37:43. 
_


----------



## kevinf80 (Mar 21, 2006)

Re-boot into safe mode, re- run RKill and then try TDSSKiller again


----------



## Kaljinyu (Jun 20, 2005)

Ran RKill in Safe Mode, and this time I did see the black DOS box. But it tried to kill *rundll32.exe*, which restarted Safe Mode. It didn't reboot the computer, but it closed everything and brought me back to the "Windows is running in Safe Mode" message box that appears at the beginning of Safe Mode. I re-entered Safe Mode from there in the middle of RKill's run. Should I not have?

TDSSKiller still didn't run. Maybe TDSSKiller needs to run while Rundll32 isn't running.

Also, the websites and searches running in the background, they also play in the background if there's audio or video. Obviously this didn't happen in Safe Mode, but it does happen in Regular Mode, when Networking is still on. But it did try to search in the background while in Safe Mode. Not much happened. But I did get this address in my History:

http://213.174.149.100/c/A91447/552e18fe4127ab5218a40a34142c6589/M1/0

I've found addresses like this in my History recently, but only while in Safe Mode, which suggests that that IP might be tied to the background searches and websites that are going on.

Anyway, here's the new RKill log.

_This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish.

Rkill was run on 02/10/2011 at 16:27:35. 
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

C:\WINDOWS\System32\rundll32.exe

Rkill completed on 02/10/2011 at 16:28:44. 
_


----------



## kevinf80 (Mar 21, 2006)

OK, re-boot into safe mode with networking:

Re-boot PC and continuously tap the F8 key until you see the Windows Advanced Menu, from the available options select *Safe Mode with Networking*. Next,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

*Combofix*

Don't forget *Combofix* must be saved to your desktop, do not save to or run from anywhere else. *<--Very important*

Before saving Combofix to the Desktop, re-name it to Gotcha.exe.

Ensure you have *disabled your Firewall and all anti virus and anti malware programs* so they do not interfere with the running of ComboFix. *<---Very important*

Please include the *C:\ComboFix.txt* in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

*Disable realtime protection*

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal.
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted).

If Combofix re-boots your system be on hand to force back into safe mode again. Post the log that is produced.

Kevin


----------



## Kaljinyu (Jun 20, 2005)

Is it possible to schedule TDSSKiller immediately at boot, before any blocking malware can stop it?


----------



## kevinf80 (Mar 21, 2006)

We've cross posted, try CF as per instruction in #19


----------



## Kaljinyu (Jun 20, 2005)

Oh, just got your instructions. Alright, off to do that.


----------



## Kaljinyu (Jun 20, 2005)

In the meantime, I should let you know that something keeps turning on AutoComplete in my Internet Options/Settings. Also, I've restricted that IP in my Security settings.


----------



## kevinf80 (Mar 21, 2006)

OK lets see what Combofix shows up


----------



## Kaljinyu (Jun 20, 2005)

Finally got a chance to run ComboFix, not sure if the culprit is supposed to be found yet but I think it might be tied to this new malware going around since about 2 days ago. AntiVira Av, or Anti-Vira Av. It's from the Antivirus .NET malware family.

Anyway, here's the log.

_ComboFix 11-02-09.05 - Parent 02/10/2011 23:00:42.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1523 [GMT -5:00]
Running from: c:\documents and settings\Parent\Desktop\Gotcha.exe
AV: Total Protection Service *Enabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Parent\Recent\Thumbs.db
c:\windows\system\oeminfo.ini
c:\windows\system\WINSPOOL.DRV

c:\windows\system32\msgsvc.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-01-11 to 2011-02-11 )))))))))))))))))))))))))))))))
.

2011-02-09 22:01 . 2011-02-09 22:01	--------	d-----w-	c:\documents and settings\Parent\Application Data\Malwarebytes
2011-02-09 22:01 . 2010-12-20 23:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-09 22:01 . 2011-02-09 22:01	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-09 22:01 . 2010-12-20 23:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-02-09 22:01 . 2011-02-09 22:01	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-02-09 18:49 . 2011-02-09 18:49	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2011-02-09 18:49 . 2011-02-09 18:49	--------	d-----w-	c:\documents and settings\Parent\Local Settings\Application Data\Help
2011-02-09 01:31 . 2011-02-09 01:31	1409	----a-w-	c:\windows\QTFont.for
2011-02-08 22:17 . 2011-02-08 22:17	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-02-08 19:51 . 2011-02-08 19:51	--------	d-sh--w-	c:\windows\system32\config\systemprofile\IETldCache
2011-02-07 19:52 . 2011-02-09 18:48	--------	d-----w-	c:\program files\WPORTAL
2011-02-07 19:48 . 2011-02-09 18:49	--------	d-----w-	c:\documents and settings\Parent\Application Data\DAEMON Tools Lite
2011-02-07 19:48 . 2011-02-07 19:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2011-02-05 06:23 . 2011-02-05 06:23	--------	d-----w-	c:\documents and settings\Parent\Application Data\WTablet
2011-02-05 06:23 . 2011-02-09 18:48	--------	d-----w-	c:\program files\Tablet
2011-02-04 17:03 . 2011-02-09 18:48	--------	d-----w-	c:\program files\Microsoft Silverlight
2011-01-15 08:13 . 2011-01-23 11:15	--------	d-----w-	c:\documents and settings\Parent\Application Data\BitTorrent
2011-01-14 20:24 . 2011-01-14 20:24	--------	d-sh--w-	c:\documents and settings\Parent\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2002-12-31 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-10 19523616]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.Exe" [2010-07-24 476480]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2010-07-24 476480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/18/2010 2:10 PM 184888]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [9/29/2010 11:43 AM 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [9/29/2010 11:43 AM 282824]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/31/2002 7:00 AM 44800]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.k12.com
uInternet Settings,ProxyServer = http=127.0.0.1:18810
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BitTorrent - e:\programs - toolkits\BitTorrent\BitTorrent.exe
AddRemove-CamStudio - e:\camstudio\uninstall.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx
AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - e:\youtube downloader\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 23:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3428)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-02-10 23:40:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-11 04:40

Pre-Run: 133,060,952,064 bytes free
Post-Run: 133,627,408,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 63B7471E55990F0C2636349DD4F2E252
_
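A small triage script, added here as an example and not part of the thread or of ComboFix, that pulls out of a ComboFix-style log the kinds of entries the helper later puts into the CFScript: the file flagged as infected, the driver that fails Sigcheck, an IE proxy pointed at 127.0.0.1 (a loopback proxy routes the browser's traffic through a local program, which fits the redirected searches described), and Trusted Zone entries that name a file rather than a host. The sample lines are constructed from the log above; the regexes and category names are my own.

```python
import re

# Constructed sample in ComboFix's own line format (taken from the posted log).
SAMPLE_LOG = r"""
c:\windows\system32\msgsvc.dll . . . is infected!!
[-] 2002-12-31 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
uStart Page = hxxp://www.k12.com
uInternet Settings,ProxyServer = http=127.0.0.1:18810
Trusted Zone: //about.htm/
Trusted Zone: mcafee.com\*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
"""

# "<path> . . . is infected!!" : a system file ComboFix found patched.
INFECTED = re.compile(r"^(?P<path>[a-z]:\\.*?) \. \. \. is infected!!$", re.I)
# Sigcheck lines start with [-] when the file's signature does not verify.
SIGCHECK_FAIL = re.compile(r"^\[-\] .* \. \. (?P<path>[a-z]:\\.+)$", re.I)
# An IE proxy on the loopback address means a local process sits in the
# browser's path; "http=" or similar protocol prefixes are optional.
PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?"
    r"(?P<proxy>(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?)", re.I)
TRUSTED = re.compile(r"^Trusted Zone:\s*(?P<entry>\S+)")


def triage(log_text):
    """Return (category, value) pairs for the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED.match(line)
        if m:
            findings.append(("infected_file", m.group("path")))
            continue
        m = SIGCHECK_FAIL.match(line)
        if m:
            findings.append(("sigcheck_failed", m.group("path")))
            continue
        m = PROXY.search(line)
        if m:
            findings.append(("loopback_proxy", m.group("proxy")))
            continue
        m = TRUSTED.match(line)
        # A trusted-zone entry with no host name ("//about.htm/") is unusual
        # and worth listing; host-based entries such as mcafee.com are not.
        if m and m.group("entry").startswith("//"):
            findings.append(("hostless_trusted_zone", m.group("entry")))
    return findings


if __name__ == "__main__":
    for category, value in triage(SAMPLE_LOG):
        print(f"{category:22} {value}")
```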


----------



## kevinf80 (Mar 21, 2006)

Hiya Kaljinyu

Proceed as follows please :-

*Step 1*

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::

SRPeek::
c:\windows\system32\msgsvc.dll
c:\windows\system32\drivers\tcpip.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:18810
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
```
Save this as *CFScript.txt*, in the same location as ComboFix.exe

[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

*Step 2*

Re-open Malwarebytes, make sure to check for updates and run a quick scan. Deal with anything it finds.

Post the logs from Combofix and Malwarebytes in your reply.

Kevin


----------



## Kaljinyu (Jun 20, 2005)

Yikes, I just realized, McAfee Total Protection Service is still on, and has been on all this time. I thought I had disabled it, but I didn't. The applicable instructions weren't really available in that link that had the instructions. 

During that last ComboFix run I am positive it interfered and deleted one of ComboFix's files as a false positive. How do I turn it off?


----------



## Kaljinyu (Jun 20, 2005)

Alright, I think it's off. For real this time. Can we start again?


----------



## kevinf80 (Mar 21, 2006)

Can you run Combofix script as in post 26?


----------



## Kaljinyu (Jun 20, 2005)

I'm gonna run it later today. I can't run it right now. But I'll post the results.


----------



## kevinf80 (Mar 21, 2006)

OK Buddy, any time you're ready....


----------



## Kaljinyu (Jun 20, 2005)

Okay, I _think_ Combofix ran without a hitch, there's a log, but I think the first time I ran Combofix, with Total Protection Service still on, something was interrupted. Combofix uses *CF7834.cfxxe* to run its script, right? Well my CF7834.cfxxe is still the one from when Total Protection Service is running.

Background searches and redirects are still going on. Maybe I should try running it in Safe Mode?

The folders C:\32788R22FWJFW and C:\Gotcha are just sitting there, along with CF7834.cfxxe. Logs coming up.


----------



## Kaljinyu (Jun 20, 2005)

Here's the *ComboFix* log. I didn't read it, but it looks old, and it didn't pop up at the end of the run. That also suggests that it's old.



----------



## Kaljinyu (Jun 20, 2005)

Here's the MalwareBytes Quick Scan log.

_Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5725

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/12/2011 7:10:32 AM
mbam-log-2011-02-12 (07-10-32).txt

Scan type: Quick scan
Objects scanned: 141240
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_


----------



## Kaljinyu (Jun 20, 2005)

I just noticed a log called *Catchme.log*, did I already post that? Did you need that?


----------



## kevinf80 (Mar 21, 2006)

Hiya Kaljinyu,

Yep, that's the log from the initial run of Combofix, proceed as follows please...

*Step 1*

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::

SRPeek::
c:\windows\system32\msgsvc.dll
c:\windows\system32\drivers\tcpip.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:18810
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
```
Save this as *CFScript.txt*, in the same location as ComboFix.exe

[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

*Disable realtime protection*

*Step 2*

*Run ESET Online Scan*

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
*ESET OnlineScan*
Click the [image] button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on [image] to download the ESET Smart Installer. *Save* it to your desktop.
Double click on the [image] icon on your desktop.

Check [image]
Click the [image] button.
Accept any security warnings from your browser.
Check [image]
Leave the tick out of *remove found threats*
Push the *Start* button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push [image]
Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the [image] button.
Push [image]
You can refer to *this animation* by *neomage* if needed.
Frequently asked questions available *Here* *Please read them before running the scan.*

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

Post the two logs in your reply please, also tell me if your system has improved

Kevin..


----------



## Kaljinyu (Jun 20, 2005)

It's been a while, sorry to hold up the project. I just ran ComboFix ("Gotcha") with the new script. The computer restarted, but no log popped up. I have yet to try ESET Online Scan.


----------



## kevinf80 (Mar 21, 2006)

The log should be here *C:\ComboFix.txt* I need to see that....


----------



## Kaljinyu (Jun 20, 2005)

Still old, I think. I didn't read it.

ComboFix 11-02-09.05 - Parent 02/10/2011 23:00:42.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1523 [GMT -5:00]
Running from: c:\documents and settings\Parent\Desktop\Gotcha.exe
AV: Total Protection Service *Enabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Parent\Recent\Thumbs.db
c:\windows\system\oeminfo.ini
c:\windows\system\WINSPOOL.DRV

c:\windows\system32\msgsvc.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-01-11 to 2011-02-11 )))))))))))))))))))))))))))))))
.

2011-02-09 22:01 . 2011-02-09 22:01	--------	d-----w-	c:\documents and settings\Parent\Application Data\Malwarebytes
2011-02-09 22:01 . 2010-12-20 23:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-09 22:01 . 2011-02-09 22:01	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-09 22:01 . 2010-12-20 23:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-02-09 22:01 . 2011-02-09 22:01	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-02-09 18:49 . 2011-02-09 18:49	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2011-02-09 18:49 . 2011-02-09 18:49	--------	d-----w-	c:\documents and settings\Parent\Local Settings\Application Data\Help
2011-02-09 01:31 . 2011-02-09 01:31	1409	----a-w-	c:\windows\QTFont.for
2011-02-08 22:17 . 2011-02-08 22:17	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-02-08 19:51 . 2011-02-08 19:51	--------	d-sh--w-	c:\windows\system32\config\systemprofile\IETldCache
2011-02-07 19:52 . 2011-02-09 18:48	--------	d-----w-	c:\program files\WPORTAL
2011-02-07 19:48 . 2011-02-09 18:49	--------	d-----w-	c:\documents and settings\Parent\Application Data\DAEMON Tools Lite
2011-02-07 19:48 . 2011-02-07 19:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2011-02-05 06:23 . 2011-02-05 06:23	--------	d-----w-	c:\documents and settings\Parent\Application Data\WTablet
2011-02-05 06:23 . 2011-02-09 18:48	--------	d-----w-	c:\program files\Tablet
2011-02-04 17:03 . 2011-02-09 18:48	--------	d-----w-	c:\program files\Microsoft Silverlight
2011-01-15 08:13 . 2011-01-23 11:15	--------	d-----w-	c:\documents and settings\Parent\Application Data\BitTorrent
2011-01-14 20:24 . 2011-01-14 20:24	--------	d-sh--w-	c:\documents and settings\Parent\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2002-12-31 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-10 19523616]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.Exe" [2010-07-24 476480]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2010-07-24 476480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/18/2010 2:10 PM 184888]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [9/29/2010 11:43 AM 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [9/29/2010 11:43 AM 282824]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/31/2002 7:00 AM 44800]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.k12.com
uInternet Settings,ProxyServer = http=127.0.0.1:18810
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BitTorrent - e:\programs - toolkits\BitTorrent\BitTorrent.exe
AddRemove-CamStudio - e:\camstudio\uninstall.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx
AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - e:\youtube downloader\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 23:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3428)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-02-10 23:40:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-11 04:40

Pre-Run: 133,060,952,064 bytes free
Post-Run: 133,627,408,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 63B7471E55990F0C2636349DD4F2E252


----------



## kevinf80 (Mar 21, 2006)

That is the old log, I need to see the latest one. It should be here: *C:\ComboFix.txt*. There is also a folder, *C:\Combofix*; see if there are logs in there?


----------



## Kaljinyu (Jun 20, 2005)

Nope, that is the only ComboFix.txt log in the C: drive.

As for a ComboFix folder, there isn't one. There is a Gotcha folder, but all it has is *CF7834.cfxxe*.


----------



## kevinf80 (Mar 21, 2006)

Run Combofix and ESET as instructed in post #36


----------



## Kaljinyu (Jun 20, 2005)

Again? But that's what I did, with the new script you gave me, and I never got a log. I'll try it as detailed in Post 36 again.


----------



## Kaljinyu (Jun 20, 2005)

No new log, still, for some reason.


----------



## kevinf80 (Mar 21, 2006)

mmm, very strange. OK, delete Combofix (Gotcha) from your Desktop. From Normal mode, download Combofix from either of these links and save to your *Desktop* (that is very important). Do not re-name this time:-

*Link 1*
*Link 2*

Ensure you have *disabled your Firewall and all anti virus and anti malware programs* so they do not interfere with the running of ComboFix. *<---Very important*

*How to disable realtime protection*

Double click the ComboFix icon to run it; Windows 7 or Vista users right click and select "Run as Administrator". Run as before and post the log in your reply.

Next,

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
msgsvc.dll
tcpip.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

Post the two logs in your reply, also tell me what specific issues remain...

Kevin


----------



## Kaljinyu (Jun 20, 2005)

Before I do this, I just noticed, McAfee Total Protection Service turns back on when I restart my computer, is that bad?


----------



## kevinf80 (Mar 21, 2006)

yep, it will stop combofix dead in its tracks


----------



## Kaljinyu (Jun 20, 2005)

The problem is, I deactivate it when my computer is on, but when ComboFix restarts my computer, it's back on again. There's no way to stop that from happening?


----------



## kevinf80 (Mar 21, 2006)

Uninstall it....


----------



## Kaljinyu (Jun 20, 2005)

I guess it's my only choice. It was pointless and outdated anyway.

I'm gonna uninstall it. While I do that, I should point out that this malware is not only turning AutoComplete on in secret, but it's changing my sound scheme so that Windows Navigation Start (the little "click" noise) doesn't play when I click things.


----------



## kevinf80 (Mar 21, 2006)

Go *Here* and follow the instructions to completely remove McAfee from your system.

Run Combofix as previously instructed and post the log, try without renaming first.


----------



## Kaljinyu (Jun 20, 2005)

Should I delete the Gotcha folder in the C drive?


----------



## kevinf80 (Mar 21, 2006)

Just leave it for now


----------



## Kaljinyu (Jun 20, 2005)

But I do delete Gotcha (ComboFix) and download a new one, right?


----------



## kevinf80 (Mar 21, 2006)

That is correct, delete Gotcha from the Desktop, d/l a fresh copy of Combofix from either of the following links :-

*Link 1*
*Link 2*

Do not re-name it this time, turn off all security and run as you've done previously, post the log..


----------



## Kaljinyu (Jun 20, 2005)

I can't find McAfee on my Add/Remove programs list. Is it something that is only uninstallable by the Administrator? I'm gonna try that.


----------



## kevinf80 (Mar 21, 2006)

Go *Here* and download the McAfee removal tool, save it to your *Desktop*. Double click the tool to run it, Vista or Windows 7 users right click and select "Run as Administrator" re-boot when requested to complete the task.

McAfee gone?


----------



## Kaljinyu (Jun 20, 2005)

Alright, McAfee's gone. Getting ready to do the ComboFix run.


----------



## Kaljinyu (Jun 20, 2005)

Wait, should I do as instructed in Post 36, or 45?


----------



## kevinf80 (Mar 21, 2006)

As in post #55


----------



## Kaljinyu (Jun 20, 2005)

So download a new copy of Combofix, and then do what? Run as in Post 36, with the CFScript?


----------



## kevinf80 (Mar 21, 2006)

Run a new scan, no script. Download the new version to your Desktop, do not rename. Turn off all security. Double click the icon to run it. Post new log when finished


----------



## Kaljinyu (Jun 20, 2005)

It's been about two days so I've got some things to fill you in on...

I let ComboFix run, I got the legal disclaimer, and got up to the blue DOS window, and then I got a message box stating that *Volsnap.sys* had been patched with a rootkit, and that ComboFix was attempting to disinfect it. I clicked okay, and waited. Nothing happened for hours, so I kept waiting.

Eventually someone used the infected computer and I don't know what happened to the ComboFix DOS window. D= No new ComboFix log, but ComboFix did run, and it saved one of those ComboFix "directories" in the C drive.

Also, while I was gone, this computer got afflicted with the *System Tool* fake antivirus program malware. It's similar to that new *Antivira Av* thing going around. I deleted the program and the registry entries associated with it, and am not having any System Tool problems as far as I know. *Note: I still haven't solved this ClickFew/FindUpset thing, just saying that I got infected with something else, but solved it, as far as I know.*

Anyway, since then, I've noticed a change in my Boot Options. Don't know if it's of any consequence. Amongst Windows XP Professional and Windows Recovery Console, one of the options is *"do not select this [debugger enabled]"*. Is that related to the original malware problem? System Tool, which I assumed I got rid of, something else, or is it something safe that I need not worry about?


----------



## Kaljinyu (Jun 20, 2005)

Looked into it some more, looks like that additional Boot Option is an after effect of ComboFix. From what I can gather...


----------



## kevinf80 (Mar 21, 2006)

It's pointless me trying to help you if you are allowing others to just do as they please with your computer and become infected.
Your best option is to re-format your HD and re-install your operating system......


----------



## Kaljinyu (Jun 20, 2005)

I know, I'm sorry, but I can make sure no one else uses it, and System Tool I'm fairly certain is completely gone, so we're back to square one, right?

Is it really too late?


----------



## kevinf80 (Mar 21, 2006)

OK, last chance, let's start over. Delete any version of Combofix you have on your Desktop, don't worry about any files or folders that CF created previously, leave them intact.

Download a fresh copy of Combofix from any of the following links, save to your Desktop, turn off all security then double click the CF icon to run it. Windows 7 or Vista users right click and select run as administrator.

*Link 1*
*Link 2*

Post the log in your reply, you've run Combofix previously so you know what to do.

Thanks,

Kevin


----------



## Kaljinyu (Jun 20, 2005)

Alright, locked up the computer in a "server room" of sorts so that no one will touch it. Started from scratch, like you said. Like before, I got the "Volsnap.sys is patched with a rootkit" message, I clicked okay, and let it run.

It's been running for about 4 hours now. I'm on a different computer typing this.


----------



## kevinf80 (Mar 21, 2006)

Four hours is a long time for a cf run, has it hung up?


----------



## Kaljinyu (Jun 20, 2005)

I don't know if it's hung up, it just looks like a blue DOS window. It doesn't move.


----------



## kevinf80 (Mar 21, 2006)

Give it another 30 minutes, if no change power off and reboot. See if it produces a log,


----------



## Kaljinyu (Jun 20, 2005)

Alright, 30 more minutes.


----------



## kevinf80 (Mar 21, 2006)

OK let me know what happens


----------



## Kaljinyu (Jun 20, 2005)

It didn't stop, so I rebooted. No log. Frown...


----------



## kevinf80 (Mar 21, 2006)

OK, last try. Give Combofix a try from Safe Mode with Networking, you've had the instructions previously


----------



## Kaljinyu (Jun 20, 2005)

Last try? I'm nervous. Fingers crossed, let's hope something happens...


----------



## Kaljinyu (Jun 20, 2005)

Hold on, I haven't done it yet, but you should know that right now I'm not getting redirected on Google. And I'm not noticing any background searches right now either. Should I still run it? I was having the problems a few hours ago, and they suddenly disappeared. That doesn't mean they're gone though.


----------



## kevinf80 (Mar 21, 2006)

Hiya Kaljinyu,

I'm not sure why the re-directs have stopped, I'd still run Combofix and post the log.

Kevin


----------



## Kaljinyu (Jun 20, 2005)

Sorry for the delay of several days. Log is here. Still no problems with re-directing.

_ComboFix 11-03-16.03 - Parent 03/17/2011 7:42.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1546 [GMT -5:00]
Running from: c:\documents and settings\Parent\Desktop\ComboFix.exe
AV: Total Protection Service *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Shared
c:\program files\Shared\shared.sig
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected 
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll 
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected 
Restored copy from - Kitty had a snack  
.
((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))
.
.
2011-03-15 21:14 . 2011-03-15 21:14	--------	d-----w-	c:\documents and settings\LocalService\Application Data\McAfee
2011-03-06 21:18 . 2011-03-06 21:18	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-03-06 21:13 . 2011-03-15 21:14	--------	d-----w-	c:\program files\McAfee Security Scan
2011-03-06 21:13 . 2011-03-06 21:13	--------	d-----w-	c:\documents and settings\All Users\Application Data\McAfee
2011-03-06 21:13 . 2011-03-06 21:13	--------	d-----w-	c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-03-06 21:12 . 2011-03-06 21:12	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-03-06 21:12 . 2011-03-06 21:13	--------	d-----w-	c:\documents and settings\Parent\Local Settings\Application Data\Google
2011-03-06 21:12 . 2011-03-06 21:12	--------	d-----w-	c:\program files\Google
2011-03-05 08:51 . 2011-03-05 08:52	--------	d-----w-	C:\OutputFolder
2011-03-04 02:23 . 2011-03-04 12:37	--------	d-----w-	c:\documents and settings\Parent\Application Data\.minecraft
2011-02-23 19:57 . 2011-02-23 19:57	1409	----a-w-	c:\windows\QTFont.for
2011-02-23 19:11 . 2009-05-10 20:18	203576	----a-w-	c:\windows\system32\RICHTX32.OCX
2011-02-23 09:00 . 2011-02-23 09:00	--------	d-----w-	c:\program files\Veoh Networks
2011-02-19 17:50 . 2011-02-19 17:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\cInGdIh06504
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2011-02-09 22:01	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-02-09 22:01	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
.
[-] 2002-12-31 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_04.26.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-17 12:50 . 2011-03-17 12:50	16384 c:\windows\temp\Perflib_Perfdata_698.dat
+ 2009-05-11 02:11 . 2009-05-11 02:11	40960 c:\windows\system32\vbCrypt.dll
+ 2002-12-31 12:00 . 2011-03-17 12:42	40836 c:\windows\system32\perfc009.dat
+ 2010-06-18 22:49 . 2011-02-19 18:16	32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-18 22:49 . 2011-02-11 04:24	32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-18 22:49 . 2011-02-11 04:24	16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-18 22:49 . 2011-02-19 18:16	16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-18 22:49 . 2011-02-19 18:16	16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-06-18 22:49 . 2011-02-11 04:24	16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-03-06 21:13 . 2011-03-06 21:13	21504 c:\windows\Installer\183ad558.msi
+ 2011-03-06 21:12 . 2011-03-06 21:12	24064 c:\windows\Installer\183ad54e.msi
+ 2002-12-31 12:00 . 2011-03-17 12:42	314508 c:\windows\system32\perfh009.dat
+ 2009-08-07 00:23 . 2009-08-07 00:23	215904 c:\windows\system32\muweb.dll
+ 2011-03-06 03:57 . 2011-03-06 03:57	234656 c:\windows\system32\Macromed\Flash\FlashUtil10n_ActiveX.exe
+ 2011-03-06 03:57 . 2011-03-06 03:57	311456 c:\windows\system32\Macromed\Flash\FlashUtil10n_ActiveX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-10 19523616]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Parent\\Desktop\\Jordan's Files (to be saved and moved later)\\Server\\Server.exe"=
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/18/2010 2:10 PM 184888]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/31/2002 7:00 AM 44800]
S2 EngineServer;EngineServer;"c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe" --> c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 4:12 PM 136176]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe" /ServiceStart --> c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 21:12]
.
2011-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 21:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.k12.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-McAfee Managed Services Tray - c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.Exe
HKLM-Run-MVS Splash - c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 07:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-17 07:51:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-17 12:51
ComboFix2.txt 2011-02-11 04:40
.
Pre-Run: 136,033,665,024 bytes free
Post-Run: 136,803,123,200 bytes free
.
- - End Of File - - E667ADA32AE91D12E48BEF93B25A8774
_

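As an added example (not ComboFix's code, and not a tool either poster ran), the Python below parses the lines that matter from the February log earlier in the thread and the March log just posted: it flags the `ProxyServer` entry pointing at 127.0.0.1 (a proxy on the machine itself, which is how a local process can sit between the browser and the search engine), records the MD5 from the Sigcheck `[-]` line for tcpip.sys (the hash later checked at VirusTotal), notes the Security Center `DisableMonitoring` key, and diffs the two runs. The sample lines are copied from the two logs in this thread; the check names are invented here.

```python
"""Triage a ComboFix-style log for the findings that matter in this thread.

Added example: not ComboFix's code and not a tool either poster ran.
Sample lines are copied from the February and March logs in the thread,
trimmed to the sections the checks look at. Check names are made up here.
"""
import ipaddress
import re
from dataclasses import dataclass

# Lines copied from the February ComboFix log in the thread (trimmed).
FEB_LOG = r"""
[-] 2002-12-31 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
uStart Page = hxxp://www.k12.com
uInternet Settings,ProxyServer = http=127.0.0.1:18810
""".splitlines()

# Lines copied from the March log (after msgsvc.dll and volsnap.sys were
# disinfected); the ProxyServer and DisableMonitoring lines are gone.
MAR_LOG = r"""
[-] 2002-12-31 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
uStart Page = hxxp://www.k12.com
""".splitlines()

# "[-]" marks a file whose signature check failed; keep its MD5 and path so
# the hash can be looked up at a reputation service (the thread used VirusTotal).
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+\S+\s+\.\s+(?P<md5>[0-9a-f]{32})\s+\.\s+(?P<size>\d+)\s+"
    r".*?(?P<path>[a-z]:\\.*)$", re.IGNORECASE)
# IE proxy setting as ComboFix prints it: "ProxyServer = http=host:port;..."
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
# Security Center told not to monitor a product: alerts for it are muted.
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def proxy_targets(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples."""
    out = []
    for entry in value.split(";"):
        scheme, sep, hostport = entry.partition("=")
        if not sep:                      # bare "host:port" applies to all schemes
            scheme, hostport = "*", entry
        host, _, port = hostport.rpartition(":")
        if not host:                     # no port given
            host, port = hostport, ""
        out.append((scheme, host, port))
    return out


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost': a proxy on the machine itself."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(lines):
    """Walk the log once and return the findings in the order they appear."""
    findings = []
    current_key = ""                     # last "[HK...]" registry key seen
    for raw in lines:
        line = raw.strip()
        if line.startswith("[HK"):
            current_key = line.strip("[]")
            continue
        if DISABLE_MON_RE.search(line) and "security center" in current_key.lower():
            product = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding("securitycenter-muted", product))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            findings.append(Finding(
                "sigcheck-fail",
                f"{m['path']} md5={m['md5'].lower()} size={m['size']}"))
            continue
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in proxy_targets(m["value"]):
                if is_loopback(host):
                    findings.append(Finding("loopback-proxy", f"{scheme}://{host}:{port}"))
    return findings


def compare(before, after):
    """Return (resolved, new): findings that disappeared / appeared between runs."""
    b, a = set(triage(before)), set(triage(after))
    return b - a, a - b


if __name__ == "__main__":
    resolved, new = compare(FEB_LOG, MAR_LOG)
    for tag, group in (("FEB", triage(FEB_LOG)), ("RESOLVED", resolved), ("NEW", new)):
        for f in group:
            print(f"{tag:9} {f.kind:22} {f.detail}")
```

The one finding common to both runs is the tcpip.sys Sigcheck line, which is why the thread goes on to hash-check that file rather than the proxy setting.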

----------



## kevinf80 (Mar 21, 2006)

I see Combofix was busy again, you seem to pick up infections very easily... run the following :-

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
tcpip.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## Kaljinyu (Jun 20, 2005)

Here's the SystemLook log.

SystemLook 04.09.10 by jpshortstuff
Log created at 01:27 on 23/03/2011 by Parent
Administrator - Elevation successful

========== filefind ==========

Searching for "tcpip.sys"
C:\WINDOWS\system32\drivers\tcpip.sys	--a---- 361344 bytes	[12:00 31/12/2002]	[12:00 31/12/2002] ACCF5A9A1FFAA490F33DBA1C632B95E1

-= EOF =-


----------



## kevinf80 (Mar 21, 2006)

OK, let's have that file checked out at VirusTotal

*Upload a File to Virustotal*
Please visit *Virustotal*

 Click the *Browse...* button
 Navigate to the file *C:\WINDOWS\system32\drivers\tcpip.sys*
 Click the *Open* button
 Click the *Send* button
 If you get a message saying File has already been analyzed: click Reanalyze file now
 Copy and paste the results back here please.


----------



## Kaljinyu (Jun 20, 2005)

I got a File already submitted message at the finish screen. Do I click Reanalyze, or was I waiting for a different message? Here's the results so far.

_MD5: accf5a9a1ffaa490f33dba1c632b95e1 
Date first seen: 2009-02-18 01:25:58 (UTC) 
Date last seen: 2011-03-23 19:35:47 (UTC) 
Detection ratio: 0/41 
_


----------



## Kaljinyu (Jun 20, 2005)

Here's the reanalysis.

_File name: tcpip.sys
Submission date: 2011-03-23 19:40:45 (UTC)
Current status: queued queued analysing finished

Result: 0/ 42 (0.0%)
_


----------



## kevinf80 (Mar 21, 2006)

How is your system responding, any issues?


----------



## Kaljinyu (Jun 20, 2005)

Everything is super smooth, no problems at all.


----------



## kevinf80 (Mar 21, 2006)

Hiya Kaljinyu,

As follows please,

*Step 1*

Remove Combofix now that we're done with it

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

 Please follow the prompts to uninstall Combofix.
 You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:

 ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:_OtMoveIt folder, if present
 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Reset System Restore.

*Step 2*


Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click the icon to start the program. 
If you are using Vista or Windows 7, please right-click and choose run as administrator
Then click the big button.
You will get a prompt saying "_Begining Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.

*Step 3*

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. 
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. 
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 24.


 Go to *Sun Java*
 Select *Windows 7/XP/Vista/2000/2003/2008* If using 64 bit OS Select *Information about the 64-bit Java plug-in* and follow prompts
 Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
 Reboot your computer

*Step 4*

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

Please go to the link below to update.

*Adobe Reader* Untick the Free McAfee® Security Scan Plus

*Step 5*

*Download and scan with * *CCleaner*

1. Use either one of the two free links below the Premium version.
2. Before first use, *select Options > Advanced and UNCHECK* "*Only delete files in Windows Temp folder older than 24 hours*"
3. Then select the items you wish to clean up.

*In the Windows Tab*:


 * Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.* 
 *Clean all the entries in the "Windows Explorer" section.*
 *Clean all entries in the "System" section.* 
 *Clean all entries in the "Advanced" section.* 
 *Clean any others that you choose.*

*In the Applications Tab*: 

 *Clean all except cookies in the Firefox/Mozilla section if you use it.*
 *Clean all in the Opera section if you use it.* 
 *Clean Sun Java in the Internet Section.* 
 *Clean any others that you choose.*
 *Make sure "Wipe free space" is unticked, this will dramatically increase scan time if selected.* 

4. Click the "*Run Cleaner*" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "*OK*" and it will scan and clean your system.
7. Click "*exit*" when done.

Let me know if the above steps completed OK, also if any remaining issue...

Kevin


----------



## Kaljinyu (Jun 20, 2005)

Okay, it's finally all done. Everything went off without a hitch, no other issues remain.


----------



## kevinf80 (Mar 21, 2006)

OK, thanks for coming back and letting us know, I'll mark this one as resolved...

Kevin


----------



## Kaljinyu (Jun 20, 2005)

Yep, resolved. Problem resolved, nothing more to see here except maybe people looking for solutions.


----------



## kevinf80 (Mar 21, 2006)

Yep, that's why we're here!


----------

