Solved

Can't access Microsoft, Symantec and others. Links get redirected. Virus! Help:).

Posted on 2011-02-22
Last Modified: 2016-12-08
Hi guys,

I believe I have a virus on my system, as all of the links I try to click on in Google send me to other web pages, one of which is called hugosearch. I can't access Microsoft.com, Symantec or malware sites.

I have run Malwarebytes and it found nothing; Comodo was running and it found nothing either, although both did find things a few days ago and deleted them. Now they find nothing, but the problem is ongoing.

There is a folder C:\Program Files\cbgrwsqt which I tried deleting, but it says I can't because the directory is not empty!

Any help would be great, chaps.

I've got my HijackThis log here:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:23:32, on 22/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Atlassian\JIRA 4.1.2\bin\tomcat6.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\cbgrwsqt\khuehsak.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [Hercules DJ Series] C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe /boot
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
O16 - DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} (P3DActiveX Control) - http://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Atlassian JIRA 4.1.2 6 (Tomcat6) - Apache Software Foundation - C:\Program Files\Atlassian\JIRA 4.1.2\bin\tomcat6.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11561 bytes
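The F2 line in the log above carries a second path after userinit.exe, and the ComboFix output posted later in the thread shows the same Winlogon Userinit value with an extra entry. On Windows XP that value normally holds only the stock userinit.exe (with a trailing comma); anything else listed there is launched at every interactive logon, so it is one of the cheapest checks to run over a HijackThis or ComboFix log. The Python checker below is an added example for this thread, not part of HijackThis, ComboFix or any reply; the sample log text it scans is constructed to mirror the lines quoted on this page.

```python
"""Flag non-default Userinit entries in HijackThis / ComboFix output.

Added illustration for this thread; it is not part of HijackThis, ComboFix
or any expert's reply.  On Windows XP the Winlogon Userinit value normally
holds only %SystemRoot%\\system32\\userinit.exe (with a trailing comma);
every extra comma-separated path is launched at each interactive logon,
which makes the value a common persistence point and a cheap check.
The sample log text below is constructed to mirror the lines quoted in
the thread."""
import re

# HijackThis F2 line and the ComboFix "Reg Loading Points" form of the same value.
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.IGNORECASE)
REG_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"$', re.IGNORECASE)


def split_userinit(value):
    """Split the comma list, dropping the empty field that a trailing or
    doubled comma produces (both forms appear in the thread's logs)."""
    return [part.strip().strip('"') for part in value.split(",") if part.strip()]


def is_stock_userinit(entry):
    """True for <anything>\\system32\\userinit.exe, regardless of case or drive."""
    parts = entry.lower().replace("/", "\\").split("\\")
    return len(parts) >= 2 and parts[-1] == "userinit.exe" and parts[-2] == "system32"


def audit_userinit(value):
    """Return every entry that is not the stock userinit.exe."""
    return [e for e in split_userinit(value) if not is_stock_userinit(e)]


def scan_log(text):
    """Return [(line_number, [extra entries])] for each Userinit line with extras."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        match = F2_RE.match(raw.strip()) or REG_RE.match(raw.strip())
        if match:
            extras = audit_userinit(match.group("value"))
            if extras:
                findings.append((number, extras))
    return findings


# Constructed sample: two flagged lines (3 and 5) and one stock XP value (line 6).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4 (constructed sample)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\cbgrwsqt\khuehsak.exe
O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\cbgrwsqt\khuehsak.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
""".strip()

if __name__ == "__main__":
    for number, extras in scan_log(SAMPLE_LOG):
        print(f"line {number}: extra Userinit entries {extras}")
```

The check deliberately accepts only a userinit.exe that sits in a system32 directory, so a copy of userinit.exe dropped elsewhere is reported just like a differently named file. It reads the text form of the value only; on a live machine the same value can be read from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which is the key ComboFix quotes.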

Question by:Yashy

24 Comments
LVL 29

Accepted Solution

by:
Sudeep Sharma earned 125 total points
ID: 34956757
LVL 3

Expert Comment

by:Roshan_c
ID: 34958530
Disable the DNS Client service, flush DNS, and try to access the website. And search for spyware removal tools.
LVL 23

Expert Comment

by:phototropic
ID: 34959092
Your HJT log appears to be clean.

It sounds like your hosts file has been hijacked. Often a virus will lock the hijacked hosts file to stop you from editing it.
I helped another questioner with exactly this problem last week:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26804419.html

Try the procedure outlined in the link above, i.e. download HostsXpert and try to reset your hosts file to MS defaults.
For XP, the path to the hosts file is:

c:\windows\system32\drivers\etc\hosts

If it is not there, try typing the following into a Run box (Start - Run):

notepad c:\windows\system32\drivers\etc\hosts

Does your hosts file appear? If it does, try to edit it. If you cannot, it is locked by malware.
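The hosts file check above is easy to do by hand on a file with one line, but a hijacked file can carry hundreds of entries. What matters is the shape of each entry: a vendor name sent to 127.0.0.1 or 0.0.0.0 makes that site unreachable (the "can't reach Microsoft or Symantec" symptom), while a name sent to any other address redirects the browser to a server someone else chose. The script below is an added example for this thread, not HostsXpert and not code from any reply; it parses hosts-file text, classifies every non-default entry, and reports whether the file is writable. Its sample contents are constructed; the asker's real file, per the thread, held only the default line.

```python
"""Audit a Windows hosts file for entries that block or redirect sites.

Added illustration for this thread; it is not HostsXpert and not code from
any reply.  A stock XP hosts file carries the single line
"127.0.0.1 localhost"; extra entries that send a name to loopback or
0.0.0.0 make that site unreachable, while entries pointing anywhere else
silently redirect the browser.  The sample contents below are constructed;
the asker's real file, per the thread, held only the default line."""
import ipaddress
import os

# Stock entries (XP ships the first; Vista and later add the IPv6 form).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Vendor domains whose loss of reachability is a classic infection symptom.
WATCH_DOMAINS = ("microsoft.com", "symantec.com", "malwarebytes.org")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and stray tokens are skipped.
    One line may map several names to one address, so it can yield several pairs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def audit_hosts(text, watch=WATCH_DOMAINS):
    """Classify every non-default entry as 'blocked', 'redirected' or
    'malformed' and flag whether the name falls under a watched domain."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
            kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        except ValueError:
            kind = "malformed"
        watched = any(name == d or name.endswith("." + d) for d in watch)
        findings.append((kind, ip, name, watched))
    return findings


def hosts_status(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Report whether the file exists and whether this user can write it;
    a file you cannot open for editing is the 'locked' case discussed above."""
    return {"exists": os.path.exists(path), "writable": os.access(path, os.W_OK)}


SAMPLE_CLEAN = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"

# Constructed hijacked file: vendor sites nulled, one site sent to a
# TEST-NET-3 (documentation range) address standing in for an attacker host.
SAMPLE_HIJACKED = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com update.microsoft.com   # vendor sites nulled
0.0.0.0         www.symantec.com
127.0.0.1       www.malwarebytes.org
203.0.113.7     www.google.com
"""

if __name__ == "__main__":
    for kind, ip, name, watched in audit_hosts(SAMPLE_HIJACKED):
        flag = " (watched vendor domain)" if watched else ""
        print(f"{kind:10} {ip:15} {name}{flag}")
```

Two caveats when reading the output. A deliberately installed blocklist such as the MVPS hosts file mentioned later in the thread maps thousands of ad and tracking hosts to 0.0.0.0, so those show up as "blocked" by design and should be compared against what you installed. And a clean hosts file, as the asker reports, rules out this mechanism but not the redirect itself: search-result redirects can come from elsewhere on the system, which is why the thread moves on to other scanners.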
LVL 3

Expert Comment

by:Roshan_c
ID: 34959319
Disable the DNS Client service and check browsing.

Update Windows and your antivirus.
LVL 1

Author Comment

by:Yashy
ID: 34960371
I'm going to do all of the above, guys, when I get back home tonight.

However, regarding the hosts file: no, it was not locked. It was in C:\windows\system32\drivers\etc and it wasn't locked; I could open it up and there was no entry other than the 127.0.0.1 one.
LVL 27

Expert Comment

by:Jonvee
ID: 34960519
As you've only the one entry in the hosts file, and it looks good, you may well have an infection that requires removal by ComboFix.
Therefore, if unresolved after running the other scanners, try running ComboFix.
Download ComboFix and save it to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using CF, please disable any real-time anti-virus, anti-spyware or shields that you may have running, particularly AVG or CA Internet Security Suite if installed.

It may also be necessary to rename ComboFix.exe (to Combo-Fix.exe, for example) before saving it to your desktop.
If you have difficulties downloading it, try downloading on another machine, then copy it to a USB memory stick or CD. Rename it and carry it to the infected machine.
You can use this key combination to reach a Run box:
Windows Logo+R: Run dialog box

Double-click "combofix.exe" (or the renamed ComboFix.exe) and follow the prompts.
When it's finished it will have produced a logfile, probably at C:\ComboFix.txt.
Please post that log here.
Do not mouse-click ComboFix's window while it is running, because it may stall.
ComboFix must be run in normal mode.

Should you need it, a guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
LVL 6

Expert Comment

by:Melannk24
ID: 34963083
In a previous experience, I had to use a tool called IceSword to view the locked, hidden files of a malware infection. The other tools wouldn't allow me access to the files. If you can't access C:\Program Files\cbgrwsqt, try running IceSword; you can find it here: http://majorgeeks.com/Icesword_d5199.html. If you are not comfortable with it, GMER is similar to IceSword and has been a great help too: http://www.gmer.net. It has more documentation with it as well.
LVL 23

Expert Comment

by:phototropic
ID: 34963616
I would still try resetting your hosts file with HostsXpert. Or try a defensive hosts file such as this:

http://www.mvps.org/winhelp2002/hosts.htm

TDSSKiller (suggested above) is often good at fixing redirects. If you follow Jonvee's advice to run ComboFix, please post the log here for review.
LVL 1

Author Comment

by:Yashy
ID: 34965313
Guys, here is the ComboFix log:

ComboFix 11-02-23.05 - Administrator 23/02/2011  21:44:39.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2357 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: COMODO Antivirus *Enabled/Outdated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
      /wow section - STAGE 25
The system cannot find the path specified.
@DO was unexpected at this time.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\Adobe\plugs
C:\install.exe
c:\windows\system32\_000120_.tmp.dll
c:\windows\system32\_000122_.tmp.dll
c:\windows\system32\_000123_.tmp.dll
c:\windows\system32\_000124_.tmp.dll
c:\windows\system32\_000125_.tmp.dll
c:\windows\system32\_000126_.tmp.dll
c:\windows\system32\_000127_.tmp.dll
c:\windows\system32\_000128_.tmp.dll
c:\windows\system32\_000129_.tmp.dll
c:\windows\system32\_000130_.tmp.dll
c:\windows\system32\_000131_.tmp.dll
E:\autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2011-01-23 to 2011-02-23  )))))))))))))))))))))))))))))))
.

2011-02-23 20:00 . 2011-02-23 21:39      151479      ----a-w-      c:\program files\Mozilla Firefox\firefoxmgr.exe
2011-02-16 23:47 . 2011-02-19 19:14      151479      ----a-w-      c:\windows\system32\RUNDLL32mgr.exe
2011-02-16 23:47 . 2011-02-20 23:30      151479      ----a-w-      c:\windows\RTHDCPLmgr.exe
2011-02-16 20:15 . 2011-02-17 07:28      151479      ----a-w-      c:\windows\Explorermgr.exe
2011-02-15 21:59 . 2011-02-15 21:59      --------      d-----w-      c:\program files\Perfect Uninstaller
2011-02-15 21:24 . 2011-02-23 21:53      --------      d-----w-      c:\program files\cbgrwsqt
2011-02-15 20:43 . 2011-02-15 20:43      --------      d-----w-      C:\Adobe
2011-02-14 21:08 . 2011-02-14 21:08      --------      d-sh--w-      c:\documents and settings\LocalService\IETldCache
2011-02-14 20:43 . 2011-02-14 20:44      --------      d-----w-      c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-08 14:36 . 2011-02-20 11:18      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Eqvu
2011-02-07 07:31 . 2011-02-19 19:02      --------      d-----w-      c:\program files\BearShare
2011-02-06 21:47 . 2011-02-06 21:56      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\{4B337C2B-E6F0-4B28-98E9-248E1772D7EA}
2011-02-06 21:47 . 2011-02-06 21:47      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\PackageAware
2011-02-06 21:45 . 2011-02-06 23:02      --------      d-----w-      c:\documents and settings\All Users\Application Data\jDaFiJb09000
2011-02-06 12:16 . 2011-02-10 21:00      --------      d-----w-      c:\program files\ASIO4ALL v2
2011-02-06 10:43 . 2005-06-04 09:09      72704      ----a-w-      c:\windows\system32\ra3228_8.dll
2011-02-06 10:43 . 2005-06-04 09:09      21504      ----a-w-      c:\windows\system32\ra32dnet.dll
2011-02-06 10:43 . 2005-06-04 09:08      87040      ----a-w-      c:\windows\system32\ra32sipr.dll
2011-02-06 10:43 . 2005-06-04 09:08      487936      ----a-w-      c:\windows\system32\rmbe3260.dll
2011-02-06 10:43 . 2005-06-04 09:08      487424      ----a-w-      c:\windows\system32\msvcp70.dll
2011-02-06 10:43 . 2005-06-04 09:09      130560      ----a-w-      c:\windows\system32\pnc3250.dll
2011-02-06 10:43 . 2005-06-04 09:09      131072      ----a-w-      c:\windows\system32\pneng50.dll
2011-02-06 10:43 . 2005-06-04 09:09      352768      ----a-w-      c:\windows\system32\pngu3263.dll
2011-02-06 10:43 . 2005-06-04 09:09      81920      ----a-w-      c:\windows\system32\ra3214_4.dll
2011-02-06 10:43 . 2005-06-04 09:08      344064      ----a-w-      c:\windows\system32\msvcr70.dll
2011-02-06 10:43 . 2005-06-04 09:11      85504      ----a-w-      c:\windows\system32\encdnet.dll
2011-02-06 10:43 . 2005-06-04 09:09      61952      ----a-w-      c:\windows\system32\decdnet.dll
2011-02-06 10:39 . 2011-02-20 12:31      --------      d-----w-      c:\program files\Syncrosoft
2011-02-06 02:22 . 2011-02-06 02:22      --------      d-----w-      c:\windows\system32\wbem\Repository
2011-02-06 01:59 . 2008-05-19 06:43      25328      ----a-w-      c:\windows\_000121_.tmp.dll
2011-02-06 01:58 . 2008-07-22 08:01      151592      ----a-w-      c:\windows\system32\drivers\mv61xx.sys
2011-02-06 01:58 . 2004-11-26 12:16      225280      ----a-w-      c:\windows\system32\ReWire.dll
2011-02-06 01:58 . 2004-05-11 00:58      147456      ----a-w-      c:\windows\system32\SynsoLChk.dll
2011-02-06 01:57 . 2011-02-05 17:21      709456      ----a-w-      c:\windows\is-JJA56.exe
2011-02-06 01:57 . 2005-02-01 04:34      700416      ----a-w-      c:\windows\system32\SYNSOACC.dll
2011-02-06 01:57 . 2003-06-13 03:22      290816      ----a-w-      c:\windows\system32\SynsoNos.dll
2011-02-06 01:57 . 2002-11-25 17:36      45056      ----a-w-      c:\windows\system32\Synsopos.exe
2011-02-06 01:57 . 2002-11-25 14:46      16896      ----a-w-      c:\windows\system32\drivers\synasUSB.sys
2011-02-06 01:57 . 2001-04-09 14:03      17784      ----a-w-      c:\windows\system32\drivers\NSynas32.sys
2011-02-06 01:57 . 2011-02-06 02:00      --------      d-----w-      C:\ErdUndoCache
2011-02-02 23:08 . 2005-05-09 20:08      33792      ----a-w-      c:\windows\system32\drivers\cledx.sys
2011-02-02 20:53 . 2011-02-02 20:53      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\COMODO
2011-01-30 10:11 . 2011-02-05 20:05      --------      d-----w-      c:\documents and settings\NetworkService\Application Data\VMware
2011-01-29 11:06 . 2010-04-03 18:51      47456      ----a-w-      c:\windows\system32\perf-MSSQL10_50.SQLEXPRESS-sqlagtctr.dll
2011-01-29 11:04 . 2010-04-03 18:51      73568      ----a-w-      c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.50.1600.1.dll
2011-01-29 11:00 . 2011-01-29 11:00      --------      d-----w-      c:\windows\system32\RsFx
2011-01-29 10:59 . 2011-01-29 10:59      --------      d-----w-      c:\program files\Microsoft Visual Studio 9.0
2011-01-29 10:50 . 2011-01-29 10:50      --------      d-----w-      c:\program files\Microsoft WebMatrix
2011-01-29 10:48 . 2011-01-29 10:49      --------      d-----w-      c:\program files\IIS
2011-01-29 10:43 . 2011-01-29 11:00      --------      d-----w-      c:\program files\Microsoft SQL Server
2011-01-29 10:41 . 2011-01-29 10:51      --------      d-----w-      c:\program files\IIS Express
2011-01-29 10:41 . 2011-01-29 10:44      --------      d-----w-      c:\program files\Microsoft SQL Server Compact Edition
2011-01-29 10:28 . 2011-01-29 10:51      --------      d-----w-      c:\program files\Microsoft ASP.NET
2011-01-29 10:18 . 2011-01-29 10:18      --------      d-----w-      c:\program files\Microsoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-05 15:47 . 2009-08-18 04:23      196608      ----a-w-      c:\windows\system32\drivers\nStandard.bin
2011-01-21 14:44 . 2004-08-04 12:00      439296      ----a-w-      c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00      290048      ----a-w-      c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00      1854976      ----a-w-      c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 12:00      301568      ----a-w-      c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 12:00      43520      ----a-w-      c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-04 12:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2009-09-10 17:16      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2009-09-10 17:16      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-04 12:00      730112      ----a-w-      c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 12:00      385024      ----a-w-      c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-04 12:00      718336      ----a-w-      c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 12:00      33280      ----a-w-      c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-04 12:00      2148864      ----a-w-      c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59      2027008      ----a-w-      c:\windows\system32\ntkrnlpa.exe
2010-12-04 19:07 . 2010-12-04 19:07      163232      ----a-w-      c:\windows\system32\drivers\afcdp.sys
2010-12-04 19:07 . 2010-12-04 19:07      752128      ----a-w-      c:\windows\system32\drivers\tdrpm273.sys
2010-12-04 19:06 . 2010-12-04 19:06      600928      ----a-w-      c:\windows\system32\drivers\timntr.sys
2010-12-04 19:05 . 2010-12-04 19:05      170464      ----a-w-      c:\windows\system32\drivers\snapman.sys
2009-07-14 00:16 . 2009-07-14 00:16      1200551      ----a-w-      c:\program files\mozilla firefox\plugins\libdivx.dll
2009-08-09 00:11 . 2009-08-09 00:11      10437264      ----a-w-      c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-08-09 00:30 . 2009-08-09 00:30      107760      ----a-w-      c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2009-07-14 00:16 . 2009-07-14 00:16      356887      ----a-w-      c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-05 136176]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-06-03 6119378]
"GamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 537015]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-12-24 1800464]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-07 198160]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 129584]
"Hercules DJ Series"="c:\program files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe" [2010-02-03 918824]
"SAOB Monitor"="c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-09-02 2536440]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-09-08 5479424]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-09-08 390736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-12-6 730454]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2010-6-6 492032]
NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2009-3-25 1503290]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-9-27 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\cbgrwsqt\khuehsak.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20      57344      ------r-      c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2009-12-24 11:24      1800464      ------w-      c:\program files\COMODO\COMODO Internet Security\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-04-19 05:26      7700480      ----a-w-      c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-04-19 05:26      86016      ----a-w-      c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-04-19 05:26      1626112      ----a-w-      c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-07-03 08:51      16876032      ------r-      c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-09 09:52      321328      ------w-      c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [06/02/2011 01:58 151592]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/12/2009 22:22 691696]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [04/12/2010 19:07 752128]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [21/08/2009 16:54 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [21/08/2009 16:54 25160]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [27/06/2008 16:50 61424]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [04/12/2010 19:07 3975088]
R2 Tomcat6;Atlassian JIRA 4.1.2 6;c:\program files\Atlassian\JIRA 4.1.2\bin\tomcat6.exe [11/09/2010 17:15 213416]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [20/05/2010 23:56 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [20/05/2010 22:40 539184]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [04/12/2010 19:07 163232]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [29/08/2003 08:30 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [22/07/2003 13:07 403968]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [28/09/2009 08:44 17149]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [01/10/2008 15:45 57440]
R3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [14/01/2009 01:23 458752]
S3 Bulk;HDJBulk;c:\windows\system32\drivers\HDJBulk.sys [04/10/2010 21:19 135936]
S3 HDJAsioK;HDJAsioK;c:\windows\system32\drivers\HDJAsioK.sys [04/10/2010 21:20 186752]
S3 HDJMidi;Hercules DJ Console Rmx MIDI;c:\windows\system32\drivers\HDJMidi.sys [04/10/2010 21:20 156800]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [27/02/2008 10:54 360547]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 17:07 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
.
Contents of the 'Scheduled Tasks' folder

2011-02-23 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2010-04-23 15:24]

2011-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1659004503-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-05 02:09]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1659004503-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-05 02:09]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uk0zmsik.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-H2O - c:\program files\SyncroSoft\Pos\H2O\cledx.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-23 21:53
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  


c:\documents and settings\Administrator\Start Menu\Programs\Startup\khuehsak.exe 151479 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1659004503-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,b5,6b,6e,31,89,f0,41,b1,1b,b5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,b5,6b,6e,31,89,f0,41,b1,1b,b5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-23  21:55:11
ComboFix-quarantined-files.txt  2011-02-23 21:55

Pre-Run: 37,404,573,696 bytes free
Post-Run: 38,555,648,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BBE2055C43DF3FCA5E0455E87FD30CD2
 
LVL 27

Expert Comment

by:Jonvee
ID: 34965511
@ Yashy,
From your CF log file you can see the "Other Deletions" list where a number of infections have been deleted.
Are you now able to access Microsoft, Symantec and the other sites?

@ Melannk24,
GMER is contained within ComboFix.  You can see a reference near the bottom of the log file.  :)
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
 
LVL 1

Author Comment

by:Yashy
ID: 34965537
Hey Jonvee

No, I still can't access any 'decent' website like Microsoft or Kaspersky or Symantec. I can't even get onto gmer.net!

Should I restart the PC?

Also, I have tried disabling DNS but still doesn't work. What setting inside of the registry would cause websites to be blocked? If we could find those entries in there, maybe we can fix it.

 
LVL 27

Expert Comment

by:Jonvee
ID: 34965666
Someone needs to study the contents of the ComboFix logfile to see if writing a small script can now correct the problem. As much as I would like to try, I have to log off shortly for 3 or 4 days.

Restarting the computer should be okay, and even re-running ComboFix for a second time.
 
LVL 22

Expert Comment

by:optoma
ID: 34965679
This file doesn't look good from a quick glance:
c:\documents and settings\Administrator\Start Menu\Programs\Startup\khuehsak.exe

1. Open Notepad
2. Copy and paste all of the bolded text between the lines below into the Notepad window
==================================================
File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\khuehsak.exe




==================================================
3. Now Save as CFScript.txt on your desktop/same location as Combofix.exe
4. Then drag the CFScript.txt into ComboFix.exe
 
LVL 22

Expert Comment

by:optoma
ID: 34965728
there appears to be a few more suspect entries but see how that works first
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 34965934
 
LVL 1

Author Comment

by:Yashy
ID: 34967784
Here's what TDSSKiller found:

2011/02/24 07:28:08.0750 2716      Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/02/24 07:28:08.0750 2716      sptd - detected Locked file (1)

What is that file?
 
LVL 1

Author Comment

by:Yashy
ID: 34969125
I ended up deleting this particular file with TDSSKiller, but I haven't rebooted the machine yet.

Would something in the sptd.sys file ever cause this problem?

 
LVL 6

Expert Comment

by:Melannk24
ID: 34970262
@ Jonvee, thanks for the information on Combofix.  I didn't realize that GMER was included.  Very cool.  :-)
 
LVL 1

Author Comment

by:Yashy
ID: 34972417
Guys, when I do a ping to www.microsoft.com, kaspersky.com, symantec.com, it comes back to 127.0.0.1. However, I have no entries in my hosts file! How can that be?
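The symptom in the post above (a vendor domain resolving to 127.0.0.1 while the hosts file looks empty) has two cheap local causes worth ruling out before blaming DNS or an LSP: the Windows resolver reads the hosts file from whatever directory the registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath names, so a relocated DataBasePath or blackhole entries in the file it points at both produce exactly this. The script below is an added example and not something posted in this thread; the watch-list of domains, the 192.0.2.10 address and the sample hosts content are constructed. It runs offline on the sample anywhere, and reads the live DataBasePath and hosts file when run on Windows. Caveat grounded in the catchme output above: a rootkit that filters file reads (the log shows an NTDLL ZwQueryDirectoryFile hook) can hand this script a clean file too, so a clean result here does not clear the machine.

```python
r"""Check the two local name-resolution overrides that can send a vendor
domain to 127.0.0.1 even when the default hosts file looks clean:
  1. DataBasePath (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
     pointing somewhere other than %SystemRoot%\system32\drivers\etc
  2. blackhole/redirect entries for watched domains in the hosts file there.
Added example, not code from the thread."""
import os
import re

# Assumed watch-list: the sites the thread reports as unreachable.
WATCH_DOMAINS = {
    "microsoft.com", "kaspersky.com", "symantec.com", "gmer.net",
    "malwarebytes.org",
}
# Stock location on the poster's Windows XP; compared case-insensitively.
DEFAULT_HOSTS_DIR = r"C:\WINDOWS\system32\drivers\etc"
BLACKHOLE = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|::1)$")

# Constructed sample hosts content (not the poster's file).
SAMPLE_HOSTS = """\
# comment line, ignored
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
127.0.0.1       kaspersky.com symantec.com   # several names per line
0.0.0.0         update.symantec.com
192.0.2.10      www.gmer.net
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def is_watched(name, watch=WATCH_DOMAINS):
    """True if name is a watched domain or a subdomain of one."""
    return name in watch or any(name.endswith("." + w) for w in watch)


def find_hosts_hijacks(text, watch=WATCH_DOMAINS):
    """Return [(hostname, ip, kind)] for watched names; kind is 'blackhole'
    for loopback/0.0.0.0/::1 and 'redirect' for any other address."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_watched(name, watch):
            kind = "blackhole" if BLACKHOLE.match(ip) else "redirect"
            hits.append((name, ip, kind))
    return hits


def normalise_dir(path):
    """Expand %VARS%, unify slashes, drop trailing separator, lower-case."""
    return os.path.expandvars(path).replace("/", "\\").rstrip("\\").lower()


def database_path_relocated(data_base_path, default=DEFAULT_HOSTS_DIR):
    """True when DataBasePath no longer points at the stock etc directory."""
    return normalise_dir(data_base_path) != normalise_dir(default)


def read_database_path():
    """Windows only: return the live DataBasePath value, or None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    try:
        value, _ = winreg.QueryValueEx(key, "DataBasePath")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    live = read_database_path()
    if live is not None:
        state = "RELOCATED" if database_path_relocated(live) else "default"
        print(f"DataBasePath: {live} ({state})")
        with open(os.path.join(os.path.expandvars(live), "hosts"),
                  "r", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS  # off-Windows: run against the constructed sample
    for name, ip, kind in find_hosts_hijacks(text):
        print(f"{kind:9} {name} -> {ip}")
```

If DataBasePath is the default and the file it names is clean, the remaining suspects on this machine are the resolver path itself (an LSP or a hooked DNS client), which this script cannot see; the `ping` result is still the quickest way to confirm the override is local, because a DNS-level block would normally fail to resolve rather than return loopback.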
 
LVL 1

Author Comment

by:Yashy
ID: 34988896
Peeps, apparently I have a rootkit virus! I installed an antivirus Avira on here and it noticed that it was a Win32.ramnit.c which is supposed to be a rootkit. I think I have no choice chaps but to completely reformat and install again.
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 125 total points
ID: 34989467
Sorry to hear that. Ramnit is a file infector, like Virut and Sality. Once it gets established, it infects system files quicker than you can replace them:

http://www.windowsbbs.com/malware-virus-removal/95756-not-curable-ramnit-virus-cant-open-programs.html

File infectors like Ramnit are one of the few times I would recommend a format and reinstall.
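The practical way to see what the answer above describes (system files being re-infected faster than they are replaced) is a baseline-and-diff: hash every executable from a state you trust, re-hash after each cleaning pass, and list what changed. Executables that keep changing between passes are the infector at work, which is the evidence behind the reinstall advice. The script below is an added example, not code from the thread or from any of the tools named in it; the two stand-in files, the dropped payload and the "infection" (appending bytes, used only to make the diff visible and not a claim about Ramnit's exact mechanism) are all constructed in a temporary directory so it runs anywhere.

```python
"""Baseline-and-diff integrity check for a file infector.
Added example: build a manifest of (size, sha256) for every PE-extension file
under a root, then diff two manifests taken before and after a cleaning pass."""
import hashlib
import os
import tempfile

PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


def sha256_of(path):
    """Stream a file through SHA-256 so large executables do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every PE-extension file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = (os.path.getsize(full), sha256_of(full))
    return manifest


def diff_manifest(before, after):
    """Return (modified, added, removed) relative paths. An appending infector
    shows as 'modified' with a larger size; a dropped payload shows as 'added'."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return modified, added, removed


def demo():
    """Constructed scenario in a temp dir: two clean stand-ins, then one is
    'infected' by appending bytes (an assumption, used only to make the diff
    visible) and a new executable is dropped alongside."""
    root = tempfile.mkdtemp(prefix="manifest-demo-")
    for name in ("notepad.exe", "helper.dll"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ" + bytes(1000))
    before = build_manifest(root)
    with open(os.path.join(root, "notepad.exe"), "ab") as f:
        f.write(b"\x90" * 2048)
    with open(os.path.join(root, "dropped.exe"), "wb") as f:
        f.write(b"MZ" + bytes(64))
    after = build_manifest(root)
    return diff_manifest(before, after), before, after


if __name__ == "__main__":
    (modified, added, removed), before, after = demo()
    for p in modified:
        print(f"modified {p}: {before[p][0]} -> {after[p][0]} bytes")
    for p in added:
        print(f"added    {p}")
    for p in removed:
        print(f"removed  {p}")
```

On a real machine the "before" manifest has to come from media you trust (the install CD or a clean reference system), not from the infected disk, since a baseline taken after infection simply records the infected hashes as normal; and, as with any user-mode check, a kernel hook that hides or filters files can lie to `os.walk` and `open` just as it did to the scanners earlier in this thread.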
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 125 total points
ID: 35001343
I'm finally able to take another look at your CF log file, and I agree with phototropic that the best course of action is probably a format and reload. Your log shows a considerable amount of infection, and some entries may be very difficult to remove! Having said that, if you haven't yet formatted and would like to try another CF script, please run the following:


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
=========================================================

File::
C:\WINDOWS\boqnrwdmwsk.dll
c:\program files\cbgrwsqt
c:\windows\_000121_.tmp.dll
c:\windows\is-JJA56.exe
c:\program files\cbgrwsqt\khuehsak.exe
c:\windows\system32\RsFx

Folder::
c:\windows\system32\RsFx

==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & remove the bad files.
5. Finally, please attach the new CF logfile.

If you've already formatted, we would appreciate a brief update especially if you're still having problems ... thanks.
 
LVL 3

Assisted Solution

by:Roshan_c
Roshan_c earned 125 total points
ID: 35004216
I suggest that, before formatting, you give this a try: Rootkit Buster All from Trend


http://goo.gl/a3EXR
 
LVL 1

Author Comment

by:Yashy
ID: 35008980
Guys, I've been at this since the weekend and it took the wind out of me. I tried everything and still the system was infected. In the end, I had to entirely reformat the system.

I backed up some important docs and that's it; reformatted. However, for my anti-virus/firewall I ended up installing BitDefender, which was a gem as it identified the Win32.ramnit.c rootkit virus on the newly formatted system; I think that could have been due to my external USB drive having picked up the virus as well. At the moment, I think I'm in the clear, but I am going to take all of your bits of advice and harness it for later just in case. ComboFix tried but sadly couldn't do any more.

I didn't realise how bad rootkits like the Ramnit are! Much appreciate all of your help...everybody.
