Help! Firefox being redirected
william23
Joined: Nov 24, 2008
Posts: 22
PostPosted: Sat Dec 20, 2008 8:04 am    Post subject: Help! Firefox being redirected

I am running a Lenovo IdeaPad S10 with XP Home and I am using Firefox as my browser. When I click on a result from a Google search, my browser is being redirected. I ran AVG Anti-Virus and Lavasoft Ad-Aware but neither program found any malware. I also ran Malwarebytes Anti-Malware but it didn't find anything either. Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:18 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
d:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\Energy Management\utility.exe
C:\Program Files\Lenovo\Energy Management\Energy Management.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Documents and Settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\WINDOWS\system32\spider.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Documents and Settings\william netbook\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\Energy Management\utility.exe
O4 - HKLM\..\Run: [Energy Management] C:\Program Files\Lenovo\Energy Management\Energy Management.exe
O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "d:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O20 - AppInit_DLLs: avgrsstx.dll qrlifm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5665 bytes

Thanks for the help.
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY
PostPosted: Sat Dec 20, 2008 11:39 am    Post subject:

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Viewpoint

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

1. Download ComboFix from http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe or http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
william23
Joined: Nov 24, 2008
Posts: 22
PostPosted: Sat Dec 20, 2008 1:07 pm    Post subject:

Thanks for the help. Here is the GooredFix log:

GooredFix v1.5 by jpshortstuff
Log created at 13:11 on 20/12/2008 running Option #1

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{F6B71769-E66B-485D-9BC6-850C6F716F42}"="C:\Documents and Settings\william netbook\Local Settings\Application Data\{F6B71769-E66B-485D-9BC6-850C6F716F42}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{F6B71769-E66B-485D-9BC6-850C6F716F42}"="C:\Documents and Settings\william netbook\Local Settings\Application Data\{F6B71769-E66B-485D-9BC6-850C6F716F42}"


Here is the ComboFix log:
ComboFix 08-12-20.01 - william netbook 2008-12-20 13:16:46.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.840 [GMT -5:00]
Running from: c:\documents and settings\william netbook\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\FT62

.
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 07:35 . 2007-06-28 14:36 401,720 --a------ C:\HijackThis.exe
2008-12-13 13:46 . 2008-12-13 13:46 286,720 --------- c:\windows\Setup1.exe
2008-12-13 13:45 . 2008-12-13 13:46 73,216 --a------ c:\windows\ST6UNST.EXE
2008-12-13 13:45 . 2008-12-13 13:45 303 --a------ c:\windows\ST6UNST.000
2008-12-13 09:54 . 2008-12-13 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-13 09:53 . 2008-12-13 09:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 08:37 . 2008-12-07 08:37 59 --a------ c:\windows\WININIT.INI
2008-12-07 08:35 . 2008-12-07 08:35 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-06 08:23 . 2008-12-06 08:23 <DIR> d-------- c:\documents and settings\william netbook\Application Data\TotalRecorder
2008-12-06 08:06 . 2008-04-17 01:34 119,448 --a------ c:\windows\system32\drivers\TotRec7.sys
2008-12-06 08:06 . 2008-05-15 12:20 106,496 --a------ c:\windows\system32\DrvTrNTl.dll
2008-12-06 08:06 . 2008-05-16 07:16 59,032 --a------ c:\windows\system32\DrvTrNTm.dll
2008-12-03 06:35 . 2008-12-03 06:35 <DIR> d-------- c:\documents and settings\william netbook\Application Data\Malwarebytes
2008-12-03 06:35 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 06:34 . 2008-12-03 06:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 06:34 . 2008-12-03 06:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 06:34 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 08:07 . 2005-03-01 14:39 1,560,576 --a------ c:\windows\system32\JDSecure31.exe
2008-11-29 08:07 . 2008-11-29 08:09 249,856 --a------ c:\windows\system32\LxrJD31.dll
2008-11-29 08:07 . 2008-11-29 08:09 163,840 --a------ c:\windows\system32\LxrJD31c.exe
2008-11-29 08:07 . 2008-11-29 08:09 146,432 --a------ c:\windows\system32\LxrJD31p.exe
2008-11-29 08:07 . 2008-11-29 08:09 71,168 --a------ c:\windows\system32\LxrJD31s.exe
2008-11-29 08:07 . 2008-11-29 08:09 69,824 --a------ c:\windows\system32\drivers\LxrJD31d.sys
2008-11-29 08:07 . 2008-11-29 08:09 61,440 --a------ c:\windows\system32\LxrJD20Sat.dll
2008-11-29 08:07 . 2008-11-29 08:09 21,289 --a------ c:\windows\system32\JDSecure30.hlp
2008-11-29 08:07 . 2008-11-29 08:07 0 --a------ c:\windows\JDSecure31.INI
2008-11-27 10:50 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-27 10:50 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2008-11-27 08:23 . 2008-12-19 19:10 410 --a------ c:\windows\BRWMARK.INI
2008-11-22 08:04 . 2008-11-22 08:04 <DIR> d-------- c:\documents and settings\william netbook\Application Data\Twain
2008-11-21 17:14 . 2008-11-21 17:14 <DIR> d-------- c:\program files\Windows Defender
2008-11-21 03:52 . 2008-11-21 03:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-20 20:29 . 2008-11-20 20:29 <DIR> d-------- C:\Temp
2008-11-20 20:29 . 2008-11-20 20:29 <DIR> d--h----- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-17 13:31 --------- d-----w c:\program files\Common Files\AOL
2008-11-17 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-17 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-17 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-17 10:57 --------- d-----w c:\program files\Yahoo!
2008-11-17 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-02 03:21 --------- d-----w c:\program files\ffdshow
2008-10-25 00:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 01:34 --------- d-----w c:\documents and settings\william netbook\Application Data\Move Networks
2008-10-24 01:14 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-23 00:51 53,248 ----a-w c:\windows\system32\suppdll.dll
2008-10-23 00:51 35,363 ----a-w c:\windows\system32\windrvNT.sys
2008-10-23 00:41 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-23 00:41 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-23 00:41 --------- d-----w c:\program files\AVG
2008-10-23 00:41 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-22 14:58 --------- d-----w c:\program files\PdaNet for Windows Mobile
2008-10-21 15:05 --------- d-----w c:\program files\Windows Live Favorites
2008-10-21 15:04 --------- d-----w c:\documents and settings\All Users\Application Data\Windows Live Toolbar
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 05:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-26 22:12 703 ----a-w c:\windows\system32\config\systemprofile\set_env.bat
2008-09-26 22:12 703 ----a-w c:\documents and settings\william netbook\set_env.bat
2008-09-26 22:12 703 ----a-w c:\documents and settings\Default User\set_env.bat
2008-09-26 21:13 319,488 ----a-w c:\windows\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="d:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-05-23 1146880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2008-07-24 4462464]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2008-07-24 1283984]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-26 1261336]
"VirtualCloneDrive"="d:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-29 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\william netbook\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\william netbook\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-22 97928]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-22 231704]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2008-09-26 430080]
R2 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-09-26 47680]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2008-09-26 9472]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2008-10-22 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-09-26 157696]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2008-12-06 119448]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys []
S3 WSVD;WSVD;\??\c:\windows\system32\drivers\WSVD.sys [2008-09-26 81192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7ce64bd-bc47-11dd-b1aa-00226962effd}]
\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 15:54]

2008-12-20 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-25 22:02]

2008-12-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com/
uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\william netbook\Application Data\Mozilla\Firefox\Profiles\6fn0hg75.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=...e&r
FF - plugin: c:\documents and settings\william netbook\Application Data\Mozilla\Firefox\Profiles\6fn0hg75.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\william netbook\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 13:18:49
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-20 13:19:57
ComboFix-quarantined-files.txt 2008-12-20 18:19:56

Pre-Run: 24,075,419,648 bytes free
Post-Run: 24,068,456,448 bytes free

201 --- E O F --- 2008-12-20 12:38:10
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY
PostPosted: Sat Dec 20, 2008 6:35 pm    Post subject:

Double click on c:\windows\WININIT.INI to open it up in Notepad. Copy & paste all the contents of that file here and then delete all the lines. Copy & paste the following two lines back into the file and save it:

[rename]
NUL=


Delete this folder:

c:\documents and settings\All Users\Application Data\Viewpoint

Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
william23
Joined: Nov 24, 2008
Posts: 22
PostPosted: Sun Dec 21, 2008 8:03 pm    Post subject:

Here is the log from GooredFix:
GooredFix v1.5 by jpshortstuff
Log created at 20:21 on 21/12/2008 running Option #2

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{F6B71769-E66B-485D-9BC6-850C6F716F42}"="C:\Documents and Settings\william netbook\Local Settings\Application Data\{F6B71769-E66B-485D-9BC6-850C6F716F42}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\william netbook\Local Settings\Application Data\{F6B71769-E66B-485D-9BC6-850C6F716F42}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
william23
Joined: Nov 24, 2008
Posts: 22
PostPosted: Mon Dec 22, 2008 8:38 am    Post subject:

Unfortunately the situation has taken a turn for the worse. After I posted my last log I was doing a Google search and I was getting redirected again. Suddenly IE windows started opening on their own. AVG was sending warnings about infestations. I did an AVG scan and found a number of trojans, which I deleted. I rebooted and tried to run the Anti-Malware program but it won't run. I ran a new HijackThis log and here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:23 AM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lenovo\Energy Management\utility.exe
C:\Program Files\Lenovo\Energy Management\Energy Management.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
d:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\william netbook\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\Energy Management\utility.exe
O4 - HKLM\..\Run: [Energy Management] C:\Program Files\Lenovo\Energy Management\Energy Management.exe
O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "d:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [291a164e] rundll32.exe "C:\WINDOWS\system32\nplbiqkd.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\william netbook\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O20 - AppInit_DLLs: avgrsstx.dll honncp.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2lsbGlhbSBuZXRib29r\command.exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

--
End of file - 6160 bytes
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY
PostPosted: Mon Dec 22, 2008 9:07 am    Post subject:

Go to C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe and rename that exe file to MBwilliam23.exe. Now try running it. Check for updates and then do a full scan.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [291a164e] rundll32.exe "C:\WINDOWS\system32\nplbiqkd.dll",b
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\william netbook\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: avgrsstx.dll honncp.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2lsbGlhbSBuZXRib29r\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\nplbiqkd.dll
C:\Documents and Settings\william netbook\Application Data\gadcom\
C:\WINDOWS\system32\tyshb36rfjdf.dll
C:\WINDOWS\d2lsbGlhbSBuZXRib29r\
C:\Program Files\Network Monitor\


Run ComboFix if you can, otherwise, rename it. You might have to download a new copy (rename first before saving it on the desktop) if you can't run that tool either. Post the log here when ready along with a new HijackThis log.
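As an added example (editor's code, not part of the thread and not one of the helper's tools), the Python script below encodes the reasoning behind the entries greyknight17 singled out above (autostarts from Temp, rundll32-loaded DLLs, a policy that disables regedit, an extra AppInit_DLLs entry, a random-named SharedTaskScheduler, services with unknown owner and a missing binary) and runs it over lines copied from william23's log. The AppInit_DLLs allow-list and the random-name heuristic are assumptions; the base64 check is included because the directory name in the cmdService entry, d2lsbGlhbSBuZXRib29r, decodes to the machine's user name.

```python
import base64
import binascii
import re

# Constructed sample input: entries copied from william23's HijackThis log in
# this thread, mixed with benign entries from the same log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [291a164e] rundll32.exe "C:\WINDOWS\system32\nplbiqkd.dll",b
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\william netbook\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: avgrsstx.dll honncp.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2lsbGlhbSBuZXRib29r\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# Assumption: AVG's resident-shield hook is the only DLL expected in AppInit_DLLs
# on this machine. Everything in that value is loaded into every GUI process.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

RANDOM_NAME = re.compile(r"[a-z]\d+[a-z]", re.I)      # letters broken up by digits
HEX_BLOB_ARG = re.compile(r"\s[0-9A-Fa-f]{32,}\s*$")  # long opaque token as argument
ENTRY = re.compile(r"^(O\d+) - (.*)$")


def looks_random(name):
    """Heuristic for generated names such as 'Jnskdfmf9eldfd' or 'tyshb36rfjdf'."""
    return bool(RANDOM_NAME.search(name))


def base64_components(path):
    """Return (component, decoded) pairs for path components that are valid
    base64 and decode to printable ASCII, e.g. the directory in the cmdService entry."""
    hits = []
    for part in path.split("\\"):
        if len(part) < 8 or len(part) % 4:
            continue
        try:
            raw = base64.b64decode(part, validate=True)
        except binascii.Error:
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            hits.append((part, raw.decode("ascii")))
    return hits


def flag_entry(line):
    """Return a reason string if the HijackThis line matches one of the
    patterns the helper acted on in this thread, otherwise None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    lower = body.lower()
    if section == "O4":
        name = re.search(r"\[([^\]]+)\]", body)
        name = name.group(1) if name else ""
        if "\\temp\\" in lower:
            return "autostart launched from a Temp directory"
        if "rundll32" in lower and ".dll" in lower:
            return "rundll32 autostart loading a DLL; verify the DLL"
        if HEX_BLOB_ARG.search(body):
            return "executable started with a long opaque hex argument"
        if looks_random(name):
            return "machine-generated Run value name"
    elif section == "O7":
        return "policy restriction set: " + body.split(",", 1)[-1].strip()
    elif section == "O20" and lower.startswith("appinit_dlls:"):
        dlls = body.split(":", 1)[1].split()
        extra = [d for d in dlls if d.lower() not in APPINIT_ALLOWLIST]
        if extra:
            return "AppInit_DLLs injects unexpected DLL(s): " + ", ".join(extra)
    elif section == "O22":
        parts = [p.strip() for p in body.split(" - ")]
        task = parts[0].split(":", 1)[-1].strip()
        dll = parts[-1].rsplit("\\", 1)[-1]
        if looks_random(task) or looks_random(dll):
            return "SharedTaskScheduler entry with machine-generated name"
    elif section == "O23":
        if "unknown owner" in lower and "(file missing)" in lower:
            reason = "service with unknown owner whose binary is missing"
            path = body.split(" - ")[-1].replace("(file missing)", "").strip()
            for part, decoded in base64_components(path):
                reason += f"; path component {part!r} is base64 for {decoded!r}"
            return reason
    return None


def triage(log_text):
    """Run flag_entry over every line; return [(section, reason, line), ...]."""
    findings = []
    for line in log_text.splitlines():
        reason = flag_entry(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_HJT_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run against the constructed sample it reports exactly the eight entries greyknight17 listed and none of the benign ones.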
william23
Joined: Nov 24, 2008
Posts: 22
PostPosted: Mon Dec 22, 2008 9:47 pm    Post subject:

Here is the ComboFix log:
ComboFix 08-12-20.01 - william netbook 2008-12-22 19:15:39.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.1135 [GMT -5:00]
Running from: c:\documents and settings\william netbook\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\william netbook\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\drivers\TDSSmhct.sys
c:\windows\system32\honncp.dll
c:\windows\system32\ogwgohgr.dll
c:\windows\system32\TDSShrxx.dll
c:\windows\system32\TDSSkhyp.log
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-21 20:55 . 2008-12-21 20:55 <DIR> d--hs---- c:\windows\d2lsbGlhbSBuZXRib29r
2008-12-13 13:46 . 2008-12-13 13:46 286,720 --------- c:\windows\Setup1.exe
2008-12-13 13:45 . 2008-12-13 13:46 73,216 --a------ c:\windows\ST6UNST.EXE
2008-12-13 13:45 . 2008-12-13 13:45 303 --a------ c:\windows\ST6UNST.000
2008-12-13 09:54 . 2008-12-13 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-13 09:53 . 2008-12-13 09:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 08:37 . 2008-12-21 20:19 17 --a------ c:\windows\WININIT.INI
2008-12-07 08:35 . 2008-12-07 08:35 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-06 08:23 . 2008-12-06 08:23 <DIR> d-------- c:\documents and settings\william netbook\Application Data\TotalRecorder
2008-12-06 08:06 . 2008-04-17 01:34 119,448 --a------ c:\windows\system32\drivers\TotRec7.sys
2008-12-06 08:06 . 2008-05-15 12:20 106,496 --a------ c:\windows\system32\DrvTrNTl.dll
2008-12-06 08:06 . 2008-05-16 07:16 59,032 --a------ c:\windows\system32\DrvTrNTm.dll
2008-12-03 06:35 . 2008-12-03 06:35 <DIR> d-------- c:\documents and settings\william netbook\Application Data\Malwarebytes
2008-12-03 06:35 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 06:34 . 2008-12-03 06:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 06:34 . 2008-12-03 06:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 06:34 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 08:07 . 2005-03-01 14:39 1,560,576 --a------ c:\windows\system32\JDSecure31.exe
2008-11-29 08:07 . 2008-11-29 08:09 249,856 --a------ c:\windows\system32\LxrJD31.dll
2008-11-29 08:07 . 2008-11-29 08:09 163,840 --a------ c:\windows\system32\LxrJD31c.exe
2008-11-29 08:07 . 2008-11-29 08:09 146,432 --a------ c:\windows\system32\LxrJD31p.exe
2008-11-29 08:07 . 2008-11-29 08:09 71,168 --a------ c:\windows\system32\LxrJD31s.exe
2008-11-29 08:07 . 2008-11-29 08:09 69,824 --a------ c:\windows\system32\drivers\LxrJD31d.sys
2008-11-29 08:07 . 2008-11-29 08:09 61,440 --a------ c:\windows\system32\LxrJD20Sat.dll
2008-11-29 08:07 . 2008-11-29 08:09 21,289 --a------ c:\windows\system32\JDSecure30.hlp
2008-11-29 08:07 . 2008-11-29 08:07 0 --a------ c:\windows\JDSecure31.INI
2008-11-27 10:50 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-27 10:50 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2008-11-27 08:23 . 2008-12-19 19:10 410 --a------ c:\windows\BRWMARK.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 03:36 90,112 ----a-w c:\windows\DUMP3b53.tmp
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-22 13:04 --------- d-----w c:\documents and settings\william netbook\Application Data\Twain
2008-11-21 22:14 --------- d-----w c:\program files\Windows Defender
2008-11-21 08:52 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-17 13:31 --------- d-----w c:\program files\Common Files\AOL
2008-11-17 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-17 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-17 10:57 --------- d-----w c:\program files\Yahoo!
2008-11-17 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-02 03:21 --------- d-----w c:\program files\ffdshow
2008-10-25 00:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 01:34 --------- d-----w c:\documents and settings\william netbook\Application Data\Move Networks
2008-10-24 01:14 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-23 00:51 53,248 ----a-w c:\windows\system32\suppdll.dll
2008-10-23 00:51 35,363 ----a-w c:\windows\system32\windrvNT.sys
2008-10-23 00:41 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-23 00:41 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-23 00:41 --------- d-----w c:\program files\AVG
2008-10-23 00:41 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 05:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-26 22:12 703 ----a-w c:\windows\system32\config\systemprofile\set_env.bat
2008-09-26 22:12 703 ----a-w c:\documents and settings\william netbook\set_env.bat
2008-09-26 22:12 703 ----a-w c:\documents and settings\Default User\set_env.bat
2008-09-26 21:13 319,488 ----a-w c:\windows\HideWin.exe
2005-07-29 21:24 472 --sha-r c:\windows\d2lsbGlhbSBuZXRib29r\xZ5Pv351vm1Rtrl2vZ6O.vbs
.

((((((((((((((((((((((((((((( snapshot RemoveThis @2008-12-20_13.19.11.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-10-21 14:07:42 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-22 23:42:30 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-21 14:07:42 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-22 23:42:30 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="d:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-05-23 1146880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2008-07-24 4462464]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2008-07-24 1283984]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-26 1261336]
"VirtualCloneDrive"="d:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-29 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll honncp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\william netbook\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\william netbook\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-22 97928]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-22 231704]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2008-09-26 430080]
R2 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-09-26 47680]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2008-09-26 9472]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2008-10-22 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-09-26 157696]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2008-12-06 119448]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys []
S3 WSVD;WSVD;\??\c:\windows\system32\drivers\WSVD.sys [2008-09-26 81192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7ce64bd-bc47-11dd-b1aa-00226962effd}]
\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 15:54]

2008-12-23 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-25 22:02]

2008-12-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6B9A75C9-504E-487E-83B4-F0850C3F98EE} - c:\windows\system32\mlJApnKd.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com/
uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\william netbook\Application Data\Mozilla\Firefox\Profiles\6fn0hg75.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=...e&r
FF - component: c:\program files\Mozilla Firefox\components\srff.dll
FF - plugin: c:\documents and settings\william netbook\Application Data\Mozilla\Firefox\Profiles\6fn0hg75.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\william netbook\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 22:00:41
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\LXRJD31S.EXE
d:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\IGFXSRVC.EXE
d:\progra~1\MICROS~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-22 22:02:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-23 03:02:08

Pre-Run: 24,656,330,752 bytes free
Post-Run: 24,612,569,088 bytes free

229 --- E O F --- 2008-12-20 12:38:10

Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:33 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
d:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lenovo\Energy Management\utility.exe
C:\Program Files\Lenovo\Energy Management\Energy Management.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Documents and Settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\william netbook\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\Energy Management\utility.exe
O4 - HKLM\..\Run: [Energy Management] C:\Program Files\Lenovo\Energy Management\Energy Management.exe
O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "d:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3280C80-9375-47EC-B814-511CFE863D07}: NameServer = 68.28.58.92 68.28.50.91
O20 - AppInit_DLLs: avgrsstx.dll honncp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

--
End of file - 5786 bytes
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY
PostPosted: Mon Dec 22, 2008 10:52 pm    Post subject:

Almost there...

Double click on c:\windows\wininit.ini to open it up in Notepad. Copy and paste the contents of that file here and then delete all those lines. Copy and paste the following two lines back into the file and save it:

[rename]
nul=


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
c:\windows\d2lsbGlhbSBuZXRib29r\xZ5Pv351vm1Rtrl2vZ6O.vbs
Folder::
c:\windows\d2lsbGlhbSBuZXRib29r
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
william23
Joined: Nov 24, 2008
Posts: 22
PostPosted: Tue Dec 23, 2008 8:16 am    Post subject:

This is the contents of the wininit file:
[rename]
NUL=
Here is the ComboFix log:
ComboFix 08-12-20.01 - william netbook 2008-12-23 8:30:19.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.907 [GMT -5:00]
Running from: c:\documents and settings\william netbook\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\william netbook\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\d2lsbGlhbSBuZXRib29r\xZ5Pv351vm1Rtrl2vZ6O.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\d2lsbGlhbSBuZXRib29r
c:\windows\d2lsbGlhbSBuZXRib29r\xZ5Pv351vm1Rtrl2vZ6O.vbs

.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-13 13:46 . 2008-12-13 13:46 286,720 --------- c:\windows\Setup1.exe
2008-12-13 13:45 . 2008-12-13 13:46 73,216 --a------ c:\windows\ST6UNST.EXE
2008-12-13 13:45 . 2008-12-13 13:45 303 --a------ c:\windows\ST6UNST.000
2008-12-13 09:54 . 2008-12-13 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-13 09:53 . 2008-12-13 09:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 08:37 . 2008-12-23 08:27 17 --a------ c:\windows\WININIT.INI
2008-12-07 08:35 . 2008-12-07 08:35 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-06 08:23 . 2008-12-06 08:23 <DIR> d-------- c:\documents and settings\william netbook\Application Data\TotalRecorder
2008-12-06 08:06 . 2008-04-17 01:34 119,448 --a------ c:\windows\system32\drivers\TotRec7.sys
2008-12-06 08:06 . 2008-05-15 12:20 106,496 --a------ c:\windows\system32\DrvTrNTl.dll
2008-12-06 08:06 . 2008-05-16 07:16 59,032 --a------ c:\windows\system32\DrvTrNTm.dll
2008-12-03 06:35 . 2008-12-03 06:35 <DIR> d-------- c:\documents and settings\william netbook\Application Data\Malwarebytes
2008-12-03 06:35 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 06:34 . 2008-12-03 06:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 06:34 . 2008-12-03 06:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 06:34 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 08:07 . 2005-03-01 14:39 1,560,576 --a------ c:\windows\system32\JDSecure31.exe
2008-11-29 08:07 . 2008-11-29 08:09 249,856 --a------ c:\windows\system32\LxrJD31.dll
2008-11-29 08:07 . 2008-11-29 08:09 163,840 --a------ c:\windows\system32\LxrJD31c.exe
2008-11-29 08:07 . 2008-11-29 08:09 146,432 --a------ c:\windows\system32\LxrJD31p.exe
2008-11-29 08:07 . 2008-11-29 08:09 71,168 --a------ c:\windows\system32\LxrJD31s.exe
2008-11-29 08:07 . 2008-11-29 08:09 69,824 --a------ c:\windows\system32\drivers\LxrJD31d.sys
2008-11-29 08:07 . 2008-11-29 08:09 61,440 --a------ c:\windows\system32\LxrJD20Sat.dll
2008-11-29 08:07 . 2008-11-29 08:09 21,289 --a------ c:\windows\system32\JDSecure30.hlp
2008-11-29 08:07 . 2008-11-29 08:07 0 --a------ c:\windows\JDSecure31.INI
2008-11-27 10:50 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-27 10:50 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2008-11-27 08:23 . 2008-12-19 19:10 410 --a------ c:\windows\BRWMARK.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 03:36 90,112 ----a-w c:\windows\DUMP3b53.tmp
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-22 13:04 --------- d-----w c:\documents and settings\william netbook\Application Data\Twain
2008-11-21 22:14 --------- d-----w c:\program files\Windows Defender
2008-11-21 08:52 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-17 13:31 --------- d-----w c:\program files\Common Files\AOL
2008-11-17 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-17 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-17 10:57 --------- d-----w c:\program files\Yahoo!
2008-11-17 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-02 03:21 --------- d-----w c:\program files\ffdshow
2008-10-25 00:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 01:34 --------- d-----w c:\documents and settings\william netbook\Application Data\Move Networks
2008-10-24 01:14 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-23 00:51 53,248 ----a-w c:\windows\system32\suppdll.dll
2008-10-23 00:51 35,363 ----a-w c:\windows\system32\windrvNT.sys
2008-10-23 00:41 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-23 00:41 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-23 00:41 --------- d-----w c:\program files\AVG
2008-10-23 00:41 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 05:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-26 22:12 703 ----a-w c:\windows\system32\config\systemprofile\set_env.bat
2008-09-26 22:12 703 ----a-w c:\documents and settings\william netbook\set_env.bat
2008-09-26 22:12 703 ----a-w c:\documents and settings\Default User\set_env.bat
2008-09-26 21:13 319,488 ----a-w c:\windows\HideWin.exe
.

((((((((((((((((((((((((((((( snapshot RemoveThis @2008-12-20_13.19.11.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-10-21 14:07:42 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-22 23:42:30 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-21 14:07:42 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-22 23:42:30 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="d:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-05-23 1146880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2008-07-24 4462464]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2008-07-24 1283984]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-26 1261336]
"VirtualCloneDrive"="d:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-29 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\william netbook\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\william netbook\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-22 97928]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-22 231704]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2008-09-26 430080]
R2 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-09-26 47680]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2008-09-26 9472]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2008-10-22 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-09-26 157696]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2008-12-06 119448]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys []
S3 WSVD;WSVD;\??\c:\windows\system32\drivers\WSVD.sys [2008-09-26 81192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7ce64bd-bc47-11dd-b1aa-00226962effd}]
\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 15:54]

2008-12-23 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\william netbook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-25 22:02]

2008-12-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com/
uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
TCP: {F3280C80-9375-47EC-B814-511CFE863D07} = 68.28.58.92 68.28.50.91
FF - ProfilePath - c:\documents and settings\william netbook\Application Data\Mozilla\Firefox\Profiles\6fn0hg75.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=...e&r
FF - component: c:\program files\Mozilla Firefox\components\srff.dll
FF - plugin: c:\documents and settings\william netbook\Application Data\Mozilla\Firefox\Profiles\6fn0hg75.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\william netbook\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 08:32:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-23 8:33:40
ComboFix-quarantined-files.txt 2008-12-23 13:33:38
ComboFix2.txt 2008-12-23 03:02:16

Pre-Run: 24,555,601,920 bytes free
Post-Run: 24,544,460,800 bytes free

204 --- E O F --- 2008-12-20 12:38:10
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY
PostPosted: Tue Dec 23, 2008 5:15 pm    Post subject:

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
william23
Joined: Nov 24, 2008
Posts: 22
PostPosted: Sun Dec 28, 2008 9:45 am    Post subject:

Thanks for the help.