Help!

google hijacked again

Cloudx123c



Joined: Sep 16, 2008
Posts: 13



Posted: Tue May 12, 2009 10:45 pm    Post subject: google hijacked again

My Google searches are hijacked, please help.


My log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:38 PM, on 5/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\program files\steam\steam.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\websrvx\websrvx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\SYS32DLL.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: (no name) - {F4F10C1D-87C7-404A-B4B3-000000000000} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: 218538 helper - {5E5EFA8F-9F53-418E-B78E-44866667A404} - C:\WINDOWS\system32\218538\218538.dll
O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - C:\WINDOWS\system32\199638\199638.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre18.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O20 - AppInit_DLLs: wvvghs.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7254 bytes


Thank you, any help is appreciated.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

Posted: Wed May 13, 2009 11:57 am    Post subject:

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

R3 - URLSearchHook: (no name) - {F4F10C1D-87C7-404A-B4B3-000000000000} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: 218538 helper - {5E5EFA8F-9F53-418E-B78E-44866667A404} - C:\WINDOWS\system32\218538\218538.dll
O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - C:\WINDOWS\system32\199638\199638.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre18.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O20 - AppInit_DLLs: wvvghs.dll
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\System32\SYS32DLL.exe
C:\WINDOWS\system32\218538\
C:\WINDOWS\system32\199638\
C:\windows\ld08.exe
C:\windows\mstre18.exe
C:\windows\pp06.exe
C:\WINDOWS\system32\wvvghs.dll
C:\Program Files\websrvx\

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
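The fix list above is a hand-picked set of HijackThis entries: a URLSearchHook and BHOs with no file behind them, BHOs living in numeric-named system32 subfolders, Run entries that launch executables dropped straight into C:\windows (or a bare name with no path at all), a non-empty AppInit_DLLs value, and a service with no publisher under its own Program Files folder. One entry worth a second look when reviewing a log like this is the R1 ProxyServer line pointing at localhost:7171; the same setting is still visible in the later ComboFix log under Supplementary Scan (uInternet Settings,ProxyServer) and in the Firefox network.proxy prefs. The script below is an added example written for this thread; it is not part of the original posts and not a feature of HijackThis, Trend Micro or ComboFix. It parses the R/O lines of a HijackThis log and applies those kinds of review heuristics, which are assumptions chosen for this example and are hints for a human reviewer, not verdicts. The sample log is a constructed subset of the one posted in this thread with some benign entries kept in; note that the UpdReg entry, which the helper left alone, trips the "executable in the Windows folder" rule, which is exactly why a person reviews the output.

```python
"""Triage helper for HijackThis logs (added example, not part of this thread;
the rules are assumptions that mirror the kinds of entries fixed above and
are review hints for a human, not a verdict on any single line)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread,
# with a few benign entries kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R3 - URLSearchHook: (no name) - {F4F10C1D-87C7-404A-B4B3-000000000000} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 218538 helper - {5E5EFA8F-9F53-418E-B78E-44866667A404} - C:\WINDOWS\system32\218538\218538.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O20 - AppInit_DLLs: wvvghs.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


@dataclass
class Finding:
    line: str    # the full HijackThis entry
    reason: str  # why the rule flagged it


def parse_entries(text):
    """Yield (section, body, line) for each R*/O* entry; other lines are skipped."""
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def rule_local_proxy(section, body):
    # A browser proxy on localhost lets a local process rewrite every request, searches included.
    if section == "R1" and "ProxyServer" in body and re.search(r"(localhost|127\.0\.0\.1):\d+", body, re.I):
        return "browser proxy points at a local port"
    return None


def rule_orphan(section, body):
    # Registered hook or BHO whose file no longer exists: safe to fix, often a leftover of a removal.
    if section in ("R3", "O2") and body.endswith("(no file)"):
        return "registered component has no file on disk"
    return None


def rule_numeric_bho_dir(section, body):
    # A BHO living in system32\<digits>\<digits>.dll carries no vendor-looking name at all.
    if section == "O2" and re.search(r"\\system32\\(\d+)\\\1\.dll$", body, re.I):
        return "BHO in a purely numeric system32 subfolder"
    return None


def rule_run_entry(section, body):
    # Command after the [name]; flag binaries dropped straight into C:\windows, or bare names with no path.
    m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body) if section == "O4" else None
    cmd = m.group(1).strip() if m else ""
    if re.match(r"^[A-Z]:\\windows\\[^\\]+\.exe$", cmd, re.I):
        return "Run entry launches an executable placed directly in the Windows folder"
    if re.fullmatch(r"[A-Za-z0-9_]+", cmd):
        return "Run entry is a bare name with no path, resolved via the search path"
    return None


def rule_appinit(section, body):
    # On XP a non-empty AppInit_DLLs value is loaded into every process that maps user32.dll.
    if section == "O20" and body.partition(":")[2].strip():
        return "AppInit_DLLs is set"
    return None


def rule_unknown_service(section, body):
    # Service with no publisher whose binary lives outside the Windows folder.
    path = body.rsplit(" - ", 1)[-1]
    if section == "O23" and "Unknown owner" in body and not re.match(r"^[A-Z]:\\windows\\", path, re.I):
        return "unpublished service running outside the Windows folder"
    return None


RULES = [rule_local_proxy, rule_orphan, rule_numeric_bho_dir,
         rule_run_entry, rule_appinit, rule_unknown_service]


def triage(text):
    """Return one Finding per entry that trips a rule (first matching rule wins)."""
    findings = []
    for section, body, line in parse_entries(text):
        for rule in RULES:
            reason = rule(section, body)
            if reason:
                findings.append(Finding(line, reason))
                break
    return findings


def flagged_lines(text):
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}:\n    {f.line}")
```

Run it on a saved hijackthis.log by passing the file contents to triage(); on the constructed sample it flags nine entries, including the localhost proxy, and leaves the Adobe BHO, NvCplDaemon, Steam and PnkBstrA lines alone. The first matching rule wins so each entry is reported once; the order of RULES therefore decides which reason is shown for an entry that trips several.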
Cloudx123c



Joined: Sep 16, 2008
Posts: 13



Posted: Wed May 13, 2009 7:47 pm    Post subject:

Here is my ComboFix log:

ComboFix 09-05-13.02 - Administrator 05/13/2009 18:44.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1155 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-13 21:11 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-13 21:11 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-13 21:11 . 2009-05-13 21:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-13 02:47 . 2009-05-13 02:47 -------- d-----w c:\program files\Trend Micro
2009-05-09 20:28 . 2009-05-09 20:28 -------- d-----w c:\program files\SystemRequirementsLab
2009-05-09 20:28 . 2009-05-09 20:28 -------- d-----w c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2009-05-08 02:29 . 2009-05-08 02:29 -------- d-----w c:\documents and settings\Administrator\Application Data\Sony Corporation
2009-05-08 02:27 . 2009-05-08 02:27 -------- d-----w c:\program files\MSXML 6.0
2009-05-07 08:07 . 2009-05-07 08:07 -------- d-----w c:\documents and settings\Administrator\Application Data\QQ Games Plugin
2009-05-07 08:05 . 2009-05-07 08:05 -------- d-----w c:\program files\Tencent
2009-05-07 08:05 . 2009-05-07 08:05 -------- d-----w c:\documents and settings\All Users\Application Data\Tencent
2009-05-04 11:17 . 2009-05-04 11:17 -------- d-----w c:\program files\GNU
2009-05-04 00:24 . 2009-05-04 00:24 -------- d-----w c:\documents and settings\Administrator\Application Data\Red Kawa
2009-04-27 10:39 . 2009-04-27 10:39 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH
2009-04-27 10:35 . 2009-04-27 10:35 -------- d-----w c:\program files\GRETECH
2009-04-21 13:12 . 2009-05-13 23:39 24 ----a-w c:\windows\system32\DVCState-{00000000-00000000-00000009-00001102-00000002-80221102}.dat
2009-04-21 13:12 . 2009-05-13 23:39 24 ----a-w c:\windows\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000002-80221102}.dat
2009-04-21 10:10 . 2000-05-11 06:00 90112 ------w c:\windows\Updreg.EXE
2009-04-21 10:10 . 1996-05-23 07:24 24976 ------w c:\windows\CTRES.DLL
2009-04-21 10:10 . 1998-06-05 07:00 84992 ------w c:\windows\system32\SFCVRT32.DLL
2009-04-21 10:10 . 1994-12-05 08:11 53552 ------w c:\windows\CTCCW.DLL
2009-04-21 10:10 . 1998-10-20 21:05 54784 ------w c:\windows\system32\INETWH32.DLL
2009-04-21 10:10 . 1995-08-30 07:02 82432 ------w c:\windows\system32\CTWFLT32.DLL
2009-04-21 10:10 . 1995-07-13 07:01 26768 ------w c:\windows\system32\CTL3D.DLL
2009-04-21 10:10 . 1998-01-08 06:00 1048576 ------w c:\windows\system32\SFMAN.DAT
2009-04-21 10:08 . 1999-12-17 06:00 6752 ------w c:\windows\system32\PFMODNT.SYS
2009-04-21 09:59 . 2009-04-21 10:09 -------- d-----w c:\program files\Creative
2009-04-20 09:05 . 2009-04-20 09:25 -------- d-----w c:\documents and settings\Administrator\Application Data\Move Networks
2009-04-16 03:50 . 2009-04-16 03:50 -------- d-----w c:\program files\AviSynth 2.5
2009-04-14 11:00 . 2009-04-14 11:00 -------- d-----w c:\windows\Major League Baseball 2K9
2009-04-14 11:00 . 2009-04-14 11:25 -------- d-----w c:\program files\Major League Baseball 2K9
2009-04-14 02:19 . 2009-04-14 02:19 41808 ----a-w c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 23:41 . 2006-01-19 16:14 -------- d-----w c:\program files\Steam
2009-05-08 02:30 . 2008-11-07 05:54 -------- d-----w c:\program files\Sony
2009-05-07 08:07 . 2009-02-21 03:20 -------- d-----w c:\program files\AIM6
2009-05-05 12:15 . 2008-11-26 05:27 -------- d-----w c:\program files\NBA 2K9
2009-05-05 09:34 . 2007-10-10 14:08 189472 -c--a-w c:\windows\system32\PnkBstrB.exe
2009-05-05 09:30 . 2007-10-10 14:08 138168 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-03 03:12 . 2009-03-28 02:52 -------- d-----w c:\program files\English Bid for Power Final 4.0
2009-04-28 12:51 . 2006-03-05 00:00 -------- d-----w c:\program files\EA SPORTS
2009-04-28 12:44 . 2006-02-26 13:28 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-27 04:05 . 2002-09-03 04:11 -------- d-----w c:\program files\mIRC
2009-04-24 05:50 . 2006-02-11 11:45 -------- d-s---w c:\program files\Xfire
2009-04-21 10:09 . 2006-01-19 17:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-21 09:33 . 2009-04-21 09:33 0 ----a-w c:\documents and settings\Administrator\ntuser.tmp
2009-04-17 10:01 . 2007-09-24 10:50 -------- d-----w c:\program files\DivX
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-15 06:07 . 2006-09-25 01:42 664 -c--a-w c:\windows\system32\d3d9caps.dat
2009-02-15 05:19 . 2009-02-15 05:08 409600 ----a-w c:\windows\system32\wrap_oal.dll
2008-08-01 15:25 . 2008-08-01 13:01 66936 -csha-w c:\windows\dlinfo_0.drv
2008-07-20 06:34 . 2008-07-20 06:33 24 -csh--w c:\windows\SE6FF85BE.tmp
2006-04-19 05:32 . 2006-04-19 05:30 56 --sh--r c:\windows\system32\7DA24FC9CE.sys
2006-04-19 05:32 . 2006-04-19 05:30 848 -csha-w c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2002-08-29 01:41 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-09-14 19:24 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-01-06 1410296]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-01-23 423200]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2002-07-02 24576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-4 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MediaChecker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MediaChecker.lnk
backup=c:\windows\pss\MediaChecker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YouTube Uploader for CASIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\YouTube Uploader for CASIO.lnk
backup=c:\windows\pss\YouTube Uploader for CASIO.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\magiver\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\magiver\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\magiver\\counter-strike\\hl.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\mainapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\SteamApps\\magiver\\zombie panic! source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\smokey187hom\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chitown007\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chitown007\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chitown007\\counter-strike\\hl.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Wc3
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [9/16/2006 11:52 PM 16512]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2/13/2008 10:54 PM 29184]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [10/23/2006 1:08 AM 18048]
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.speedbit.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vr0mk3dm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&...ocation
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&...ocation
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vr0mk3dm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 18:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):f0,a2,b0,29,81,59,42,cd,c1,a1,16,19,68,f7,9c,67,85,f5,be,ad,7a,
72,3b,3a,c5,88,cc,1d,74,fa,e1,a8,5b,f8,e6,8d,dd,e6,88,45,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{86158847-9d66-476a-9289-fc7b00fec445}]
@Denied: (Full) (Everyone)
"Model"=dword:00000118
"Therad"=dword:0000000b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-05-13 18:48
ComboFix-quarantined-files.txt 2009-05-13 23:47

Pre-Run: 21,705,498,624 bytes free
Post-Run: 21,698,674,688 bytes free

221


Everything seems to be working normally now, so thanks.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

Posted: Thu May 14, 2009 12:07 pm    Post subject:

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.

Topic locked since issue is resolved.