Yet another google hijacked search log...

evolve · Joined: May 05, 2009 Posts: 7

Hey guys, hate to bore you, but my google search has been hijacked like so many others. I seriously think it has something to do with Panda Cloud Antivirus, because it happened one day after I installed it.

Regardless, here is my hijackthis log, I've run AVG, S&D, Malwarebytes, among several others, nothing seems to pickup an issue.

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:08 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.rider.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\yivuvuwo.dll c:\windows\system32\ c:\windows\system32\wuninemo.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9b4ba837d204) (gupdate1c9b4ba837d204) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9417 bytes

I looked over the log and the AppInit_DLLs seems fishy, one of them is "C:\WINDOWS\system32\yivuvuwo.dll", which I can't find any information on (nor does the file appear to exist).

Any help would be greatly appreciated.

evolve · Joined: May 05, 2009 Posts: 7

Hey guys, alright I think I managed to correct my issue. I ran combofix, here is the log:

Quote:

ComboFix 09-05-05.03 - Student 05/05/2009 22:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1470 [GMT -4:00]
Running from: c:\documents and settings\Student\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-05 20:29 . 2009-05-05 20:29 -------- d-----w c:\documents and settings\Student\Application Data\Malwarebytes
2009-05-05 20:29 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 20:29 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 20:29 . 2009-05-05 20:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-05 20:29 . 2009-05-05 20:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-05 20:26 . 2009-05-05 20:26 -------- d-----w c:\program files\Trend Micro
2009-05-05 11:55 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-05 01:08 . 2009-05-05 01:08 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-05 01:08 . 2009-05-05 20:22 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-05 01:08 . 2009-05-05 20:22 -------- d-----w c:\documents and settings\Student\Application Data\SUPERAntiSpyware.com
2009-05-04 21:16 . 2009-05-04 21:16 -------- d-----w c:\program files\Windows Defender
2009-05-03 20:39 . 2009-05-03 21:18 -------- d-----w C:\Downloads
2009-05-03 20:39 . 2009-05-03 21:19 -------- d-----w c:\documents and settings\Student\Application Data\Orbit
2009-05-02 03:29 . 2009-05-02 03:33 -------- d-----w c:\documents and settings\Student\Local Settings\Application Data\Temporary Projects
2009-05-02 01:29 . 2009-05-02 01:29 -------- d-----w c:\documents and settings\Student\Application Data\RadiantSettings
2009-05-02 01:29 . 2009-05-02 01:29 -------- d-----w c:\program files\GtkRadiant 1.5.0
2009-04-30 23:57 . 2009-05-05 11:46 -------- d--h--w C:\$AVG8.VAULT$
2009-04-30 23:54 . 2009-05-05 20:20 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-30 19:41 . 2009-05-05 21:38 1026 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-04-29 18:55 . 2009-04-29 18:55 -------- d-----w c:\documents and settings\Student\Application Data\Panda Security
2009-04-29 18:54 . 2009-04-29 18:54 -------- d-----w c:\documents and settings\All Users\Application Data\Panda Security
2009-04-28 15:17 . 2009-04-28 15:17 -------- d-----w c:\program files\Microsoft Synchronization Services
2009-04-28 15:17 . 2009-04-28 15:17 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-04-23 16:13 . 2009-04-23 16:13 -------- d-----w c:\windows\system32\Adobe
2009-04-18 14:34 . 2009-04-18 14:37 481678720 ----a-w c:\program files\ioquake3.zip
2009-04-16 17:37 . 2009-04-16 17:37 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-16 15:52 . 2009-03-06 14:22 284160 ----a-w c:\windows\system32\dllcache\pdh.dll
2009-04-16 15:52 . 2009-02-06 10:39 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-04-16 15:52 . 2009-02-09 12:10 401408 ----a-w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 15:52 . 2009-02-06 11:11 110592 ----a-w c:\windows\system32\dllcache\services.exe
2009-04-16 15:52 . 2009-02-09 12:10 473600 ----a-w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 15:52 . 2009-02-06 10:10 227840 ----a-w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 15:52 . 2009-02-09 12:10 453120 ----a-w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 15:52 . 2009-02-09 12:10 729088 ----a-w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 15:52 . 2009-02-09 12:10 617472 ----a-w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 15:52 . 2009-02-09 12:10 714752 ----a-w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 15:48 . 2008-05-03 11:55 2560 ----a-w c:\windows\system32\xpsp4res.dll
2009-04-16 15:48 . 2008-04-21 12:08 215552 ----a-w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 01:03 . 2007-06-08 00:24 -------- d-----w c:\program files\mIRC
2009-05-06 00:28 . 2007-06-21 14:44 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-05 20:22 . 2008-03-12 00:40 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 20:14 . 2009-01-22 05:12 -------- d-----w c:\program files\Lavasoft
2009-05-05 02:54 . 2008-08-06 00:51 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-05 02:54 . 2008-08-06 00:51 189784 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-05 00:21 . 2008-06-04 19:05 -------- d-----w c:\program files\CrossLoop
2009-05-03 21:19 . 2007-11-26 19:51 -------- d-----w c:\program files\FLV Player
2009-05-02 01:22 . 2007-06-26 00:29 -------- d-----w c:\program files\Quake III Arena
2009-05-02 01:00 . 2009-03-27 19:59 -------- d-----w c:\program files\ioquake3
2009-04-30 20:44 . 2009-02-24 23:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-30 20:34 . 2009-04-30 20:34 2 ----a-w c:\windows\RAVTC.TMP
2009-04-28 15:19 . 2005-03-16 21:55 94600 ----a-w c:\documents and settings\Student\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 15:17 . 2007-11-24 05:22 -------- d-----w c:\program files\Microsoft Visual Studio 9.0
2009-04-23 01:21 . 2008-10-02 04:48 -------- d-----w c:\program files\Google
2009-04-17 16:55 . 2008-11-11 22:32 22328 ----a-w c:\documents and settings\Student\Application Data\PnkBstrK.sys
2009-04-17 16:54 . 2008-11-11 22:31 2246144 ----a-w c:\windows\system32\pbsvc.exe
2009-04-16 17:39 . 2008-08-06 00:51 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-04 00:56 . 2007-06-28 15:06 74072 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-02 14:27 . 2009-04-02 14:27 -------- d-----w c:\program files\Sun
2009-04-02 14:27 . 2009-02-04 01:12 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-02 14:27 . 2005-03-08 14:18 -------- d-----w c:\program files\Java
2009-04-02 13:27 . 2009-03-22 03:35 -------- d-----w c:\program files\Research In Motion
2009-04-01 22:54 . 2009-02-16 05:56 -------- d-----w c:\program files\eclipse
2009-04-01 16:05 . 2008-11-22 17:36 -------- d-----w c:\program files\LOVE
2009-03-30 20:25 . 2009-03-30 20:07 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-30 20:21 . 2007-06-08 01:10 -------- d-----w c:\program files\Microsoft.NET
2009-03-30 20:03 . 2009-03-30 20:03 -------- d-----w c:\program files\Common Files\Merge Modules
2009-03-30 20:01 . 2009-03-30 20:01 -------- d-----w c:\program files\Microsoft SDKs
2009-03-27 18:37 . 2009-03-27 18:37 -------- d-----w c:\program files\NuGardt Software
2009-03-25 23:33 . 2007-12-10 23:57 3532 ----a-w C:\drmHeader.bin
2009-03-22 20:51 . 2009-03-22 03:42 256 ----a-w c:\documents and settings\Student\pool.bin
2009-03-22 03:37 . 2009-03-22 03:37 -------- d-----w c:\program files\Roxio
2009-03-22 03:37 . 2009-03-22 03:37 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-22 03:37 . 2005-03-08 14:19 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-22 03:37 . 2009-03-22 03:37 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-03-22 03:35 . 2009-03-22 03:35 -------- d-----w c:\program files\Common Files\Research In Motion
2009-03-22 00:25 . 2007-06-23 15:14 -------- d-----w c:\program files\DivX
2009-03-22 00:25 . 2009-03-22 00:24 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-09 21:07 . 2007-10-12 14:48 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-09 21:07 . 2009-03-09 21:07 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-09 03:12 . 2009-03-09 03:12 -------- d-----w c:\program files\Microsoft Works
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 23:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 23:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-11 23:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-11 23:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 23:00 35328 ----a-w c:\windows\system32\sc.exe
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2004-11-10 598016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-02 148888]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Flare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Flare.lnk
backup=c:\windows\pss\Flare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Student^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Student\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Student^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\Student\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\ioquake3\\ioquake3.x86.exe"=
"c:\\Program Files\\ioquake3\\ioquake3.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry JDE 4.7.0\\simulator\\fledge.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry JDE 4.5.0\\simulator\\fledge.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_01\\bin\\java.exe"=
"c:\\Program Files\\I8kfanGUI\\I8kfanGUI.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [6/26/2007 8:43 PM 14464]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/8/2005 10:02 AM 80384]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys [?]
S2 gupdate1c9b4ba837d204;Google Update Service (gupdate1c9b4ba837d204);c:\program files\Google\Update\GoogleUpdate.exe [4/3/2009 8:12 PM 133104]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\R101342\ATIXPGAA.SYS [6/26/2007 8:36 PM 12032]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/28/2007 8:01 PM 42512]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [10/9/2008 7:16 PM 1312768]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fdb94e8-a1d8-11dc-a955-0012f0aab161}]
\Shell\Auto\command - E:\activexdebugger32.exe f
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - E:\activexdebugger32.exe f
\Shell\open\Command - E:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0dc0207-8e8e-11dd-a9c8-0012f0aab161}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2578517-bd7a-11dd-a9ef-0012f0aab161}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-04 00:12]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3361584793-623422886-3894125377-1005.job
- c:\documents and settings\Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 15:13]

2009-05-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.rider.edu/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\Student\Application Data\Mozilla\Firefox\Profiles\swdkql51.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Student\Application Data\Mozilla\Firefox\Profiles\swdkql51.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Student\Application Data\Mozilla\plugins\npo3dautoplugin.dll
FF - plugin: c:\documents and settings\Student\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Student\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\documents and settings\Student\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0806260_SUA_900\npoctoshape.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 22:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3361584793-623422886-3894125377-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BC535405-2D7E-40D3-EF2D-861AE7C49DC0}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haegnnmbbmejjdhh"=hex:67,61,6a,62,6a,6a,6d,6c,65,6d,66,6f,6d,65,00,f6
"iaifcmoglookcbkiof"=hex:62,61,63,62,00,06

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ *«*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3496)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-06 22:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 02:14

Pre-Run: 12,107,055,104 bytes free
Post-Run: 11,980,713,984 bytes free

356 --- E O F --- 2009-04-30 15:04

I'm confused about why it removed c:\windows\system32\mdm.exe -- from my research it was not a harmful file.

Anyway, any input on the logs would be great.

Thanks.

evolve · Joined: May 05, 2009 Posts: 7

I spoke too soon with my last reply, the issue is still not resolved. Any input would be great.

evolve · Joined: May 05, 2009 Posts: 7

Still have not resolved the issue. It is very difficult to determine if it is resolved or not because it happens randomly (not with every search, not on every item). It appears to happen on every 4-10th search result item click, however much more often when browsing to wikipedia pages.

I've been reading the solutions to the other posts about people having this issue, and I don't seem to have any of the same values within my logs. Is there a website which analyzes combofix logs? I've scoured it several times, however nothing jumps out. I've even uploaded several of the recently modified DLL's to http://www.virustotal.com/ however none of them seem bad.

Any input would be nice, I'm very willing to provide more information if needed.

greyknight17 · Joined: Feb 03, 2003 Posts: 5651 Location: Brooklyn, NY

Welcome to Lockergnome.

ComboFix is not a tool that should be used unsupervised. There is no website that I know of that will analyze this log either. There can be changes made any time and if such a website exists, it might provide the wrong information.

Download the Flash Disinfector at http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O20 - AppInit_DLLs: C:\WINDOWS\system32\yivuvuwo.dll c:\windows\system32\ c:\windows\system32\wuninemo.dll

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

evolve · Joined: May 05, 2009 Posts: 7

Hello greyknight17, thank you for the reply.

Followed the instructions to the letter.

Here is the new log:

greyknight17 · Joined: Feb 03, 2003 Posts: 5651 Location: Brooklyn, NY

Were you able to run Flash Disinfector yet? One of your USB drives seem to be infected. Make sure you plug it in and then run the Flash Disinfector tool.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

evolve · Joined: May 05, 2009 Posts: 7

Ran Flash Disinfector on all of my USB drives, and ran script, here is the output:

greyknight17 · Joined: Feb 03, 2003 Posts: 5651 Location: Brooklyn, NY

Formatting and reinstalling Windows is usually the best thing to do if you backed up your data and have time to do this.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fdb94e8-a1d8-11dc-a955-0012f0aab161}]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Download GooredFix and save it to your Desktop. Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

If that still won't fix the issue, proceed with the backing up of your data (which you should be doing regularly) and format the drive before you reinstall Windows.

evolve · Joined: May 05, 2009 Posts: 7

It appears that deleting that registry value and running "GooredFix" has solved the issues.

I still think I will proceed with a reformat, however I want to thank you for taking the time to help me solve this issue.

Looking back at our posts, I understand how you could determine the flash drives might have been infected, however how do you know that the registry key "moustpoints2" was infected?

I consider myself a fairly knowledgeable person when it comes to windows, however your suggestions go very much over my head, and I am interested in how you have obtained your knowledge?

greyknight17 · Joined: Feb 03, 2003 Posts: 5651 Location: Brooklyn, NY

Most of these infections will be tied to some kind of executable file. In this case, that registry key that I pointed out was linked to a malicious exe file which raised suspicion immediately Very Happy

I'm glad it's ok now. Formatting is usually the best cleanup though but most users avoid it since it's a big task Sad

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, you should be set to go.