Author Topic: [Resolved] Cmd,Regedit don't work AND Internet Explorer redirected  (Read 14828 times)

adf1962
Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2                                                                                                                               
Scan saved at 12:10:53 AM, on 01/04/2009                                                                                                                               
Platform: Windows XP SP2 (WinNT 5.01.2600)                                                                                                                             
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)                                                                                                                     
Boot mode: Safe mode with network support                                                                                                                               
                                                                                                                                                                       
Running processes:                                                                                                                                                     
C:\WINDOWS\System32\smss.exe                                                                                                                                           
C:\WINDOWS\system32\winlogon.exe                                                                                                                                       
C:\WINDOWS\system32\services.exe                                                                                                                                       
C:\WINDOWS\system32\lsass.exe                                                                                                                                           
C:\WINDOWS\system32\svchost.exe                                                                                                                                         
C:\WINDOWS\system32\svchost.exe                                                                                                                                         
C:\WINDOWS\Explorer.EXE                                                                                                                                                 
C:\Program Files\Mozilla Firefox\firefox.exe                                                                                                                           
C:\WINDOWS\system32\ctfmon.exe                                                                                                                                         
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe                                                                                                                 
                                                                                                                                                                       
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/                                                                                 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen                                       
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe                                                                                                         
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll                                   
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll       
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll                                     
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll                   
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll                                               
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll                         
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll                                       
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll                                           
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe                                                                               
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon                                                             
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe                                                                                       
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime                                                                                 
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe                                                                                           
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE                                                                                                             
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe                                                                                     
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe                                                                                     
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start                                                         
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup                                                                           
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"                                                                                   
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe                                                                                                           
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe                                                                                 
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe                                                                             
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"                                                                         
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"                                                                                             
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\Tony\LOCALS~1\Temp\prun.exe"                                                                                                   
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"                                                                                     
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe                                                                                                             
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background                                     
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"                                                           
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-CFOP6.exe" /REG                                                                                     
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe                                                                                                           
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe                                                                           
O4 - HKCU\..\RunOnce: [SpybotDeletingB532] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"                                                                   
O4 - HKCU\..\RunOnce: [SpybotDeletingD952] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"                                                                       
O4 - HKCU\..\RunOnce: [SpybotDeletingB9022] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"                                                 
O4 - HKCU\..\RunOnce: [SpybotDeletingD1824] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"                                                     
O4 - HKCU\..\RunOnce: [SpybotDeletingB6653] command /c del "C:\WINDOWS\system32\inxdwext.dll"                                                                           
O4 - HKCU\..\RunOnce: [SpybotDeletingD3403] cmd /c del "C:\WINDOWS\system32\inxdwext.dll"                                                                               
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')                                                           
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')                                                     
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe                                                           
O4 - Global Startup: Disney                                                                                                                                             
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe                                         
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe                                   
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe                                           
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE                                                                         
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe                                                                         
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html                                                           
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html                                               
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html                                                       
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html                                                   
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000                                                           
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html                                                           
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html                                               
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll                                         
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll                         
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll                                         
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe                                                           
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe                                         
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204                           
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab                         
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab               
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.us-resources.com/dwa7W.cab                                           
O17 - HKLM\System\CCS\Services\Tcpip\..\{9541D7A2-AEB9-4B63-8C25-CD1FB2433AF1}: NameServer = 192.168.2.1                                                               
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll                                         
O21 - SSODL: JcZgSr - {44A63D61-EE0C-97CB-3CAF-1B926BE92182} - C:\WINDOWS\system32\epxbne.dll (file missing)                                                           
O23 - Service: AbelService - Unknown owner - C:\Program Files\AbelCam\AbelService.exe                                                                                   
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe                           
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe                                                   
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe                                                                             
O23 - Service: Symantec Event Manager (ccevtmgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe                                   
O23 - Service: Symantec Settings Manager (ccsetmgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe                                 
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe                               
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe                         
O23 - Service: Symantec AntiVirus Definition Watcher (defwatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe                               
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe                                             
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe                                       
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe         
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe                                                                                   
O23 - Service: LiveUpdate (liveupdate) - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE                                                             
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe                                                         
O23 - Service: Roxio UPnP Renderer 9 (roxio upnp renderer 9) - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe                           
O23 - Service: Roxio Upnp Server 9 (roxio upnp server 9) - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe                               
O23 - Service: LiveShare P2P Server 9 (roxliveshare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe                   
O23 - Service: RoxMediaDB9 (roxmediadb9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe                                   
O23 - Service: Roxio Hard Drive Watcher 9 (roxwatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe                       
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe                                     
O23 - Service: sasrfc Service (sasrfcService) - Unknown owner - C:\Program Files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe                                         
O23 - Service: SAVRoam (savroam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe                                                                           
O23 - Service: Symantec Network Drivers Service (sndsrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe                           
O23 - Service: Symantec SPBBCSvc (spbbcsvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe                                   
O23 - Service: Symantec AntiVirus (symantec antivirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe                                         
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe (file missing)                                 
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe                           
                                                                                                                                                                       
--                                                                                                                                                                     
End of file - 12001 bytes





« Last Edit: April 02, 2009, 12:40:45 PM by Hoov »
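A triage pass over the HijackThis log above, as an added example that is not part of the thread and not a HijackThis feature. The rules are my own choices, modelled on what a removal helper looks for by eye: an O4 autorun launched from a Temp directory (the `prunnet` entry), a user application registered under the SYSTEM profile (`msnmsgr`), an O21 SSODL entry with a random-looking name or a missing file (`JcZgSr`), O23 services with no owner information, an O17 NameServer outside private ranges, and a tampered F2 UserInit. `SAMPLE_LOG` is a constructed subset of lines copied from the log in the first post; everything else (regexes, severity levels, the `Finding` type) is assumed for the example.

```python
# Added example: heuristic triage of HijackThis v2 log lines. Not thread content
# and not a HijackThis feature; the rules are this example's own assumptions.
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\Tony\LOCALS~1\Temp\prun.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{9541D7A2-AEB9-4B63-8C25-CD1FB2433AF1}: NameServer = 192.168.2.1
O21 - SSODL: JcZgSr - {44A63D61-EE0C-97CB-3CAF-1B926BE92182} - C:\WINDOWS\system32\epxbne.dll (file missing)
O23 - Service: AbelService - Unknown owner - C:\Program Files\AbelCam\AbelService.exe
O23 - Service: Symantec AntiVirus (symantec antivirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")
O4_ENTRY = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
SSODL = re.compile(r"^SSODL: (?P<name>\S+) - \{[^}]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
NAMESERVER = re.compile(r"NameServer = (?P<ips>.+)$")
USERINIT = re.compile(r"^REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
USERINIT_OK = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.IGNORECASE)
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Finding:
    section: str
    severity: str  # HIGH, MEDIUM or LOW
    reason: str
    line: str


def check_o4(rest: str, line: str) -> Optional[Finding]:
    m = O4_ENTRY.match(rest)
    if not m:  # "Global Startup" shortcuts are not registry Run entries; skip them
        return None
    p = EXE_PATH.match(m.group("cmd"))
    path = p.group("path") if p else m.group("cmd")
    if TEMP_DIR.search(path):  # legitimate software does not autostart from a Temp folder
        return Finding("O4", "HIGH", "autorun launched from a Temp directory: " + path, line)
    if m.group("hive").startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
        return Finding("O4", "MEDIUM", "user application set to run under the SYSTEM/Default profile", line)
    return None


def check_o21(rest: str, line: str) -> Optional[Finding]:
    m = SSODL.match(rest)
    if not m:
        return None
    name = m.group("name")
    # SSODL objects load into the shell at logon; a vowel-less random name or a
    # DLL that no longer exists is the typical leftover of a shell-object hijack.
    if m.group("missing") or not re.search(r"[aeiou]", name, re.IGNORECASE):
        return Finding("O21", "HIGH", "SSODL entry with random-looking name or missing file: " + name, line)
    return Finding("O21", "LOW", "SSODL entry to verify by hand: " + name, line)


def check_o23(rest: str, line: str) -> Optional[Finding]:
    parts = rest[len("Service: "):].split(" - ")
    if len(parts) >= 3 and parts[1] == "Unknown owner":
        return Finding("O23", "LOW", "service binary carries no vendor information: " + parts[0], line)
    return None


def check_o17(rest: str, line: str) -> Optional[Finding]:
    m = NAMESERVER.search(rest)
    if not m:
        return None
    for ip in re.split(r"[ ,;]+", m.group("ips").strip()):
        try:
            if not ipaddress.ip_address(ip).is_private:  # router/LAN resolvers are private
                return Finding("O17", "HIGH", "DNS server outside private ranges; confirm it is your ISP's: " + ip, line)
        except ValueError:
            return Finding("O17", "MEDIUM", "unparseable NameServer value: " + ip, line)
    return None


def check_f2(rest: str, line: str) -> Optional[Finding]:
    m = USERINIT.match(rest)
    if not m:
        return None
    parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
    if len(parts) == 1 and USERINIT_OK.match(parts[0]):
        return None  # exactly the stock userinit.exe, nothing appended after a comma
    return Finding("F2", "HIGH", "UserInit is not the stock userinit.exe alone: " + m.group("value"), line)


CHECKS: Dict[str, Callable[[str, str], Optional[Finding]]] = {
    "O4": check_o4, "O21": check_o21, "O23": check_o23, "O17": check_o17, "F2": check_f2}


def triage(log_text: str) -> List[Finding]:
    """Return findings for every recognised line, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        result = check(m.group("rest"), raw.strip()) if check else None
        if result:
            findings.append(result)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])
```

Run over the sample, `triage(SAMPLE_LOG)` flags the `prun.exe` autorun and the `JcZgSr` SSODL entry as HIGH, the SYSTEM-profile `msnmsgr` entry as MEDIUM and `AbelService` as LOW, and stays silent on the Java updater, the Symantec service, the private 192.168.2.1 resolver and the stock UserInit. Two caveats: an O17 entry pointing at a public ISP resolver is normal on some dial-up and PPPoE setups, so the HIGH there means "compare against the resolver you expect", and the F2 check assumes Windows lives in `\WINDOWS` on some drive.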

Hoov
Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #1 on: April 02, 2009, 12:41:57 PM »
Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem.

Second, please only use one forum to help clear up your problem. Posting on more than one and following instructions from more than one forum will cause those helping you to pull out their hair.

Third, follow my instructions. If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me; it may make a difference in where we go.

Fourth, have faith. I will do all I can to get your computer working, and if I can't, someone else here will know something else to try.

Now onto trying to fix your computer.

Is there a reason why you have not updated to SP3?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

    Former Consumer Security MVP
    2011-2014

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    adf1962
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #2 on: April 02, 2009, 07:35:28 PM »
    Hi Hoov,

    Nice to meet you, and thanks for taking on my case.  Sorry for the late reply, but this is my home computer and I live in EDT.

    So here's some history since I last posted.

    0.  Funny you should mention SP3; last night my updates asked me if I wanted to install SP3, but I was worried, given the slow performance of my Internet, that I shouldn't bother.  I see that as a mistake and maybe I should have let it run overnight.

    1.  I did install mbam and ran it but the installation copy had Current Database information as of 3-26-2009 (database version 1904).

    2. I went into the msconfig and unchecked wherever I saw PRUN.  Didn't help much because more of them popped up.

    3.  When I log in, I get WGATRAY launching reminding me that I should be running a Genuine copy.  I just hit Cancel.

    4.  I ran Spybot a few times and cleaned up a few things but the same things kept popping up.

    5.  I have Symantec but it says that my scans are clean and I have the updated definitions.

    6.  I updated the Malware definitions manually as you said but  Current Database information as of 3-24-2009 (database version 1893) . . .?  I ran it anyway and it found something (which I will present to you further down). 

    7.  I uninstalled and then reinstalled Malwarebytes just to make sure I wasn't seeing things and yup, it had a later date.  I ran this copy but it said it found nothing!  Later definitions, clean . . . older definitions, not clean.

    8.  As you will see below, I made the mistake of running something called Error Nuker.  Knew it was too good to be true.

    So Hoov, should I still do the manual update and go with the 3-24-2009?

    Should I go ahead and try SP3?

    Thanks for your time Hoov and I look forward to getting this behind us.



    ADF


    =====================================================


    Here are the results from Malware:


    Malwarebytes' Anti-Malware 1.35
    Database version: 1893
    Windows 5.1.2600 Service Pack 2

    4/2/2009 8:45:11 PM
    mbam-log-2009-04-02 (20-45-11).txt

    Scan type: Quick Scan
    Objects scanned: 111445
    Time elapsed: 11 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    Hoov
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #3 on: April 02, 2009, 07:51:25 PM »
    Hold off on the update for now. When you get clean, then the update should be done.

    * Anyone other than the originator of this thread would be best advised not to run ComboFix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

    Run ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

    Please include the C:\ComboFix.txt in your next reply for further review.

    Note:
    Do not mouse-click ComboFix's window while it's running; that may cause it to stall.




    adf1962
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #4 on: April 02, 2009, 10:02:38 PM »
    Hi Hoov,

    Getting ComboFix was a challenge because for one thing Bleeping Computer is blocked by whatever it is I have on this machine.

    I ran ComboFix and all that I saw was a progress bar with green dots which lasted about 15 seconds and then . . . nothing.  No windows of any kind.

    I disabled Norton and Spybot.

    ADF.

    Hoov
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #5 on: April 02, 2009, 10:48:23 PM »
    Rename combofix.exe to multifix.exe and then reboot to safe mode and run it from there.


    adf1962
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #6 on: April 02, 2009, 11:18:06 PM »

    Same thing happened.

    This time I noticed that when I tried to move the file, it asked me if I wanted to extract the contents . . which I did.

    Looks like the ComboFix or Multifix contains other programs.

    Which one(s) do I run now?

    ADF

    Hoov
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #7 on: April 03, 2009, 08:34:40 AM »
    You don't extract the files. That part is all automatic. I would like you to redownload it. I am sending you a PM with a new link. When you click on the link and it asks if you want to save it or run it, save it, but rename it to multifix.exe and then download it. That way there will be no problems with moving or renaming. Then reboot to safe mode and run it from the same place you saved it to when you downloaded it, so save it someplace easy to get to like the desktop.  Follow the same directions other than that, though.


    adf1962
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #8 on: April 08, 2009, 10:20:38 PM »
    Hi Hoov,

    Thanks for being patient while I got through some distractions.

    I ran ComboFix and it worked this time.

    Here is the report as found in ComboFix.txt

    Let me know what's next.

    ComboFix 09-04-01.01 - Administrator 2009-04-08 23:59:43.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.813 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\crosof~1.net
    c:\program files\crosof~1.net\??crosoft.NET\
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\dumphive.exe
    c:\windows\system32\jhijlwpb.ini
    c:\windows\system32\mexaoxxe.ini
    c:\windows\system32\mpg4c32.dll
    c:\windows\system32\niltktic.ini
    c:\windows\system32\pdqschsd.ini
    c:\windows\system32\Process.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\sstem3~1
    c:\windows\system32\sstem3~1\s?stem32\
    c:\windows\system32\tmp.reg
    c:\windows\system32\txewdxni.ini
    c:\windows\system32\ubueavxo.ini
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe

    .
    (((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
    .

    2009-04-08 21:59 . 2009-04-08 21:59   <DIR>   d--------   c:\documents and settings\Rosina\Application Data\Malwarebytes
    2009-04-02 20:55 . 2009-04-02 20:55   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
    2009-04-02 20:55 . 2009-03-26 16:49   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-02 20:55 . 2009-03-26 16:49   15,504   --a------   c:\windows\system32\drivers\mbam.sys
    2009-04-02 19:42 . 2009-04-02 19:42   <DIR>   d--------   c:\windows\Open RegEdit
    2009-04-02 19:42 . 2009-04-02 19:42   <DIR>   d--------   c:\program files\Open RegEdit
    2009-04-01 23:38 . 2009-04-01 23:54   <DIR>   d-a------   c:\documents and settings\All Users\Application Data\TEMP
    2009-04-01 22:49 . 2003-06-25 16:05   266,360   --a------   c:\windows\system32\TweakUI.exe
    2009-04-01 22:49 . 2002-06-21 15:09   160,217   --a------   c:\windows\system32\PowerToysLicense.rtf
    2009-04-01 21:29 . 2009-04-01 21:29   <DIR>   d--------   C:\EmergencyUtils
    2009-04-01 07:42 . 2009-04-01 07:42   <DIR>   d--------   c:\windows\system32\KB905474
    2009-04-01 07:42 . 2009-03-10 22:26   1,403,264   --a------   c:\windows\system32\KB905474\wganotifypackageinner.exe
    2009-04-01 07:42 . 2009-03-10 22:18   453,512   --a------   c:\windows\system32\KB905474\wgasetup.exe
    2009-04-01 07:42 . 2009-02-09 18:51   12,490   --a------   c:\windows\system32\KB905474\wga_eula.txt
    2009-03-31 23:13 . 2009-03-31 23:13   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-03-31 22:32 . 2008-11-06 02:03   <DIR>   d--------   C:\SDFix
    2009-03-29 00:06 . 2009-03-29 00:06   <DIR>   d--------   c:\documents and settings\Tony\Application Data\Malwarebytes
    2009-03-29 00:06 . 2009-03-29 00:06   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-27 19:28 . 2009-03-27 19:28   <DIR>   d--------   c:\documents and settings\Tony\DoctorWeb
    2009-03-26 23:42 . 2009-03-26 23:42   <DIR>   d--------   c:\documents and settings\Tony\Application Data\AVS4YOU
    2009-03-26 23:42 . 2009-03-26 23:42   <DIR>   d--------   c:\documents and settings\All Users\Application Data\AVS4YOU
    2009-03-26 23:34 . 2009-03-26 23:34   <DIR>   d--------   c:\program files\Common Files\AVSMedia
    2009-03-26 23:34 . 2008-11-17 10:40   1,700,352   --a------   c:\windows\system32\GdiPlus.dll
    2009-03-26 23:34 . 2008-11-17 10:40   524,288   --a------   c:\windows\system32\xvidcore.dll
    2009-03-26 23:34 . 2008-11-17 10:40   487,424   --a------   c:\windows\system32\msvcp70.dll
    2009-03-26 23:34 . 2008-11-17 10:40   261,632   --a------   c:\windows\system32\mcdvd_32.dll
    2009-03-26 23:34 . 2008-11-17 10:40   156,910   --a------   c:\windows\WMSysPr8.prx
    2009-03-26 23:34 . 2008-11-17 10:40   139,264   --a------   c:\windows\system32\xvidvfw.dll
    2009-03-26 23:34 . 2008-11-17 10:40   82,944   --a------   c:\windows\system32\vct3216.acm
    2009-03-26 23:34 . 2008-11-17 10:40   81,920   --a------   c:\windows\system32\AC3ACM.acm
    2009-03-26 23:34 . 2008-11-17 10:40   53,248   --a------   c:\windows\system32\xvid.ax
    2009-03-26 23:34 . 2008-11-17 10:40   38,912   --a------   c:\windows\system32\alf2cd.acm
    2009-03-26 23:34 . 2008-11-17 10:40   13,239   --a------   c:\windows\system32\Scg726.acm
    2009-03-26 23:33 . 2009-03-26 23:34   <DIR>   d--------   c:\program files\AVS4YOU
    2009-03-26 23:33 . 2008-11-17 10:40   24,576   --a------   c:\windows\system32\msxml3a.dll

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-09 03:54   ---------   d-----w   c:\program files\Symantec AntiVirus
    2009-04-08 06:32   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
    2009-04-03 03:59   ---------   d-----w   c:\program files\Spybot - Search & Destroy
    2009-04-02 04:20   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-30 21:59   ---------   d-----w   c:\program files\Trend Micro
    2009-02-25 01:47   ---------   d-----w   c:\program files\DivX
    2009-02-09 10:19   1,846,272   ----a-w   c:\windows\system32\win32k.sys
    2009-02-09 10:19   1,846,272   ----a-w   c:\windows\system32\dllcache\win32k.sys
    2008-12-30 15:32   106,384   ----a-w   c:\documents and settings\Rosina\Application Data\GDIPFONTCACHEV1.DAT
    2008-10-10 01:39   90,936   ----a-w   c:\documents and settings\Tony\Application Data\GDIPFONTCACHEV1.DAT
    2005-02-16 20:25   46,592   ----a-w   c:\program files\R3vfy32.exe
    2006-05-03 10:06   163,328   --sha-r   c:\windows\system32\flvDX.dll
    2007-02-21 11:47   31,232   --sha-r   c:\windows\system32\msfDX.dll
    2007-12-17 13:43   27,648   --sha-w   c:\windows\system32\Smab0.dll
    .

    ------- Sigcheck -------

    2005-06-10 20:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788   c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2008-04-13 20:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b   c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
    2008-10-12 01:34  58880  25fab8550338de845ada9d26b6c7e490   c:\windows\system32\spoolsv.exe
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingB532"="command" [X]
    "SpybotDeletingD952"="del" [X]
    "SpybotDeletingB9022"="command" [X]
    "SpybotDeletingD1824"="del" [X]
    "SpybotDeletingB6653"="command" [X]
    "SpybotDeletingD3403"="del" [X]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-04 235936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-05-03 4341760]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
    "openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
    "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2007-08-09 930816]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 344064]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-09-27 125168]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
    "MSConfig"="c:\emergencyutils\Copy_of_MSConfig.exe" [2004-08-04 158208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2005-08-30 25896]
    HPAiODevice(hp psc 900 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-09-26 487484]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-07-13 450560]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-02-19 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Disney\Mix Central
    Uninstall Disney Mix-It Plug-in and Skin.lnk - c:\windows\system32\msiexec.exe [2004-08-11 78848]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=fgiurq.dll nsfbjx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
    "vidc.3IV2"= 3ivxVfWCodec_dec.dll
    "VIDC.ACDV"= ACDV.dll
    "vidc.MJPG"= m3jpeg32.dll
    "vidc.dmb1"= m3jpeg32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "lphc3nvj0eca3"=c:\windows\system32\lphc3nvj0eca3.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
    "c:\\Program Files\\Alchemy Mindworks\\GIF Construction Set Professional\\ALCHUDDL.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Software AG\\Entire Connection\\v431\\PccServer.exe"=
    "c:\\Program Files\\LogiSphere\\LogiSphere.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Look@LAN\\LookAtHost.exe"=
    "c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
    "c:\\Program Files\\AbelCam\\AbelCam.exe"=
    "c:\\Program Files\\Ares\\Ares.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "c:\\Program Files\\SecondLife\\SecondLife.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\NewsBin\\nbpro.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-13 28544]
    S1 279740b0;279740b0;c:\windows\system32\drivers\279740b0.sys --> c:\windows\system32\drivers\279740b0.sys [?]
    S3 AbelService;AbelService;c:\program files\AbelCam\AbelService.exe [2007-02-25 81920]
    S3 ENDETECT;ENDETECT;c:\progra~1\Bell\ACCESS~1\app\ENDETECT.SYS [2006-02-18 7752]
    S3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [2006-02-18 40832]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
    S3 NTSTPL1;NTSTPL1;c:\progra~1\Bell\ACCESS~1\app\NTSTPL1.SYS [2006-02-18 16160]
    S3 NTSTPL2;NTSTPL2;c:\progra~1\Bell\ACCESS~1\app\NTSTPL2.SYS [2007-05-24 16160]
    S3 RAWESR;RAWESR;c:\progra~1\Bell\ACCESS~1\app\RAWESR.SYS [2006-02-18 16256]
    S3 sasrfcService;sasrfc Service;c:\program files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe [2006-02-18 41984]
    S3 savroam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
    S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2004-06-23 23552]
    S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2007-07-25 25088]
    S3 TAPBIND;TAPBIND;c:\progra~1\Bell\ACCESS~1\app\TAPBIND1.SYS [2006-02-18 44736]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - e:\kioskviewer\bin\kioskmain.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-09 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 01:30]

    2009-04-09 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]

    2008-10-14 c:\windows\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-26 15:31]

    2009-04-09 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
    HKLM-Run--FreedomNeedsReboot - c:\program files\Bell\Security Manager\ZkRunOnceR.exe
    HKLM-Run-prunnet - c:\docume~1\Tony\LOCALS~1\Temp\prun.exe
    SSODL-JcZgSr-{44A63D61-EE0C-97CB-3CAF-1B926BE92182} - c:\windows\system32\epxbne.dll
    MSConfigStartUp-prunnet - c:\docume~1\Tony\LOCALS~1\Temp\prun.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    TCP: {9541D7A2-AEB9-4B63-8C25-CD1FB2433AF1} = 192.168.2.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g6qas6e3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-09 00:06:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-04-09  0:08:47
    ComboFix-quarantined-files.txt  2009-04-09 04:08:45

    Pre-Run: 63,196,127,232 bytes free
    Post-Run: 64,843,755,520 bytes free

    245   --- E O F ---   2009-04-01 11:42:31

    Offline Hoov

    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #9 on: April 08, 2009, 10:34:14 PM »
    How is your computer running now? Check out the problems you were having and see if any of them have changed at all or been fixed. Let me know.

    Offline adf1962

    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #10 on: April 09, 2009, 05:11:08 AM »
    part 1 (won't let me paste everything).


    Much better. Thanks a million.

    CMD is fixed.

    Regedit is fixed.

    IE no longer redirecting to other pages and no longer crashing.

    2 other observations:

    1. The Windows Genuine Advantage Notification - Installation Wizard still pops up.

    2. Spybot detected one other bug, I'll add the report later, it's too big.

    Aside from that all seems normal.  Should I install SP3 yet?

    Thanks again!

    ADF

    Offline Hoov

    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #11 on: April 09, 2009, 10:04:56 AM »
    Yes, install SP3. You will have to install the Windows Genuine Advantage Notification eventually, probably before SP3 will install. Let me know about the bug Spybot found.

    Offline adf1962

    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #12 on: April 09, 2009, 10:08:34 AM »
    Part 2

    Here is part of the Spybot report.  It's too big to post all of it so I only put the top half with the important bits.

    Apparently it still shows prunnet. It says fixed, but I'm not so sure.

    How do I know if the Windows Genuine Advantage Notification is legit and not a virus?

    ADF



    IRC.crt: [SBI $85946BC3] Autorun settings (prunnet) (Registry value, fixed)
      HKEY_USERS\S-1-5-21-3860373334-2885350956-181780697-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet


    --- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-04-02 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2009-01-22 Includes\Adware.sbi (*)
    2009-03-25 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-03-31 Includes\Dialer.sbi (*)
    2009-03-25 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2009-02-10 Includes\Hijackers.sbi (*)
    2009-03-03 Includes\HijackersC.sbi (*)
    2009-03-17 Includes\Keyloggers.sbi (*)
    2009-03-17 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2009-03-25 Includes\Malware.sbi (*)
    2009-03-31 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2009-03-31 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-03-23 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-01-28 Includes\Spyware.sbi (*)
    2009-01-28 Includes\SpywareC.sbi (*)
    2009-03-25 Includes\Tracks.uti
    2009-03-30 Includes\Trojans.sbi (*)
    2009-03-31 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
    2008-03-04 Plugins\zChai.dll
    2008-03-05 Plugins\zFennel.dll
    2008-02-26 Plugins\zMate.dll
    2007-12-24 Plugins\zTCPIPAddress.dll



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
     / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
     / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
     / MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
     / MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
     / MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
     / Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
     / Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
     / Windows Media Encoder: Security Update for Windows Media Encoder (KB954156)
     / Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
     / Windows Media Player: Security Update for Windows Media Player (KB952069)
     / Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
     / Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
     / Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
     / Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
     / Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
     / Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
     / Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
     / Windows XP: Security Update for Windows XP (KB923689)
     / Windows XP: Security Update for Windows XP (KB941569)
     / Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
     / Windows XP / SP3: Windows XP Hotfix - KB873339
     / Windows XP / SP3: Windows XP Hotfix - KB885250
     / Windows XP / SP3: Windows XP Hotfix - KB885835
     / Windows XP / SP3: Windows XP Hotfix - KB885836
     / Windows XP / SP3: Windows XP Hotfix - KB885884
     / Windows XP / SP3: Windows XP Hotfix - KB886185
     / Windows XP / SP3: Windows XP Hotfix - KB887472
     / Windows XP / SP3: Windows XP Hotfix - KB887742
     / Windows XP / SP3: Windows XP Hotfix - KB888113
     / Windows XP / SP3: Windows XP Hotfix - KB888302
     / Windows XP / SP3: Windows XP Hotfix - KB888310
     / Windows XP / SP3: Windows XP Hotfix - KB889673
     / Windows XP / SP3: Security Update for Windows XP (KB890046)
     / Windows XP / SP3: Windows XP Hotfix - KB890175
     / Windows XP / SP3: Windows XP Hotfix - KB890859
     / Windows XP / SP3: Windows XP Hotfix - KB891781
     / Windows XP / SP3: Security Update for Windows XP (KB893756)
     / Windows XP / SP3: Windows Installer 3.1 (KB893803)
     / Windows XP / SP3: Update for Windows XP (KB894391)
     / Windows XP / SP3: Hotfix for Windows XP (KB896256)
     / Windows XP / SP3: Security Update for Windows XP (KB896358)
     / Windows XP / SP3: Security Update for Windows XP (KB896422)
     / Windows XP / SP3: Security Update for Windows XP (KB896423)
     / Windows XP / SP3: Security Update for Windows XP (KB896424)
     / Windows XP / SP3: Security Update for Windows XP (KB896428)
     / Windows XP / SP3: Security Update for Windows XP (KB896688)
     / Windows XP / SP3: Update for Windows XP (KB898461)
     / Windows XP / SP3: Security Update for Windows XP (KB899587)
     / Windows XP / SP3: Security Update for Windows XP (KB899588)
     / Windows XP / SP3: Security Update for Windows XP (KB899589)
     / Windows XP / SP3: Security Update for Windows XP (KB899591)
     / Windows XP / SP3: Update for Windows XP (KB900485)
     / Windows XP / SP3: Security Update for Windows XP (KB900725)
     / Windows XP / SP3: Security Update for Windows XP (KB901017)
     / Windows XP / SP3: Security Update for Windows XP (KB901214)
     / Windows XP / SP3: Security Update for Windows XP (KB902400)
     / Windows XP / SP3: Security Update for Windows XP (KB904706)
     / Windows XP / SP3: Security Update for Windows XP (KB905414)
     / Windows XP / SP3: Security Update for Windows XP (KB905749)
     / Windows XP / SP3: Security Update for Windows XP (KB905915)
     / Windows XP / SP3: Security Update for Windows XP (KB908519)
     / Windows XP / SP3: Security Update for Windows XP (KB908531)
     / Windows XP / SP3: Update for Windows XP (KB910437)
     / Windows XP / SP3: Security Update for Windows XP (KB911280)
     / Windows XP / SP3: Security Update for Windows XP (KB911562)
     / Windows XP / SP3: Security Update for Windows XP (KB911567)
     / Windows XP / SP3: Security Update for Windows XP (KB911927)
     / Windows XP / SP3: Security Update for Windows XP (KB912812)
     / Windows XP / SP3: Security Update for Windows XP (KB912919)
     / Windows XP / SP3: Security Update for Windows XP (KB913446)
     / Windows XP / SP3: Security Update for Windows XP (KB913580)
     / Windows XP / SP3: Security Update for Windows XP (KB914388)
     / Windows XP / SP3: Security Update for Windows XP (KB914389)
     / Windows XP / SP3: Security Update for Windows XP (KB916281)
     / Windows XP / SP3: Update for Windows XP (KB916595)
     / Windows XP / SP3: Security Update for Windows XP (KB917159)
     / Windows XP / SP3: Security Update for Windows XP (KB917344)
     / Windows XP / SP3: Security Update for Windows XP (KB917422)
     / Windows XP / SP3: Security Update for Windows XP (KB917953)
     / Windows XP / SP3: Security Update for Windows XP (KB918118)
     / Windows XP / SP3: Security Update for Windows XP (KB918439)
     / Windows XP / SP3: Security Update for Windows XP (KB918899)
     / Windows XP / SP3: Security Update for Windows XP (KB919007)
     / Windows XP / SP3: Security Update for Windows XP (KB920213)
     / Windows XP / SP3: Security Update for Windows XP (KB920214)
     / Windows XP / SP3: Security Update for Windows XP (KB920670)
     / Windows XP / SP3: Security Update for Windows XP (KB920683)
     / Windows XP / SP3: Security Update for Windows XP (KB920685)
     / Windows XP / SP3: Update for Windows XP (KB920872)
     / Windows XP / SP3: Security Update for Windows XP (KB921398)
     / Windows XP / SP3: Security Update for Windows XP (KB921503)
     / Windows XP / SP3: Security Update for Windows XP (KB921883)
     / Windows XP / SP3: Update for Windows XP (KB922582)
     / Windows XP / SP3: Security Update for Windows XP (KB922616)
     / Windows XP / SP3: Security Update for Windows XP (KB922760)
     / Windows XP / SP3: Security Update for Windows XP (KB922819)
     / Windows XP / SP3: Security Update for Windows XP (KB923191)
     / Windows XP / SP3: Security Update for Windows XP (KB923414)
     / Windows XP / SP3: Security Update for Windows XP (KB923694)
     / Windows XP / SP3: Security Update for Windows XP (KB923980)
     / Windows XP / SP3: Security Update for Windows XP (KB924191)
     / Windows XP / SP3: Security Update for Windows XP (KB924270)
     / Windows XP / SP3: Security Update for Windows XP (KB924496)
     / Windows XP / SP3: Security Update for Windows XP (KB924667)
     / Windows XP / SP3: Security Update for Windows XP (KB925454)
     / Windows XP / SP3: Security Update for Windows XP (KB925486)
     / Windows XP / SP3: Security Update for Windows XP (KB925902)
     / Windows XP / SP3: Hotfix for Windows XP (KB926239)
     / Windows XP / SP3: Security Update for Windows XP (KB926255)
     / Windows XP / SP3: Security Update for Windows XP (KB926436)
     / Windows XP / SP3: Security Update for Windows XP (KB927779)
     / Windows XP / SP3: Security Update for Windows XP (KB927802)
     / Windows XP / SP3: Update for Windows XP (KB927891)
     / Windows XP / SP3: Security Update for Windows XP (KB928090)
     / Windows XP / SP3: Security Update for Windows XP (KB928255)
     / Windows XP / SP3: Security Update for Windows XP (KB928843)
     / Windows XP / SP3: Security Update for Windows XP (KB929123)
     / Windows XP / SP3: Update for Windows XP (KB929338)
     / Windows XP / SP3: Security Update for Windows XP (KB929969)
     / Windows XP / SP3: Security Update for Windows XP (KB930178)
     / Windows XP / SP3: Update for Windows XP (KB930916)
     / Windows XP / SP3: Security Update for Windows XP (KB931261)
     / Windows XP / SP3: Security Update for Windows XP (KB931768)
     / Windows XP / SP3: Security Update for Windows XP (KB931784)
     / Windows XP / SP3: Update for Windows XP (KB931836)
     / Windows XP / SP3: Security Update for Windows XP (KB932168)
     / Windows XP / SP3: Update for Windows XP (KB933360)
     / Windows XP / SP3: Security Update for Windows XP (KB933566)
     / Windows XP / SP3: Security Update for Windows XP (KB933729)
     / Windows XP / SP3: Security Update for Windows XP (KB935839)
     / Windows XP / SP3: Security Update for Windows XP (KB935840)
     / Windows XP / SP3: Security Update for Windows XP (KB936021)
     / Windows XP / SP3: Update for Windows XP (KB936357)
     / Windows XP / SP3: Security Update for Windows XP (KB937143)
     / Windows XP / SP3: Security Update for Windows XP (KB937894)
     / Windows XP / SP3: Security Update for Windows XP (KB938127)
     / Windows XP / SP3: Update for Windows XP (KB938828)
     / Windows XP / SP3: Security Update for Windows XP (KB938829)
     / Windows XP / SP3: Security Update for Windows XP (KB939653)
     / Windows XP / SP3: Security Update for Windows XP (KB941202)
     / Windows XP / SP3: Security Update for Windows XP (KB941568)
     / Windows XP / SP3: Security Update for Windows XP (KB941644)
     / Windows XP / SP3: Security Update for Windows XP (KB941693)
     / Windows XP / SP3: Security Update for Windows XP (KB942615)
     / Windows XP / SP3: Update for Windows XP (KB942763)
     / Windows XP / SP3: Update for Windows XP (KB942840)
     / Windows XP / SP3: Security Update for Windows XP (KB943055)
     / Windows XP / SP3: Security Update for Windows XP (KB943460)
     / Windows XP / SP3: Security Update for Windows XP (KB943485)
     / Windows XP / SP3: Security Update for Windows XP (KB944338)
     / Windows XP / SP3: Security Update for Windows XP (KB944533)
     / Windows XP / SP3: Security Update for Windows XP (KB944653)
     / Windows XP / SP3: Security Update for Windows XP (KB945553)
     / Windows XP / SP3: Security Update for Windows XP (KB946026)
     / Windows XP / SP3: Update for Windows XP (KB946627)
     / Windows XP / SP3: Security Update for Windows XP (KB947864)
     / Windows XP / SP3: Security Update for Windows XP (KB948590)
     / Windows XP / SP3: Security Update for Windows XP (KB948881)
     / Windows XP / SP3: Security Update for Windows XP (KB950749)
     / Windows XP / SP4: Security Update for Windows XP (KB938464)
     / Windows XP / SP4: Security Update for Windows XP (KB946648)
     / Windows XP / SP4: Security Update for Windows XP (KB950759)
     / Windows XP / SP4: Security Update for Windows XP (KB950760)
     / Windows XP / SP4: Security Update for Windows XP (KB950762)
     / Windows XP / SP4: Security Update for Windows XP (KB950974)
     / Windows XP / SP4: Security Update for Windows XP (KB951066)
     / Windows XP / SP4: Update for Windows XP (KB951072-v2)
     / Windows XP / SP4: Security Update for Windows XP (KB951376)
     / Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
     / Windows XP / SP4: Security Update for Windows XP (KB951698)
     / Windows XP / SP4: Security Update for Windows XP (KB951748)
     / Windows XP / SP4: Hotfix for Windows XP (KB952287)
     / Windows XP / SP4: Security Update for Windows XP (KB952954)
     / Windows XP / SP4: Security Update for Windows XP (KB953838)
     / Windows XP / SP4: Security Update for Windows XP (KB953839)
     / Windows XP / SP4: Security Update for Windows XP (KB954211)
     / Windows XP / SP4: Security Update for Windows XP (KB954600)
     / Windows XP / SP4: Security Update for Windows XP (KB955069)
     / Windows XP / SP4: Update for Windows XP (KB955839)
     / Windows XP / SP4: Security Update for Windows XP (KB956390)
     / Windows XP / SP4: Security Update for Windows XP (KB956391)
     / Windows XP / SP4: Security Update for Windows XP (KB956802)
     / Windows XP / SP4: Security Update for Windows XP (KB956803)
     / Windows XP / SP4: Security Update for Windows XP (KB956841)
     / Windows XP / SP4: Security Update for Windows XP (KB957095)
     / Windows XP / SP4: Security Update for Windows XP (KB957097)
     / Windows XP / SP4: Security Update for Windows XP (KB958215)
     / Windows XP / SP4: Security Update for Windows XP (KB958644)
     / Windows XP / SP4: Security Update for Windows XP (KB958687)
     / Windows XP / SP4: Security Update for Windows XP (KB958690)
     / Windows XP / SP4: Security Update for Windows XP (KB960225)
     / Windows XP / SP4: Security Update for Windows XP (KB960714)
     / Windows XP / SP4: Security Update for Windows XP (KB960715)
     / Windows XP / SP4: Update for Windows XP (KB967715)


    --- Startup entries list ---
    Located: HK_LM:Run, ATIPTA
    command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
       file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
       size: 344064
        MD5: 6B20C23BCCAD01E454DE83D31DEAED88

    Located: HK_LM:Run, BellCanada_McciTrayApp
    command: C:\Program Files\BellCanada\McciTrayApp.exe
       file: C:\Program Files\BellCanada\McciTrayApp.exe
       size: 930816
        MD5: 725F5F65AB3FF0F410AC32133BF54B4A

    Located: HK_LM:Run, BlackBerryAutoUpdate
    command: C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
       file: C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
       size: 615696
        MD5: 5134D42A5C3EC541663FBACBCB98B689

    Located: HK_LM:Run, ccApp
    command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
       file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
       size: 52896
        MD5: 1918A1D8E67A6452720797919FA520C9

    Located: HK_LM:Run, dla
    command: C:\WINDOWS\system32\dla\tfswctrl.exe
       file: C:\WINDOWS\system32\dla\tfswctrl.exe
       size: 127035
        MD5: 2CA827BA68D0CDB5437C40C6F53D7F20

    Located: HK_LM:Run, DVDLauncher
    command: "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
       file: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
       size: 53248
        MD5: B3E3C57FD22E71CE20389372D972C6DC

    Located: HK_LM:Run, ISUSPM Startup
    command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
       file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
       size: 205480
        MD5: 23518AA08D8B22CD27AA54FC21D0AC87

    Located: HK_LM:Run, ISUSScheduler
    command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
       file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
       size: 86960
        MD5: BD935D4F16C3B49AD58F6071A0AFFCF4

    Located: HK_LM:Run, iTunesHelper
    command: "C:\Program Files\iTunes\iTunesHelper.exe"
       file: C:\Program Files\iTunes\iTunesHelper.exe
       size: 267048
        MD5: 29ABA5DBAF0ADBFF426E7229412D6411

    Located: HK_LM:Run, LogitechVideoRepair
    command: C:\Program Files\Logitech\Video\ISStart.exe
       file: C:\Program Files\Logitech\Video\ISStart.exe
       size: 458752
        MD5: B5652E4B805E404A0D5D8177B401802A

    Located: HK_LM:Run, LogitechVideoTray
    command: C:\Program Files\Logitech\Video\LogiTray.exe
       file: C:\Program Files\Logitech\Video\LogiTray.exe
       size: 217088
        MD5: FE6E15CC578C3278755CDDFF70C2787D

    Located: HK_LM:Run, LVCOMSX
    command: C:\WINDOWS\system32\LVCOMSX.EXE
       file: C:\WINDOWS\system32\LVCOMSX.EXE
       size: 221184
        MD5: F0431C490F124A8CC874163E6A38DD28

    Located: HK_LM:Run, openvpn-gui
    command: C:\Program Files\OpenVPN\bin\openvpn-gui.exe
       file: C:\Program Files\OpenVPN\bin\openvpn-gui.exe
       size: 99328
        MD5: D5DE3333EA2BB10015F484134565DB92

    Located: HK_LM:Run, QuickTime Task
    command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
       file: C:\Program Files\QuickTime\QTTask.exe
       size: 286720
        MD5: C41FE114D9D7710EDA1189D304D85088

    Located: HK_LM:Run, RoxWatchTray
    command: "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
       file: C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
       size: 236016
        MD5: E512C8C8FB093221BB667250F253EBE9

    Located: HK_LM:Run, SoundMAXPnP
    command: C:\Program Files\Analog Devices\Core\smax4pnp.exe
       file: C:\Program Files\Analog Devices\Core\smax4pnp.exe
       size: 1404928
        MD5: 10247C15D999CC116C87DA36BD0AD64D

    Located: HK_LM:Run, SpeedTouch USB Diagnostics
    command: "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
       file: C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
       size: 4341760
        MD5: A6F53157F65DF0C61E1EB1BE1AFEFF4C

    Located: HK_LM:Run, vptray
    command: C:\PROGRA~1\SYMANT~1\\vptray.exe
       file: C:\PROGRA~1\SYMANT~1\\vptray.exe
       size: 125168
        MD5: A1307C939E5216317E363D06A5473C7D

    Located: HK_LM:Run, lphc3nvj0eca3 (DISABLED)
    command: C:\WINDOWS\system32\lphc3nvj0eca3.exe
       file: C:\WINDOWS\system32\lphc3nvj0eca3.exe
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: HK_CU:Run, msnmsgr
      where: .DEFAULT...
    command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
       file: C:\Program Files\MSN Messenger\msnmsgr.exe
       size: 5674352
        MD5: C4281AD865739E71FD1E4DAC19A68D60

    Located: HK_CU:Run, ctfmon.exe
      where: S-1-5-21-3860373334-2885350956-181780697-1006...
    command: C:\WINDOWS\system32\ctfmon.exe
       file: C:\WINDOWS\system32\ctfmon.exe
       size: 15360
        MD5: 24232996A38C0B0CF151C2140AE29FC8

    Located: HK_CU:Run, ISUSPM
      where: S-1-5-21-3860373334-2885350956-181780697-1006...
    command: "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
       file: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
       size: 205480
        MD5: 23518AA08D8B22CD27AA54FC21D0AC87

    Located: HK_CU:Run, prunnet
      where: S-1-5-21-3860373334-2885350956-181780697-1006...
    command: "C:\DOCUME~1\Tony\LOCALS~1\Temp\prun.exe"
       file: C:\DOCUME~1\Tony\LOCALS~1\Temp\prun.exe
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: HK_CU:Run, Qchnh
      where: S-1-5-21-3860373334-2885350956-181780697-1006...
    command: "C:\Documents and Settings\Tony\My Documents\s?mbols\w?nlogon.exe"
       file: C:\Documents and Settings\Tony\My Documents\s?mbols\w?nlogon.exe
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: HK_CU:Run, SpybotSD TeaTimer
      where: S-1-5-21-3860373334-2885350956-181780697-1006...
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
       file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
       size: 2260480
        MD5: 390679F7A217A5E73D756276C40AE887

    Located: HK_CU:Run, swg
      where: S-1-5-21-3860373334-2885350956-181780697-1006...
    command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
       file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
       size: 68856
        MD5: E616A6A6E91B0A86F2F6217CDE835FFE

    Located: HK_CU:Run, Tair
      where: S-1-5-21-3860373334-2885350956-181780697-1006...
    command: "C:\WINDOWS\system32\SSTEM3~1\wowexec.exe" -vt ndrv
       file: C:\WINDOWS\system32\SSTEM3~1\wowexec.exe
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: HK_CU:Run, msnmsgr
      where: S-1-5-18...
    command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
       file: C:\Program Files\MSN Messenger\msnmsgr.exe
       size: 5674352
        MD5: C4281AD865739E71FD1E4DAC19A68D60

    Located: Startup (common), Adobe Reader Speed Launch.lnk
      where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
       file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
       size: 29696
        MD5: DEB88AEF013DD1EEFB462D7CAD642166

    Located: Startup (common), Event Planner Reminder.lnk
      where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
       file: C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
       size: 25896
        MD5: 6D563B2AE816E856771C1763E651022A

    Located: Startup (common), HPAiODevice(hp psc 900 series) - 1.lnk
      where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
       file: C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
       size: 487484
        MD5: 1E26C267BF205FAC2FF01EBD1716A6A7

    Located: Startup (common), Logitech Desktop Messenger.lnk
      where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
       file: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
       size: 450560
        MD5: A5E4CD281C93E174181C5873FAFD4F16

    Located: Startup (common), Microsoft Office.lnk
      where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
       file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
       size: 83360
        MD5: 5BC65464354A9FD3BEAA28E18839734A

    Located: Startup (common), NkbMonitor.exe.lnk
      where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
       file: C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
       size: 118784
        MD5: 95657F77181AEE4A905EAE06FBA74FC8

    Located: WinLogon, crypt32chain
    command: crypt32.dll
       file: crypt32.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, cryptnet
    command: cryptnet.dll
       file: cryptnet.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, cscdll
    command: cscdll.dll
       file: cscdll.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, navlogon
    command: C:\WINDOWS\system32\NavLogon.dll
       file: C:\WINDOWS\system32\NavLogon.dll
       size: 43760
        MD5: C83DFC5CD817AB5C90D3E338A5060BAE

    Located: WinLogon, ScCertProp
    command: wlnotify.dll
       file: wlnotify.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, Schedule
    command: wlnotify.dll
       file: wlnotify.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll
       file: sclgntfy.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, SensLogn
    command: WlNotify.dll
       file: WlNotify.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, termsrv
    command: wlnotify.dll
       file: wlnotify.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, WgaLogon
    command: WgaLogon.dll
       file: WgaLogon.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!

    Located: WinLogon, wlballoon
    command: wlnotify.dll
       file: wlnotify.dll
       size: 0
        MD5: D41D8CD98F00B204E9800998ECF8427E
             Warning: if the file is actually larger than 0 bytes,
             the checksum could not be properly calculated!



    --- Browser helper object list ---
    {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
              location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
              BHO name:
            CLSID name: Windows Live Sign-in Helper
                  Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
             Long name: WindowsLiveLogin.dll
            Short name:       WINDOW~1.DLL
        Date (created): 4/17/2006 1:32:58 PM
    Date (last access): 4/9/2009 6:14:30 AM
     Date (last write): 4/17/2006 1:32:58 PM
              Filesize:             323904
            Attributes:           archive
                   MD5: 4D834364B09155778A3330A67EBD4621
                 CRC32:           D2CB2586
               Version:          4.0.248.1

    {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
              location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
              BHO name:
            CLSID name: Google Toolbar Helper
           description: Google toolbar
        classification: Open for discussion
        known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
             info link: http://toolbar.google.com/
           info source: TonyKlein
                  Path: C:\Program Files\Google\Google Toolbar\
             Long name:  GoogleToolbar.dll
            Short name:       GOOGLE~1.DLL
        Date (created): 10/14/2008 6:35:28 PM
    Date (last access): 4/9/2009 6:13:28 AM
     Date (last write): 11/19/2008 8:57:34 AM
              Filesize:             251504
            Attributes:           archive
                   MD5: 105EBC389FEB20A5A6DE47316001B7F1
                 CRC32:           3760EC78

    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
              location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
              BHO name:
            CLSID name: Google Toolbar Notifier BHO
                  Path: C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\
             Long name:            swg.dll
            Short name:                  
        Date (created): 3/24/2009 1:30:52 AM
    Date (last access): 4/9/2009 6:19:46 AM
     Date (last write): 3/24/2009 1:30:54 AM
              Filesize:             668656
            Attributes:           archive
                   MD5: D1585B06DED161E13B905DC4FFBF7F12
                 CRC32:           88D5BAA5
               Version:      5.1.1309.3572


    Offline Hoov

    • Malware Removal Mentors
    • Administrator
    • Diamond Member
    • Posts: 27147
    • Unwilling part owner of Gov't. Motors and Chrysler
      • Hoov's Personal Site
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #13 on: April 09, 2009, 10:59:14 AM »
    If you run a Windows update and it says it needs to be installed, then go ahead and install it. If it is a virus, then it is written by Microsoft, and everyone who is doing updates has it. It is a program that verifies that your copy of Windows is a legally installed copy, and has not been pirated from some other source.

    Former Consumer Security MVP
    2011-2014

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Offline adf1962

    • Bronze Member
    • Posts: 67
    Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
    « Reply #14 on: April 09, 2009, 12:55:32 PM »
    OK then, tonight I'll do the updates including SP3.

    Should I worry about

    IRC.crt: [SBI $85946BC3] Autorun settings (prunnet) (Registry value, fixed)
      HKEY_USERS\S-1-5-21-3860373334-2885350956-181780697-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet

    thanks,

    ADF