Author Topic: searchtracker.net - Trouble Removing


Offline steph7809

  • Bronze Member
  • Posts: 4
searchtracker.net - Trouble Removing
« on: June 25, 2009, 12:15:16 AM »
Hello,

Somewhere, somehow, something got into my computer. The darn "thing" redirects me to random pages when I Google anything. I think I'm clicking on something I want to look up, and instead I end up at strange sites like random myspace pages, DIY pages, or something odd like that. Nothing bad really, just very annoying. Who knows how it got into my computer with all these new and interesting methods, but what I do know is that it's hidden in my computer but smart enough to recognize:

1) ANY website that hosts the download files for programs such as malwarebytes, SUPERantispyware, KasperKey, ComboFix, HiJackThis, and Spybot Search & Destroy. I've tried using Google Chrome (dunno if it'd happen in IE), Firefox, and Opera to navigate to those sites and it blocks me with a 404 error each darn time. So I tried using my husband's work laptop to navigate to those sites and download the files, and was successful. I stuck them all on my thumbdrive.

2) I've yet to use them though after my last attempt failed. I renamed ALL of them to something gibberish because when I first tried to run ComboFix as it is, or malwarebytes as it is, it blocked both of them (they did absolutely nothing, or failed to install). So right now I am running AVAST, because someone said that it wouldn't hurt to check. But I have a feeling it's not going to repair it. Someone else I read said that running trojanremover.exe repaired this exact issue for them. But I'm going to ask here first for help.

I am unable to get a HijackThis log because if it stops malwarebytes, ComboFix and so forth from executing or installing, then I can imagine it will do the same to HijackThis. I even tried renaming Combo (on the desktop) and re-executing it ... guess what? Nothing happened. I tried deleting it and redownloading it (from my thumbdrive) and renaming it. Still, nothing happened. So methinks this "thing" recognizes the file and creates some kind of block, no matter what I call it. I'm just frustrated now. I use Armor Firewall, and am very careful about sites I visit or programs I download. I only play games (stuff like Pogo.com or small PC games). That's about it, aside from chatting with friends in Mommy email loops. LOL So where this came from, I don't know! But I guess the source doesn't matter so much as the solution.

I'm running Windows XP Pro 2002 Service Pack 3. I operate on wireless internet. I DO NOT use Internet Explorer. In fact, I disabled it from running because I dislike it so very much. So this is where I'm at now. Am I able to use my thumbdrive (flash drive) while in safe mode? I hope so, because I cannot get the files onto my computer without them being blocked/recognized otherwise. :( All help is appreciated. Thanks!!



Offline Mister2

  • Technical Staff Lead
  • Global Moderator
  • Gold Member
  • Posts: 2376
Re: searchtracker.net - Trouble Removing
« Reply #1 on: June 25, 2009, 07:58:14 AM »
Hi steph7809, and Welcome to us! ;D

As you no doubt guessed, we really need a log to sort this one out.  Easier said than done!

Here are a few things to try to see if we can get HJT to run (apologies if these instructions are a bit too simplified but I'm not sure what level to pitch at):

1. Using the laptop, download HiJackThis from this link - http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe and save to your flash drive.  Open My Computer and navigate to the file you downloaded (named hijackthis.exe).  Right click and select Copy.  Right click on a blank part of the window and select Paste.  You should now see a new file named Copy of hijackthis.exe.  Right click this and choose Rename.  Change the name to try.bat and press Enter.  Now try double clicking that file to see if it runs.  (Sometimes changing the filename will allow security programs to run without interference).

2.  If that doesn't work, see if you can access your flash drive from Safe Mode.  If so then try running either of the files mentioned above (hijackthis.exe or try.bat).  You could also try running MalwareBytes MBAM from the flash drive.  If this works then run the full scan, allow it to remove anything it wants to, reboot into 'normal' mode and run HiJackThis.

3. If neither of those suggestions work, see if you can download Process Explorer from here - http://live.sysinternals.com/procexp.exe .  Run the program (computer in 'normal' mode), go to File, Save and save as Procexp.txt to your Desktop.  Attach that file to your next post.  It is possible we can disable the malware enough to get a log whilst leaving your security applications running normally.

Let me know how it goes.
Never stop learning - visit the SpywareHammer Knowledgebase

Offline steph7809

  • Bronze Member
  • Posts: 4
Re: searchtracker.net - Trouble Removing
« Reply #2 on: June 25, 2009, 12:18:00 PM »
OK - So last night I stayed up reading, reading, reading. I've managed to quarantine the rootkit with ComboFix. But before I did that I used a command line that reopened my antispy and allowed it to update once again. Somehow, my firewall was removed or disabled. So this weekend I will need to dig out my NVIDIA CD and reinstall it. It's a hardware firewall, but as we see - not entirely impenetrable (especially if I or someone in my house accidentally gave it permission to enter). I then had to go into safe mode, pull the ComboFix in under a gibberish name from my thumbdrive (yippy! so glad those work in safe mode!), drop the CFScript into it and run it. It found them, and dropped them into Qoobox. (Oh, and this virus/trojan/malware/whatchamacallit is capable of disabling your system restore as well!!) Now I can run HiJackThis!

So here's what ComboFix found first:

ComboFix 09-06-23.01 - Steph 06/25/2009  2:27.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1711 [GMT -6:00]
Running from: c:\documents and settings\Steph\Desktop\xfmc1j.exe
Command switches used :: c:\documents and settings\Steph\Desktop\CFScript.txt
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\MSIVXmtutrqpoaqboucvtmnkcvjlfgsrpjelf.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXthbdiakkyxggutowypkdixmqpxwvgokx.dll
c:\windows\system32\MSIVXtletmpqjygvionvuumhdhlmaddlkyvkm.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


(((((((((((((((((((((((((   Files Created from 2009-05-25 to 2009-06-25  )))))))))))))))))))))))))))))))
.

2009-06-25 05:58 . 2009-06-25 05:58   --------   d-----w-   c:\program files\Alwil Software
2009-06-25 05:05 . 2009-06-25 05:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 00:08 . 2009-06-25 00:08   --------   d-----w-   c:\documents and settings\Steph\Application Data\Apple Computer
2009-06-24 20:09 . 2009-06-25 04:54   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\Pando
2009-06-24 20:07 . 2009-06-24 20:07   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\{3F26CA59-9AB0-47A4-9AAE-A33D10F008C9}
2009-06-23 03:26 . 2009-06-23 03:25   286720   ----a-w-   c:\windows\iun506.exe
2009-06-23 02:10 . 2009-06-23 02:10   --------   d--h--w-   c:\windows\PIF
2009-06-23 00:52 . 2009-06-23 00:54   --------   d-----w-   c:\documents and settings\Steph\Application Data\Aveyond I
2009-06-23 00:43 . 2009-06-23 00:43   --------   d-----w-   c:\documents and settings\Steph\Application Data\Aveyond II
2009-06-23 00:42 . 2009-06-23 00:42   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\Adobe
2009-06-22 06:16 . 2006-05-22 18:32   225280   ----a-w-   c:\windows\system32\cpwsave.exe
2009-06-22 06:16 . 2006-04-27 04:32   49152   ----a-w-   c:\windows\system32\uninscpw.exe
2009-06-22 06:13 . 2009-06-22 06:25   --------   d-----w-   c:\program files\CutePDF Pro
2009-06-21 04:57 . 2009-06-21 04:57   --------   d-----w-   c:\documents and settings\Master\Local Settings\Application Data\CutePDF Writer
2009-06-20 10:30 . 2009-06-22 23:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sprouts Adventure
2009-06-20 09:28 . 2009-06-20 09:28   152576   ----a-w-   c:\documents and settings\Steph\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-20 06:58 . 2009-06-20 06:58   --------   d-----w-   c:\windows\Supermarket Management
2009-06-19 00:46 . 2009-06-19 00:46   --------   d-----w-   c:\program files\Common Files\DivX Shared
2009-06-19 00:46 . 2009-06-19 00:46   --------   d-----w-   c:\program files\DivX
2009-06-18 20:01 . 2009-06-18 20:01   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\CustomStamp
2009-06-18 19:39 . 2009-06-18 20:01   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\CutePDF_Pro
2009-06-18 19:39 . 2009-06-18 19:39   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\CutePDF
2009-06-17 10:35 . 2009-06-17 10:35   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\Plan It Green Files
2009-06-17 06:59 . 2009-06-17 06:59   --------   d-----w-   c:\documents and settings\Steph\Local Settings\Application Data\Opera
2009-06-13 20:48 . 2009-06-13 20:48   --------   d-----w-   c:\documents and settings\Master\Local Settings\Application Data\Apple Computer
2009-06-05 12:28 . 2009-06-05 12:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Reflexive
2009-06-02 08:57 . 2009-06-02 08:57   --------   d-----w-   c:\documents and settings\Steph\Application Data\funkitron
2009-05-28 01:02 . 2009-06-06 09:58   --------   d-----w-   c:\program files\Yahoo SiteBuilder
2009-05-27 06:40 . 2009-05-27 06:40   --------   d-----w-   c:\documents and settings\Steph\.thumbnails
2009-05-27 06:40 . 2009-05-27 06:41   --------   d-----w-   c:\documents and settings\Steph\.gimp-2.6
2009-05-27 06:40 . 2009-05-27 06:40   --------   d-----w-   c:\documents and settings\Steph\.gegl-0.0

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 08:00 . 2009-01-17 01:23   --------   d-----w-   c:\program files\a-squared Free
2009-06-25 05:05 . 2009-01-16 06:50   --------   d-----w-   c:\documents and settings\Steph\Application Data\GetRight
2009-06-23 23:27 . 2009-01-23 02:21   1   ----a-w-   c:\documents and settings\Steph\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-23 22:13 . 2009-02-23 21:22   16   ----a-w-   c:\windows\popcinfo.dat
2009-06-23 08:41 . 2009-04-08 12:59   --------   d-----w-   c:\documents and settings\Steph\Application Data\FileZilla
2009-06-22 06:22 . 2009-01-16 04:22   --------   d-----w-   c:\program files\Common Files\Adobe
2009-06-22 06:11 . 2009-01-16 22:10   --------   d-----w-   c:\program files\Acro Software
2009-06-20 09:29 . 2009-01-16 08:12   --------   d-----w-   c:\program files\Java
2009-06-17 07:27 . 2009-01-20 05:36   --------   d-----w-   c:\program files\Yahoo!
2009-06-04 21:58 . 2009-01-20 09:46   --------   d-----w-   c:\documents and settings\Steph\Application Data\PlayFirst
2009-06-04 21:58 . 2009-01-20 09:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\PlayFirst
2009-05-28 14:12 . 2009-02-23 01:19   --------   d-----w-   c:\documents and settings\Master\Application Data\gtk-2.0
2009-05-28 05:45 . 2009-03-25 05:39   --------   d-----w-   c:\documents and settings\Steph\Application Data\Alien Skin
2009-05-24 04:52 . 2009-05-24 04:52   360   ----a-w-   C:\drmHeader.bin
2009-05-12 00:58 . 2009-05-12 00:58   --------   d-----w-   c:\documents and settings\Steph\Application Data\XemiComputers
2009-05-09 18:45 . 2009-05-09 18:03   27237228   ----a-w-   c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\GameDB\F2047T1L1\setup_gF2047T1L1_d518949303_l1_s1.exe
2009-05-09 18:28 . 2009-05-09 18:28   --------   d-----w-   c:\program files\IncrediGames
2009-05-09 18:28 . 2009-05-09 18:28   --------   d-----w-   c:\program files\Common Files\Oberon Media
2009-05-09 18:28 . 2009-01-20 10:11   --------   d-----w-   c:\program files\Oberon Media
2009-05-09 18:01 . 2009-05-09 18:01   --------   d-----w-   c:\program files\bfgclient
2009-05-09 18:01 . 2009-05-09 18:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-05-09 18:01 . 2009-05-09 18:00   2081496   ----a-w-   c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2009-05-02 05:49 . 2009-01-16 10:45   --------   d-----w-   c:\program files\IncrediMail
2009-05-01 21:02 . 2009-05-01 21:02   90112   ----a-w-   c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02   823296   ----a-w-   c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02   823296   ----a-w-   c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02   815104   ----a-w-   c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02   811008   ----a-w-   c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02   802816   ----a-w-   c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02   685056   ----a-w-   c:\windows\system32\DivX.dll
2009-04-21 22:39 . 2009-01-17 10:56   280856   ----a-w-   c:\documents and settings\Steph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 20:51 . 2009-04-23 08:50   294912   ----a-w-   c:\windows\system32\TubeFinder.exe
2009-04-20 17:36 . 2009-04-20 17:36   128   ----a-w-   c:\documents and settings\Steph\Local Settings\Application Data\fusioncache.dat
2009-04-07 11:07 . 2009-04-07 11:07   251307   ----a-w-   c:\windows\CoffeeCup Visual Site Designer Uninstaller.exe
2009-04-07 10:54 . 2009-04-07 10:55   107512   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{14CB663A-F40C-4F6F-981D-21A6392B1192}\setup.exe
2009-04-07 10:54 . 2009-04-07 10:55   155648   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{14CB663A-F40C-4F6F-981D-21A6392B1192}\_setup.dll
2009-04-07 10:48 . 2009-04-07 10:49   107512   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{239AB56F-C2CB-4DF5-B935-7D739623D56F}\setup.exe
2009-04-07 10:48 . 2009-04-07 10:49   155648   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{239AB56F-C2CB-4DF5-B935-7D739623D56F}\_setup.dll
2009-04-07 10:47 . 2009-04-07 10:47   155648   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{8BA676DE-6239-4D76-941A-C7B9A1501735}\_setup.dll
2009-04-07 10:47 . 2009-04-07 10:47   107512   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{8BA676DE-6239-4D76-941A-C7B9A1501735}\setup.exe
2009-04-07 09:29 . 2009-04-07 09:29   107512   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{184D95BE-B66A-4534-97E6-4C6A44032C6E}\setup.exe
2009-04-07 09:29 . 2009-04-07 09:29   155648   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{184D95BE-B66A-4534-97E6-4C6A44032C6E}\_setup.dll
2009-04-07 09:13 . 2009-04-07 09:14   107512   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{CB4AF7DA-CE59-41A9-93A6-DA921F809361}\setup.exe
2009-04-07 09:13 . 2009-04-07 09:14   155648   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{CB4AF7DA-CE59-41A9-93A6-DA921F809361}\_setup.dll
2009-04-07 08:44 . 2009-04-07 08:45   107512   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{B4572608-DFF7-4E77-A8DD-D814DB87787A}\setup.exe
2009-04-07 08:44 . 2009-04-07 08:45   155648   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{B4572608-DFF7-4E77-A8DD-D814DB87787A}\_setup.dll
2009-04-07 08:24 . 2009-04-07 08:25   107512   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{EC90EAE9-0E03-44A1-BF36-0B670B8B8E19}\setup.exe
2009-04-07 08:24 . 2009-04-07 08:25   155648   ----a-w-   c:\documents and settings\Steph\Application Data\InstallShield Installation Information\{EC90EAE9-0E03-44A1-BF36-0B670B8B8E19}\_setup.dll
2009-04-06 07:15 . 2009-04-06 07:15   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2002-08-01 01:55 . 2007-06-23 17:50   1683   --sh--w-   c:\windows\WSYS049.SYS
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-05-27 1573104]
"Google Update"="c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-25 133104]
"Active Desktop Calendar"="e:\stephanie\Misc. Files\Programs Installed\Active Desktop Calendar\ADC.exe" [2009-04-10 4491776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-31 1953792]
"Airlink101 Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-11-30 1949696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"LogonStudio"="e:\stephanie\Misc. Files\Programs Installed\LogonStudio\logonstudio.exe" [2002-09-04 987187]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-26 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-26 1657376]

c:\documents and settings\Steph\Start Menu\Programs\Startup\
CoffeeCup Popup Blocker.lnk - e:\stephanie\Misc. Files\Programs Installed\CoffeeCup PopUp Blocker\PopupBlocker.exe [2009-4-7 1015296]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{9944aa9e-362d-11d3-81ab-00c04fb932ba}\1960F8A9.exe [2009-3-26 29184]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2009-3-15 13357056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LegacyDrive"= ffd6ed003402489c9867a51e8782e2fd67ac4281309210d72be68665f954ec5bd8b8048b228ea67a16a9a8b7db28006bc2a72d32ccb2d2296c7fa
5488edc87f3d766f4cb2ffc9eca7d73558fdbb18b2af60822d4ec8ba85382d9d3d23f2794d2bb85498569633478b5532c754f1092a8c6c08700587
65cd808fb4ad7f2ce6415dc69c97f0dc61e7c62223cd09e0125c102723d791d94b7ace6d2594d7b088a34977d0c4fa95e61a2f2fa710a2e258b2cb
fd2a7ac07e5ee9f16427c42852a64eca1c7f441cc053ba921a4c900578bb68fe860e53c72558afd5d45ea93beff62747be1ab09b0aaec5c195289b1
8512798a3785d1b755811772baca162da6ee308fb46df5b90d1df3cddccdd0b1012997100add50a25ffed3aebca5ddcde5dd64f095bf28a4b7db8b
95d8daa251dd628c4ff13a03ed30c2af3044ed36c450b652448ffdb8a4f66db118bcf7c1271a7f86014fd5e212e8e65cd73e34c4f14083167873d5a
191369969434b20c98693505d9d199c1ea65233cf70a378998c24b3f2a7dfa406c216eda2c9b3493a3be845b8ae09b43036e7f712cfa27ca3fbbe85
aeab792b76635ca2f09a11be2f5f74b62043ec287772fc5ee92315d09c33afeadc0c970f0fcc8bddeba304b3e67d53ed70eee2ef7e5b1a0e10229472
a74b8886dba5dca958b845ca27fbae352e47ddacfb8c54babdc275449323ea610a98446be071e2560e5815410688814b3a3ac7a8dd6060f4ed96cc
I CUT THIS OFF - IT'S INSANELY LONG!!

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-01-17 09:46   184320   ----a-w-   e:\stephanie\Misc. Files\Programs Installed\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="e:\stepha~1\MISC~1.FIL\PROGRA~1\YAHOOM~1\MESSEN~1\YAHOOM~1.EXE" -quiet
"Google Update"="c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"e:\\Stephanie\\Misc. Files\\Programs Installed\\Yahoo Messenger\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImPackr.exe"=
"e:\\Stephanie\\Misc. Files\\Programs Installed\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImSc.exe"=

R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [3/15/2009 11:25 PM 54432]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [11/16/2007 11:56 AM 550272]
.
Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1604221776-839522115-1004.job
- c:\documents and settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-25 20:59]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/app/?tag=page_app_welcome&lang=9&version=5863924&setup_id=7&aff_id=102&addon=IncrediMail
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 02:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1604221776-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:bf,23,18,37,21,63,11,5f,14,a3,91,c7,b5,3d,82,b9,cc,39,c7,fa,d8,
   ba,d9,1b,f0,ff,c2,e2,3b,93,f1,b5,13,7e,4f,aa,42,ce,bc,f8,89,53,e0,86,67,67,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3782D402-1413-2B4D-D5B93EB7648B29D4}\{9536055C-1E13-65AB-BABDBD84391B7DD3}\{70487E18-04C4-4686-6F59FE851A688CA9}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
   5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{62B9DDBB-52F0-AEDA-13C9CB9FD8297A44}\{829B01D7-8AAE-A7FF-AA7986A64CC9B9E2}\{E296BA6F-1F6D-20AF-CDC0E27325509C67}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
   5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7DD3F40A-D355-6812-5F38C6DF25C81416}\{ABD6C561-23A4-DB1A-8071BFAD90F4BBA7}\{44979372-8107-77C6-62A4A40E954B2869}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
   5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B7C188CC-C656-22D1-E21234AD513F53A3}\{781F7726-F470-BDBE-E3632254F9ABE08C}\{D5A0EB3A-C033-B7E9-DCA15AB75FD5AB8C}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
   5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
e:\stephanie\Misc. Files\Programs Installed\WindowBlinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-06-25  2:31
ComboFix-quarantined-files.txt  2009-06-25 08:31

Pre-Run: 137,348,808,704 bytes free
Post-Run: 137,381,191,680 bytes free

216


And now for HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:18 PM, on 6/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
E:\Stephanie\Misc. Files\Programs Installed\Active Desktop Calendar\ADC.exe
C:\Documents and Settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.incredimail.com/app/?tag=page_app_welcome&lang=9&version=5863924&setup_id=7&aff_id=102&addon=IncrediMail
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CoffeeCup Software Popup Blocker - {49E0E0F0-5C30-11D4-945D-010002000012} - E:\STEPHA~1\MISC~1.FIL\PROGRA~1\CO7B64~1\CCPOPB~1.DLL
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\CutePDF Pro\CPFillerCo.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [LogonStudio] "E:\Stephanie\Misc. Files\Programs Installed\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Stephanie\Misc. Files\Programs Installed\Active Desktop Calendar\ADC.exe
O4 - Startup: CoffeeCup Popup Blocker.lnk = E:\Stephanie\Misc. Files\Programs Installed\CoffeeCup PopUp Blocker\PopupBlocker.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7008 bytes


Although the files are currently contained, I'd like them totally off my system, so no one accidentally restores them.
But I won't do anything to them until I hear back from you. I can say that at this time, I am back to Googling normally
(sounds funny). But I want to be very sure I'm clean and then I'm going to reinstall my antivirus programs and firewall.
« Last Edit: June 25, 2009, 12:25:39 PM by steph7809 »
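The O4, O20 and O23 lines in the log above are the ones a log reviewer reads first: autostart entries, DLLs injected through AppInit_DLLs, and services with no recorded publisher. The following script is an added example, not part of this thread and not HijackThis code; it parses those three line shapes exactly as they appear in the posted log (five of the lines are copied in as constructed sample input) and attaches review flags. The flag rules are the example's own heuristics, and a flag means "verify this entry", not "this is malware".

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of this thread or of HijackThis itself.  It parses the
O4 / O20 / O23 line formats exactly as they appear in the log posted above and
flags the entries a log reviewer looks at first.  The flagging rules are the
example's own heuristics: a flag means "verify this", not "this is malware".
"""
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    section: str               # "O4", "O20", "O23"
    kind: str                  # e.g. "HKCU\..\Run", "Global Startup", "Service"
    name: str                  # run-key name, .lnk name or service name
    path: str                  # binary path with quotes and arguments stripped
    vendor: str = ""           # O23 only: publisher column
    flags: list = field(default_factory=list)


# Five lines copied from the log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steph\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# One pattern per line shape; tried in order, so the bracketed O4 form wins
# over the "name = target" O4 form.
_PATTERNS = (
    re.compile(r'^O4 - (?P<kind>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$'),
    re.compile(r'^O4 - (?P<kind>[^:]+): (?P<name>.+?) = (?P<path>.*)$'),
    re.compile(r'^O20 - (?P<kind>AppInit_DLLs): (?P<path>.*)$'),
    re.compile(r'^O23 - (?P<kind>Service): (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$'),
)


def exe_path(raw):
    """Strip surrounding quotes and trailing arguments, leaving only the binary's path."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:raw.find('"', 1)]
    m = re.match(r'(.*?\.(?:exe|dll|lnk|cpl|scr))(?:\s|$)', raw, re.I)
    return m.group(1) if m else raw


def parse_line(line):
    """Return an Entry for a recognised HJT line, or None for anything else."""
    for rx in _PATTERNS:
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return Entry(line.split(" ", 1)[0], d["kind"], d.get("name", ""),
                         exe_path(d["path"]), d.get("vendor", ""))
    return None


def triage(entry):
    """Attach review flags; an empty flag list means nothing stood out."""
    p = entry.path.lower()
    if entry.path == "?":
        entry.flags.append("target not resolved; open the .lnk and read its target by hand")
    if entry.kind == "AppInit_DLLs":
        entry.flags.append("AppInit_DLLs is loaded into every process that uses user32.dll; confirm the DLL's publisher and signature")
    if entry.vendor.lower() == "unknown owner":
        entry.flags.append("service binary has no recorded publisher; check its digital signature")
    if "\\documents and settings\\" in p or "\\users\\" in p or "\\temp\\" in p:
        entry.flags.append("runs from a user-writable profile directory (normal for updaters, also favoured by malware)")
    return entry


def triage_log(text):
    """Parse every recognised line in an HJT log and triage it."""
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return [triage(e) for e in entries if e is not None]


def flagged_names(text):
    """Names (or paths, for nameless O20 lines) of the entries that carry flags."""
    return [e.name or e.path for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:<4}{e.name or e.path}")
        for f in e.flags:
            print(f"      ! {f}")
```

Run against the sample, four of the five entries get a flag and the NVIDIA display service gets none; that is the intended reading of the output, a short list of things to look up by hand (publisher, signature, the real target of a .lnk), not a verdict. Feed it a whole log by replacing SAMPLE_LOG with the file contents.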

steph7809
Re: searchtracker.net - Trouble Removing
« Reply #3 on: June 25, 2009, 12:29:42 PM »
Quick side question:

2009-04-21 20:51 . 2009-04-23 08:50   294912   ----a-w-   c:\windows\system32\TubeFinder.exe

Is this dangerous? I know it was placed there by my FLV converter program, which I had to download in order to convert my SonyCam videos of home/family movies at special events to be viewable on my desktop and allow me to burn/save them to DVD for my home movies collection. But when I was researching it, I saw that it could be the target of malware or manipulation. Should I have it on my system or remove it and find a safer way to convert my FLV files?

Mister2 (Technical Staff Lead, Global Moderator)
Re: searchtracker.net - Trouble Removing
« Reply #4 on: June 26, 2009, 04:53:23 AM »
Hi again,

Great news that you can now run HJT!
I don't believe TubeFinder.exe is dangerous in itself but I have seen this file offered on dubious sites that may use the same name but contain malicious software.  You could check it out by uploading the file here - http://www.virustotal.com/ - to get it scanned automatically.

However, the important point I need to make is that you need to post your HJT log in this forum - http://spywarehammer.com/simplemachinesforum/index.php?board=10.0
We only allow our highly trained staff to work on logs (I'm not trained in that area) and they will also guide you through dealing with your ComboFix log. 

On that basis, please
- Read this post - http://spywarehammer.com/simplemachinesforum/index.php?topic=88.0
- Post your log together with a link to this thread:
http://spywarehammer.com/simplemachinesforum/index.php?topic=3922.0
- Wait until someone comes along to advise you

We use this system to make sure everyone receives the highest level of assistance and to prevent unauthorised advice from misleading you.

Well done for getting this far on your own (not an easy task!) and good luck! :)
Never stop learning - visit the SpywareHammer Knowledgebase
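The advice above is to upload TubeFinder.exe to VirusTotal. A practitioner would normally hash the file first and look the hash up, because a known hash answers the question without publishing the file, and only upload if the hash is unknown. The script below is an added example, not part of this thread and not VirusTotal's own code. The API v3 endpoint and the x-apikey header are assumed from the current VirusTotal documentation (this 2009 thread predates them); the VT_API_KEY environment variable name is the example's own choice. Without a key it still prints the hashes and the report URL to paste into a forum post.

```python
"""Hash a suspect file and check VirusTotal by hash before uploading it.

Added example, not part of this thread.  Looking the hash up first tells you
whether the file is already known, and avoids publishing a file to VirusTotal
if it should not be shared.  The API v3 endpoint and the x-apikey header are
assumed from the current VirusTotal documentation (the 2009 thread predates
them); the VT_API_KEY environment variable name is this example's own choice.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request


def hash_chunks(chunks):
    """Compute MD5, SHA-1 and SHA-256 in one pass over an iterable of byte chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for block in chunks:
        md5.update(block)
        sha1.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def file_hashes(path, chunk_size=1 << 20):
    """Stream a file from disk so large binaries are not read into memory at once."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""))


def vt_report_url(sha256):
    """Web page for a known sample; useful to paste into a forum post."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def vt_lookup(sha256, api_key):
    """Query VirusTotal by hash.  Returns {'known': False} if the file was never seen."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            stats = json.load(resp)["data"]["attributes"]["last_analysis_stats"]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"known": False}
        raise
    return {"known": True, "malicious": stats.get("malicious", 0), "engines": sum(stats.values())}


if __name__ == "__main__":
    # usage: python vt_check.py C:\WINDOWS\system32\TubeFinder.exe
    hashes = file_hashes(sys.argv[1])
    print(json.dumps(hashes, indent=2))
    print("report:", vt_report_url(hashes["sha256"]))
    key = os.environ.get("VT_API_KEY")
    if key:
        print(vt_lookup(hashes["sha256"], key))
    else:
        print("VT_API_KEY not set; open the report URL and upload only if the hash is unknown")
```

A file with the same name as a legitimate tool but a different hash is exactly the case Mister2 describes, so compare the hash, not the filename, and keep the SHA-256 rather than only the MD5 when recording a sample.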

steph7809
Re: searchtracker.net - Trouble Removing
« Reply #5 on: June 26, 2009, 02:56:58 PM »
Thank you so very much for your assistance (even if you aren't trained to help me) ;)

I've fully isolated the rootkit, removed it and have protected my PC properly now with much reading through this forum and other forums that are being flooded with this same issue. It would appear as though I downloaded a bad codec and without realizing it, it infected me. Serves me right for breaking the rules. LOL So now I've got SUPERAntispyware, SpywareGuard, SpywareBlaster, NoScript, CCleaner, Armor Firewall (hardware firewall), and AVG all running to help ensure I do not encounter this problem again. I owe this forum and its staffers a big THANK YOU! :D If I could hug you all, I would. LOL You can close this topic as resolved now!

Mister2 (Technical Staff Lead, Global Moderator)
Re: searchtracker.net - Trouble Removing
« Reply #6 on: June 27, 2009, 02:45:29 AM »
You're most welcome :)
Glad you got it sorted!

Just a point to bear in mind for the future.  You are running 2 anti-spyware apps (SuperAntiSpyware and SpywareGuard).  If you notice any unusual behaviour such as slowdowns, conflicts or errors then try disabling the real-time scanner in one of those apps.  It seems others are using that combination quite happily, but the general rule is to run one AV and one anti-spyware in real-time.

Having said that, if it works for you then carry on!

Happy computing! ;D