Google redirect problem

platypus

New Member
Hello,

I've had some interesting developments.

Earlier today Spyware Doctor ran a scan and found a couple of infections. I'm not sure if it was the rootkit we were looking for and it didn't immediately stop the redirects. I tried to find a log but couldn't. A few of the registry values it caught were located at the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\.....

Anyway, after that I ran RootkitBuster and it came up clean. The log is at the bottom.

After that I cleaned out Spyware Doctor's quarantine files and restarted the computer and the redirects seem to have stopped. Granted it hasn't been that long but I'm keeping my fingers crossed. Is there anything else I should do? I'll keep you posted over the next day or so with my computer's status.

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.
 

johnb35

Administrator
Staff member
It seems everything is ok. Catchme was a false positive as that was part of the programs we used. Just keep me posted.
 

platypus

New Member
Hmm, so far the redirects are still gone but I'm still getting the occasional new random tab and the General Host Process Win 32 error.
 

platypus

New Member
As far as I know everything is up to date. I tried to check by connecting to Windows Update but it wouldn't load the web page. I also tried downloading the specific update that you sent and it said the Service Pack version I already have is newer.
 

platypus

New Member
Hello,

I ran TDSSKiller but unfortunately forgot to get the log before closing it. I did write down (as I obsessively do with everything) the malicious file it picked up. It was called "Rootkit.Win32.TDSS.tdl4" and underneath it said "MBR Name: \HardDisk0\MBR".

Anyway, removing it seemed to do the trick! My computer thus far is entirely symptom free!

Incidentally, after TDSSKiller did its thing, Prevx decided to finally run, but it didn't pick up anything.

I can't thank you enough for all of your help! I'll keep you posted with my computer's status over the next couple of days. If there is anything else you think I should do, please let me know.

Again, thank you!
 

johnb35

Administrator
Staff member
Rerun ComboFix and post its log; let's make sure it doesn't report an MBR infection.

Download the latest version if you would please.
 

platypus

New Member
Here is the new ComboFix log:

ComboFix 10-10-26.01 - MegaeraJ 10/26/2010 22:41:43.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.595 [GMT -4:00]
Running from: C:\Documents and Settings\MegaeraJ\Desktop\ComboFix.exe
.
/wow section - STAGE 3

/wow section - STAGE 8
The system cannot execute the specified program.

/wow section - STAGE 27


((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-25 01:38:28 . 2010-10-25 01:38:28 161296 ----a-w- C:\WINDOWS\system32\drivers\tmcomm.sys
2010-10-24 19:05:46 . 2010-10-24 19:05:46 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-10-23 21:30:54 . 2010-10-23 21:30:54 70192 ----a-w- C:\WINDOWS\system32\PxSecure.dll
2010-10-23 21:30:53 . 2010-10-23 21:30:53 30320 ----a-w- C:\WINDOWS\system32\drivers\pxscan.sys
2010-10-23 21:30:51 . 2010-10-23 21:30:51 24400 ----a-w- C:\WINDOWS\system32\drivers\pxkbf.sys
2010-10-23 12:46:32 . 2010-10-23 20:51:57 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-23 02:53:51 . 2010-10-23 02:53:51 74752 ----a-w- C:\WINDOWS\system32\drivers\pxrts.sys
2010-10-23 02:53:49 . 2010-10-23 02:53:49 -------- d-----w- C:\Program Files\Prevx
2010-10-23 02:53:34 . 2010-10-26 23:24:58 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2010-10-22 22:32:21 . 2010-10-22 22:32:24 -------- d-----w- C:\Program Files\CCleaner
2010-10-22 04:19:29 . 2010-10-22 04:19:29 -------- d-----w- C:\Documents and Settings\MegaeraJ\Application Data\SUPERAntiSpyware.com
2010-10-22 04:19:29 . 2010-10-22 04:19:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-22 04:19:18 . 2010-10-22 04:19:35 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-10-21 19:06:09 . 2010-10-21 19:06:09 -------- d-s---w- C:\Documents and Settings\NetworkService\UserData
2010-10-21 04:51:53 . 2010-10-21 04:51:53 -------- d-----w- C:\Documents and Settings\LocalService\Application Data\McAfee
2010-10-20 22:48:13 . 2010-10-20 22:48:13 388096 ----a-r- C:\Documents and Settings\MegaeraJ\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-20 22:48:11 . 2010-10-20 22:48:11 -------- d-----w- C:\Program Files\Trend Micro
2010-10-20 21:53:30 . 2010-10-20 21:53:32 12872 ----a-w- C:\WINDOWS\system32\bootdelete.exe
2010-10-20 21:36:08 . 2010-10-20 21:36:08 16968 ----a-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2010-10-20 21:36:05 . 2010-10-20 21:36:05 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2010-10-20 21:35:28 . 2010-10-20 21:53:16 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2010-10-14 01:54:47 . 2010-09-18 06:53:25 974848 -c----w- C:\WINDOWS\system32\dllcache\mfc42.dll
2010-10-14 01:54:47 . 2010-09-18 06:53:25 953856 -c----w- C:\WINDOWS\system32\dllcache\mfc40u.dll
2010-10-14 01:54:28 . 2010-08-23 16:12:04 617472 -c----w- C:\WINDOWS\system32\dllcache\comctl32.dll
2010-10-11 03:54:55 . 2010-10-11 03:54:55 -------- d-----w- C:\Program Files\Common Files\Java
2010-10-11 03:54:39 . 2010-07-17 09:00:04 423656 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2010-10-11 03:54:39 . 2010-07-17 09:00:04 423656 ----a-w- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-11 03:45:45 . 2010-10-11 03:45:45 -------- d-----w- C:\Documents and Settings\All Users\Application Data\McAfee
2010-10-11 03:42:34 . 2010-10-21 01:18:47 16856 ----a-w- C:\Program Files\Mozilla Firefox\plugin-container.exe
2010-10-11 03:42:30 . 2010-10-21 01:18:45 719832 ----a-w- C:\Program Files\Mozilla Firefox\mozcpp19.dll
2010-10-05 04:43:25 . 2010-04-29 19:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-10-05 04:43:23 . 2010-04-29 19:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-25 00:39:58 . 2009-03-11 22:08:03 89680 ----a-w- C:\Documents and Settings\Megae\MSSSerif120.fon
2010-09-18 16:23:26 . 2004-08-12 13:59:44 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll
2010-09-18 06:53:25 . 2004-08-12 13:59:44 974848 ----a-w- C:\WINDOWS\system32\mfc42.dll
2010-09-18 06:53:25 . 2004-08-12 13:59:43 954368 ----a-w- C:\WINDOWS\system32\mfc40.dll
2010-09-18 06:53:25 . 2004-08-12 13:59:43 953856 ----a-w- C:\WINDOWS\system32\mfc40u.dll
2010-09-09 14:16:31 . 2004-08-12 14:09:30 667136 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-09-09 14:16:30 . 2004-08-12 14:07:11 61952 ----a-w- C:\WINDOWS\system32\tdc.ocx
2010-09-09 14:16:29 . 2004-08-12 13:58:00 81920 ----a-w- C:\WINDOWS\system32\ieencode.dll
2010-09-08 16:49:49 . 2004-08-12 13:57:51 369664 ----a-w- C:\WINDOWS\system32\html.iec
2010-09-08 15:17:46 . 2010-09-08 15:17:46 94208 ----a-w- C:\WINDOWS\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 . 2010-09-08 15:17:46 69632 ----a-w- C:\WINDOWS\system32\QuickTime.qts
2010-09-01 11:51:14 . 2004-08-12 13:55:52 285824 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-08-31 13:42:52 . 2004-08-12 14:09:18 1852800 ----a-w- C:\WINDOWS\system32\win32k.sys
2010-08-27 08:02:29 . 2004-08-12 14:07:02 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2010-08-27 05:57:43 . 2004-08-12 14:06:30 99840 ----a-w- C:\WINDOWS\system32\srvsvc.dll
2010-08-26 13:39:50 . 2004-08-12 14:06:30 357248 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2010-08-26 12:52:45 . 2009-04-16 00:21:18 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
2010-08-23 16:12:04 . 2004-08-12 13:56:07 617472 ----a-w- C:\WINDOWS\system32\comctl32.dll
2010-08-17 13:17:06 . 2004-08-12 14:06:19 58880 ----a-w- C:\WINDOWS\system32\spoolsv.exe
2010-08-16 08:45:00 . 2004-08-12 14:04:26 590848 ----a-w- C:\WINDOWS\system32\rpcrt4.dll
2010-08-05 22:32:46 . 2010-08-05 22:32:46 967 ----a-w- C:\WINDOWS\ScUnin.pif
2010-08-05 22:32:46 . 2010-08-05 22:32:46 68096 ----a-w- C:\WINDOWS\ScUnin.exe
2010-04-15 22:30:03 . 2010-04-15 22:23:12 940197287 ----a-w- C:\Program Files\FEZsetup_2010-04-01.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-10-21_06.27.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-25 00:26:06 . 2010-10-25 00:26:06 16384 C:\WINDOWS\Temp\Perflib_Perfdata_f4.dat
+ 2010-10-27 01:15:32 . 2010-10-27 01:15:32 16384 C:\WINDOWS\Temp\Perflib_Perfdata_768.dat
+ 2010-10-26 04:58:00 . 2010-10-26 04:58:00 16384 C:\WINDOWS\Temp\Perflib_Perfdata_6d0.dat
+ 2008-07-22 04:56:56 . 2010-10-24 07:19:52 46685 C:\WINDOWS\system32\nvModes.dat
- 2008-07-22 04:56:56 . 2010-10-16 22:26:04 46685 C:\WINDOWS\system32\nvModes.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 20:07:20 2260480]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 14:04:57 2424560]
 

platypus

New Member
Strange, that was all it gave me. I ran another scan and got a more complete looking log.

ComboFix 10-10-26.04 - MegaeraJ 10/27/2010 18:26:13.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.705 [GMT -4:00]
Running from: c:\documents and settings\MegaeraJ\Desktop\ComboFix.exe
.
/wow section - STAGE 10

/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MegaeraJ\LOCALS~1\Temp\FE.tmp
c:\documents and settings\MegaeraJ\Local Settings\temp\FE.tmp

.
((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-25 01:38 . 2010-10-25 01:38 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-24 19:05 . 2010-10-24 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-10-23 21:30 . 2010-10-23 21:30 70192 ----a-w- c:\windows\system32\PxSecure.dll
2010-10-23 21:30 . 2010-10-23 21:30 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-10-23 21:30 . 2010-10-23 21:30 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-10-23 12:46 . 2010-10-23 20:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-23 02:53 . 2010-10-23 02:53 74752 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-10-23 02:53 . 2010-10-23 02:53 -------- d-----w- c:\program files\Prevx
2010-10-23 02:53 . 2010-10-26 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-10-22 22:32 . 2010-10-22 22:32 -------- d-----w- c:\program files\CCleaner
2010-10-22 04:19 . 2010-10-22 04:19 -------- d-----w- c:\documents and settings\MegaeraJ\Application Data\SUPERAntiSpyware.com
2010-10-22 04:19 . 2010-10-22 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-22 04:19 . 2010-10-22 04:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-21 19:06 . 2010-10-21 19:06 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-10-21 04:51 . 2010-10-21 04:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-10-20 22:48 . 2010-10-20 22:48 388096 ----a-r- c:\documents and settings\MegaeraJ\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-20 22:48 . 2010-10-20 22:48 -------- d-----w- c:\program files\Trend Micro
2010-10-20 21:53 . 2010-10-20 21:53 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-10-20 21:36 . 2010-10-20 21:36 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-20 21:36 . 2010-10-20 21:36 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-20 21:35 . 2010-10-20 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-14 01:54 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:54 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:54 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-11 03:54 . 2010-10-11 03:54 -------- d-----w- c:\program files\Common Files\Java
2010-10-11 03:54 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-11 03:54 . 2010-07-17 09:00 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-11 03:45 . 2010-10-11 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-10-11 03:42 . 2010-10-21 01:18 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-10-11 03:42 . 2010-10-21 01:18 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-10-05 04:43 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-05 04:43 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-25 00:39 . 2009-03-11 22:08 89680 ----a-w- c:\documents and settings\Megae\MSSSerif120.fon
2010-09-18 16:23 . 2004-08-12 13:59 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-12 13:59 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-12 13:59 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-12 13:59 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16 . 2004-08-12 14:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2004-08-12 14:07 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16 . 2004-08-12 13:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49 . 2004-08-12 13:57 369664 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2004-08-12 13:55 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-12 14:09 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-12 14:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-12 14:06 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-12 14:06 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 00:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-12 13:56 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-12 14:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-12 14:04 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-05 22:32 . 2010-08-05 22:32 967 ----a-w- c:\windows\ScUnin.pif
2010-08-05 22:32 . 2010-08-05 22:32 68096 ----a-w- c:\windows\ScUnin.exe
2010-04-15 22:30 . 2010-04-15 22:23 940197287 ----a-w- c:\program files\FEZsetup_2010-04-01.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"nwiz"="nwiz.exe" [2006-05-01 1519616]
"NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-27 1287120]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-8-1 140848]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 20:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-19 07:36 133104 ----atw- c:\documents and settings\MegaeraJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Softimage\\XSI_5.11\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Prevx\\prevx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"57605:TCP"= 57605:TCP:pando Media Booster
"57605:UDP"= 57605:UDP:pando Media Booster
"1053:TCP"= 1053:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/13/2009 9:57 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/4/2010 1:28 PM 218592]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [10/23/2010 5:30 PM 30320]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [10/22/2010 10:53 PM 74752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/12/2004 10:06 AM 14336]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/4/2010 1:30 PM 112592]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [10/22/2010 10:53 PM 6407216]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/4/2010 1:28 PM 366840]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [6/3/2010 1:25 PM 2749736]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [6/3/2010 1:26 PM 113448]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [10/23/2010 5:30 PM 24400]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/3/2010 1:25 PM 15656]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/17/2009 7:26 PM 717296]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:03]

2010-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-583907252-682003330-1004Core.job
- c:\documents and settings\MegaeraJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-19 07:36]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-583907252-682003330-1004UA.job
- c:\documents and settings\MegaeraJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-19 07:36]
.
.
------- Supplementary Scan -------
.
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Free YouTube Download
FF - ProfilePath - c:\documents and settings\MegaeraJ\Application Data\Mozilla\Firefox\Profiles\ll0zv9uq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.deviantart.com/
FF - prefs.js: keyword.URL - hxxp://search.newtabking.com/?t=1&q=
FF - plugin: c:\documents and settings\MegaeraJ\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nppl3260.dll
FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 18:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2716)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\program files\Super_DVD_Creator_9.8\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\Tablet.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Tablet.exe
.
**************************************************************************
.
Completion time: 2010-10-27 18:51:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-27 22:51
ComboFix2.txt 2010-10-24 04:06
ComboFix3.txt 2010-10-22 23:22
ComboFix4.txt 2010-10-21 19:06
ComboFix5.txt 2010-10-27 02:40

Pre-Run: 115,407,699,968 bytes free
Post-Run: 115,378,405,376 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 0FE0476965E85DB25DB6B61136C6F633
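
As an added example (not part of this thread and not ComboFix's own code), here is a small Python triage helper for the `created . modified size attrs path` entries that the "Files Created" and "Find3M" sections above are made of. It parses those lines (both the with-seconds form of the first log and the minute-resolution form of the second) and lists kernel drivers created within a chosen window, which is the check an analyst does by eye when reading a log like this; the sample lines are copied from the logs in this thread.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' entries.

Entry line shape (attrs is an 8-character flag field, size is '--------' for
directories):
    <created> . <modified> <size> <attrs> <path>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Timestamps appear as 'YYYY-MM-DD HH:MM' or 'YYYY-MM-DD HH:MM:SS'.
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
ENTRY_RE = re.compile(
    rf"^(?P<created>{_TS})\s+\.\s+(?P<modified>{_TS})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Sample input: lines copied verbatim from the two ComboFix logs in this thread.
SAMPLE_LOG = r"""
2010-10-25 01:38 . 2010-10-25 01:38 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-24 19:05 . 2010-10-24 19:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-10-23 21:30 . 2010-10-23 21:30 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-10-14 01:54 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-05 04:43 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-25 01:38:28 . 2010-10-25 01:38:28 161296 ----a-w- C:\WINDOWS\system32\drivers\tmcomm.sys
"""


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_driver(self) -> bool:
        # Kernel-mode drivers are the entries that matter most for rootkit triage.
        return not self.is_dir and self.path.lower().endswith(".sys")


def parse_timestamp(text: str) -> datetime:
    """Accept both timestamp forms ComboFix uses."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a file/directory line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(parse_timestamp(m["created"]), parse_timestamp(m["modified"]),
                 size, m["attrs"].lower(), m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def recent_driver_paths(entries: List[Entry], now: str, days: int = 7) -> List[str]:
    """Unique (lower-cased) .sys paths created within `days` before `now`."""
    cutoff = parse_timestamp(now) - timedelta(days=days)
    hits = {e.path.lower() for e in entries if e.is_driver and e.created >= cutoff}
    return sorted(hits)


if __name__ == "__main__":
    for p in recent_driver_paths(parse_log(SAMPLE_LOG), "2010-10-27 18:26"):
        print(p)
```

Every hit still has to be attributed by hand (here all of them belong to the security tools installed during the thread), but the listing turns a 200-line log into the handful of entries worth attributing.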
 

johnb35

Administrator
Staff member
It is not saying there is an MBR infection now, so that's good news.

You said you installed McAfee Security Scan Plus? Technically that's not a stand-alone antivirus program. That tool was made to complement an existing installed antivirus program. I would recommend installing a free antivirus such as AVG, Avira or Avast.

I would say your system is now clean. Just remember to update malwarebytes and run it every few days to keep malware out.
 