Redirect Virus of some sort

Leeron

New Member
What I thought was only affecting Google search results is now (and perhaps always was) affecting other search engines such as Bing and Yahoo, as well as Firefox and Opera and likely the other browsers too. I've also noticed on a few occasions random web pages opening up in both browsers. I believe it all started around yesterday afternoon if that means anything. OS is XP Pro 32 bit.

Things I've done so far:

-ran AVG free once, some trojans were found and deleted. I then uninstalled the program so I could install and run-

-Avira Free, ran three times, trojans found and deleted.

-Spyware Terminator ran three times, I believe trojans were found.

-Hitman Pro 3.5, some trojans were found and deleted.

-Malwarebytes, ran three times, first couple times some viruses were found and deleted, latest scan which I ran earlier today came up with no threats. However the problem still persists.

I have little knowledge on the subject but my guess is the Trojans kept coming back as a result of checking the internet after each of the tests, and then being redirected to the sites.


Here's my Malwarebytes log from earlier today:


Malwarebytes' Anti-Malware 1.36
Database version: 2167
Windows 5.1.2600 Service Pack 2

29/04/2010 2:03:16 PM
mbam-log-2010-04-29 (14-03-16).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 272550
Time elapsed: 51 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-------------------------------------------------------------------------


Here's the Hijack This log from earlier today:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:13:32 PM, on 29/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weatheroffice.ec.gc.ca/city/pages/ns-19_metric_e.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://weatheroffice.ec.gc.ca/city/pages/ns-19_metric_e.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre0.dll (file missing)
O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll (file missing)
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre0.dll (file missing)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O14 - IERESET.INF: START_PAGE_URL=http://weatheroffice.ec.gc.ca/city/pages/ns-19_metric_e.html
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 10263 bytes
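A helper reading the HijackThis log above when the complaint is "redirects in every browser and every search engine" goes to a few entry types first: the O17 lines, which set the system's DNS servers to two external addresses the poster has not mentioned configuring (a changed system resolver affects every browser alike, which matches the symptom); any O20 AppInit_DLLs entry, which loads a DLL into every user-mode process; and R3/O2/O3 hooks whose backing file is marked missing. The Python script below is an added example, not part of this thread or of the HijackThis tool: it parses lines in that log format and flags those categories. The sample lines are copied from the logs posted in this thread, and the severity labels are this example's own convention, not HijackThis output.

```python
"""Triage a HijackThis-style log for entries relevant to search redirects.

Added example (not from the forum thread or from HijackThis). It flags:
  * O17 NameServer lines whose DNS servers are outside private/loopback ranges
  * O20 AppInit_DLLs entries (DLL injected into every GUI process)
  * R3/O2/O3 hooks whose file is reported "(file missing)" or "(no file)"
"""
import ipaddress
import re

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfre0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
HOOK_RE = re.compile(r"^(?P<kind>R3|O2|O3) - (?P<rest>.+)$")

# Severity scale used by this example only.
SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1, "info": 0}


def _is_local_resolver(ip_text):
    """True if the address is a LAN, loopback or link-local resolver (e.g. a home router)."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # unparsable text is treated as external so it gets reviewed
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage_line(line):
    """Return (severity, reason) for one log line, or None if the line is not of interest."""
    line = line.strip()

    m = O17_RE.match(line)
    if m:
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        external = [s for s in servers if not _is_local_resolver(s)]
        if external:
            # External resolvers are not proof of compromise, but they must be
            # compared with what the ISP or router actually hands out.
            return ("high", "O17 DNS servers set to external addresses: " + ", ".join(external))
        return ("info", "O17 DNS servers are local/private: " + ", ".join(servers))

    m = O20_RE.match(line)
    if m:
        return ("medium", "O20 AppInit_DLLs loads into every GUI process: " + m.group("dlls"))

    m = HOOK_RE.match(line)
    if m and ("(file missing)" in line or "(no file)" in line):
        return ("low", m.group("kind") + " entry with no backing file (orphaned hook)")

    return None


def triage_log(text):
    """Return a list of (severity, entry_type, reason) for every flagged line in the log."""
    findings = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            entry_type = line.strip().split(" - ", 1)[0]
            findings.append((result[0], entry_type, result[1]))
    return findings


def highest_severity(findings):
    """Highest severity label among the findings, or 'none' if nothing was flagged."""
    return max((f[0] for f in findings), key=SEVERITY_ORDER.get, default="none")


if __name__ == "__main__":
    for severity, entry_type, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {entry_type}: {reason}")
    print("overall:", highest_severity(triage_log(SAMPLE_LOG)))
```

The private-range check only separates LAN resolvers (a home router at 192.168.x.x, say) from public ones; a public address is flagged for review, not declared hostile. The confirming step for a defender is to compare the O17 values with the DNS servers the ISP or router actually assigns, and to note that a resolver change explains redirects in every browser and on every search engine in a way that a single browser toolbar does not.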
 
Dude,

Your Malwarebytes is ages old and needs to be updated, and then you need to rerun the scan on your system.

Please download Malwarebytes from here as it is a new version, but you will still have to update the definitions after installing.


http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol

To update, open malwarebytes, click on the update tab, click on check for updates. Keep doing that until it says you have the latest version, then rescan your system and post logs from malwarebytes and hijackthis.
 
Well I ran the logs, malwarebytes found 14 threats. I had the logs in a message ready to post but as soon as I hit post reply I got directed to one of the page unavailable type pages. This same thing happened for Opera, Firefox, and Internet Explorer. I then tried posting the logs in an email so I could get them on this computer to post in this message, but of course the send email button didn't work either. I was able to post earlier today, so whatever is on my computer is getting worse despite all the viruses that have been removed.
 
You shouldn't be getting redirected just by posting on this forum. However, let's do this.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
I won't be able to post those logs though, as I can't get past the forum redirect on my infected computer. Should I go ahead with what you instructed anyway? Or will it be pointless without being able to post the logs?
 
If you are able to post here, you should be able to post the logs. Explain to me what happens when you copy and paste the logs in a reply here and click on submit reply.
 
Do you have a USB flash drive you can copy the logs to, so you can then transfer them to the computer you are using now and post them? If you don't have one, run ComboFix and see if the redirecting lessens to where you can post the logs.
 
Hijack This Log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:56:06 PM, on 29/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Documents and Settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\59ec2b05ebbdf71bf58513a060a7e7a8\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weatheroffice.ec.gc.ca/city/pages/ns-19_metric_e.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60446
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60446
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O14 - IERESET.INF: START_PAGE_URL=http://weatheroffice.ec.gc.ca/city/pages/ns-19_metric_e.html
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

------------------------------------------------------------------------


Combo Fix Log:


ComboFix 10-04-29.04 - Sam 29/04/2010 20:40:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3007.2445 [GMT -3:00]
Running from: c:\documents and settings\Sam.POWERHOUSE\Local Settings\Application Data\Opera\Opera\temporary_downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1335 [VPS 090722-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sam.POWERHOUSE\Start Menu\Programs\Startup\MagicDisc.lnk
c:\recycler\S-1-5-21-1801674531-688789844-2147161785-1004
c:\windows\run.log
c:\windows\system32\1353739406.dat
c:\windows\system32\UACrmxehtkkskkiuwmrq.db
c:\windows\system32\uactmp.db
c:\windows\wiaservim.log
D:\AUTORUN.INF

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACD.SYS


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 17:12 . 2010-04-29 17:12 388096 ----a-r- c:\documents and settings\Sam.POWERHOUSE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-29 17:12 . 2010-04-29 17:12 -------- d-----w- c:\program files\Trend Micro
2010-04-29 07:45 . 2010-04-29 07:45 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Identities
2010-04-29 03:17 . 2010-04-29 03:17 -------- d-----w- c:\program files\Opera
2010-04-29 03:02 . 2010-04-29 21:16 -------- d-----w- c:\program files\Crawler
2010-04-29 02:04 . 2010-04-29 13:55 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-29 01:52 . 2010-04-29 03:35 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-29 01:52 . 2010-04-29 02:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hitman Pro
2010-04-29 01:52 . 2010-04-29 01:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-29 01:41 . 2010-04-29 01:41 -------- d-----w- c:\documents and settings\Sam.POWERHOUSE\Application Data\Avira
2010-04-29 01:37 . 2010-04-29 23:46 -------- d-s---w- c:\temp\Cookies
2010-04-29 01:37 . 2010-04-29 01:37 -------- d-s---w- c:\temp\Temporary Internet Files
2010-04-29 01:37 . 2010-04-29 01:37 -------- d-s---w- c:\temp\History
2010-04-29 01:14 . 2010-04-29 03:34 -------- d-----w- c:\documents and settings\Sam.POWERHOUSE\Application Data\Spyware Terminator
2010-04-29 01:14 . 2010-04-29 01:14 6144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator\sp_rsdel.exe
2010-04-29 01:14 . 2010-04-29 01:14 5632 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator\fileobjinfo.sys
2010-04-29 01:14 . 2010-04-29 01:14 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-04-29 01:14 . 2010-04-29 13:56 -------- d-----w- c:\program files\Spyware Terminator
2010-04-29 01:14 . 2010-04-29 13:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator
2010-04-29 01:09 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-29 01:09 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-29 01:09 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-29 01:09 . 2010-04-29 01:09 -------- d-----w- c:\program files\Avira
2010-04-29 01:09 . 2010-04-29 01:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-04-29 01:07 . 2010-04-29 01:16 -------- d-----w- c:\temp\AVSETUP_4bd8dbcb
2010-04-28 21:56 . 2010-04-28 21:56 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData
2010-04-27 23:08 . 2000-07-08 18:06 87040 ----a-w- c:\windows\UnGins.exe
2010-04-27 23:06 . 2010-04-27 23:06 -------- d-----w- c:\documents and settings\Sam.POWERHOUSE\Local Settings\Application Data\Help
2010-04-27 23:01 . 2010-04-27 23:06 -------- d-----w- c:\program files\rpg2003
2010-04-27 22:58 . 2010-04-27 22:58 88 --sh--r- c:\documents and settings\All Users.WINDOWS\Application Data\B2662A0D5F.sys
2010-04-27 22:58 . 2010-04-27 22:58 848 --sha-w- c:\documents and settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2010-04-27 22:57 . 2010-04-27 22:57 -------- d-----w- c:\program files\Common Files\Enterbrain
2010-04-27 22:57 . 2010-04-27 22:57 -------- d-----w- c:\program files\Enterbrain
2010-04-21 02:26 . 2010-04-21 02:26 -------- d-----w- c:\documents and settings\Sam.POWERHOUSE\Application Data\com.divita.nihongoup.0847A6F69C43294B0233ECB55F0AA0E8236D3CEB.1
2010-04-21 02:26 . 2010-04-21 02:25 38784 ----a-w- c:\documents and settings\Sam.POWERHOUSE\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-21 02:26 . 2010-04-21 02:25 38784 ----a-w- c:\documents and settings\Default User.WINDOWS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-21 02:26 . 2010-04-21 02:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-21 02:26 . 2010-04-21 02:26 -------- d-----w- c:\program files\divita

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 23:48 . 2009-05-16 05:02 -------- d-----w- c:\program files\Steam
2010-04-29 21:22 . 2009-05-11 19:21 1 ----a-w- c:\documents and settings\Sam.POWERHOUSE\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-29 20:00 . 2009-05-22 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 15:19 . 2009-05-22 19:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 15:19 . 2009-05-22 19:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 14:28 . 2009-12-28 03:37 -------- d-----w- c:\program files\M-Audio
2010-04-28 21:42 . 2009-05-10 06:35 -------- d-----w- c:\documents and settings\Sam.POWERHOUSE\Application Data\uTorrent
2010-04-20 02:55 . 2010-01-20 20:48 17036 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-18 23:41 . 2009-08-04 21:19 -------- d-----w- c:\documents and settings\Sam.POWERHOUSE\Application Data\vlc
2010-03-30 17:35 . 2010-03-30 17:35 -------- d-----w- c:\program files\MagicDisc
2010-03-30 17:09 . 2010-03-30 17:09 -------- d-----w- c:\program files\The Rosetta Stone
2010-03-18 16:10 . 2009-07-01 23:08 -------- d-----w- c:\program files\Warcraft III
2010-03-11 23:34 . 2009-04-19 03:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-05 17:57 . 2010-03-04 16:27 -------- d-----w- c:\program files\DOSBox-0.73
2010-02-18 04:50 . 2009-05-09 21:19 17480 -c--a-w- c:\documents and settings\Sam.POWERHOUSE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 03:26 . 2010-02-17 03:26 118784 ----a-w- c:\windows\dsdxirmv.exe
2010-02-16 17:24 . 2009-05-23 20:50 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2006-11-18 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-17 133104]
"Steam"="c:\program files\Steam\Steam.exe" [2010-04-28 1238352]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-08-05 224712]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-04-29 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-18 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 61440]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2010-04-29 2176512]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-29 5937984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Sam.POWERHOUSE\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
PowerReg Scheduler V3.exe [2009-10-1 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-05-11 23:01 229376 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\steamapps\\leeron\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\leeron\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [17/02/2010 4:49 PM 16384]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [23/05/2009 7:12 PM 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [28/04/2010 10:14 PM 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [28/04/2010 10:09 PM 135336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23/05/2009 7:12 PM 20560]
R2 sensorsview32;sensorsview32;c:\windows\system32\drivers\sensorsview32.sys [03/06/2009 1:42 PM 14416]
S1 c34e2f10;c34e2f10;c:\windows\system32\drivers\c34e2f10.sys [24/05/2009 6:25 PM 0]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [09/11/2009 10:08 PM 25832]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [05/10/2006 6:06 PM 27328]
S3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [11/03/2010 8:34 PM 156552]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/09/2009 4:40 AM 722416]
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-484763869-725345543-1004Core.job
- c:\documents and settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 05:38]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-484763869-725345543-1004UA.job
- c:\documents and settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 05:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://weatheroffice.ec.gc.ca/city/pages/ns-19_metric_e.html
uInternet Settings,ProxyOverride = *.local;<local>
IE: Crawler Search - tbr:iemenu
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll
FF - ProfilePath - c:\documents and settings\Sam.POWERHOUSE\Application Data\Mozilla\Firefox\Profiles\yghy9ggr.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.ca
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Crawler\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\firefox\components\xwsg.dll
FF - plugin: c:\documents and settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{D187A56B-A33F-4CBE-9D77-459FC0BAE012} - c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
BHO-{ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfre0.dll
Toolbar-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
Toolbar-{ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfre0.dll
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - c:\program files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
WebBrowser-{ECDEE021-0D17-467F-A1FF-C7A115230949} - c:\program files\free-downloads.net\tbfre0.dll
HKCU-Run-Radio365Agent - (no file)
AddRemove-Free DVD ISO Maker (by minidvdsoft)_is1 - c:\program files\Free DVD ISO Maker\unins000.exe
AddRemove-free-downloads.net Toolbar - c:\progra~1\FREE-D~1.NET\UNWISE.EXE
AddRemove-I-Doser 4.50 - c:\program files\I-Doser\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 20:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{cf80bcae-c263-0c3e-014a-dd93f0c8d942}\inprocserver32*]
"jaamencnndnkcciaejoo"=hex:69,61,66,6e,6e,6b,61,6d,62,6a,64,6e,66,6e,62,68,6e,
6c,00,00
"iaamommlecflbibgpg"=hex:69,61,70,6e,70,6c,6d,65,6d,64,6e,65,63,62,66,63,6b,61,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-29 20:53:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-29 23:53

Pre-Run: 3,111,964,672 bytes free
Post-Run: 5,834,260,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
signature(fb4bfb4b)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 3F9542DEF43DA4BB85BE63DE13C6D20E

--
End of file - 8992 bytes
 
While you're waiting for me to go through the logs, go ahead and run Malwarebytes; make sure you update it first though. Post the log when done.
 
First of all, I see that you have 2 antiviruses running at the same time; you can't have that. You need to figure out which program you want to use, either Avast or Avira, and uninstall the other.

Please rerun hijackthis and place a check next to the following entries.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weatheroffice.ec.gc.ca/city/p..._metric_e.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sam.POWERHOUSE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O14 - IERESET.INF: START_PAGE_URL=http://weatheroffice.ec.gc.ca/city/pages/ns-19_metric_e.html
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll

Then click on fix checked at the bottom.

Then navigate to this file and open it with Notepad.

C:\WINDOWS\system32\drivers\etc\hosts

Right-click on that file, click Open and choose Notepad from the list. Verify that you only have 1 entry and it's

127.0.0.1 localhost

If you have more than one entry please copy and paste the list back here.

You also have an older version of Adobe Reader installed; please uninstall it via Add/Remove Programs and then download the latest version here.

http://get.adobe.com/reader/?promoid=BUIGO

Just uncheck McAfee Security Scan before pressing download.
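The hosts-file check in the post above can be done mechanically. The script below is an added example for this thread, not code from the original post or from any of the tools mentioned; the two hosts-file contents it checks are constructed samples, and the 203.0.113.x address and the example-av.com name are placeholders. It goes slightly beyond the post: besides verifying that only the default `127.0.0.1 localhost` line is present (with `::1 localhost` also accepted as the default on Vista and later), it sorts every extra entry into a redirect (a name pointed at a non-loopback address, which is how a hosts hijack sends search traffic elsewhere) or a block (a name pointed back at loopback, which is how malware keeps antivirus and update servers from resolving).

```python
"""Triage a Windows hosts file for the tampering that produces search
redirects. Added example for this thread, not part of the original post.
The sample hosts contents below are constructed, not taken from a real machine."""
import ipaddress

# Entries legitimately present on a clean Windows hosts file. XP ships with
# only the 127.0.0.1 line; Vista and later add the IPv6 loopback line.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples for every mapping in the file.
    Blank lines and comments are ignored; a trailing '# comment' is stripped,
    and one line may map several hostnames to the same address."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, hosts = parts[0], parts[1:]
        for host in hosts:
            entries.append((ip, host.lower(), line_no))
    return entries


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparseable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def triage_hosts(text):
    """Classify each entry:
      'ok'       - one of the default localhost lines
      'redirect' - a hostname sent to a non-loopback address (hijack)
      'blocked'  - a non-default hostname sent to loopback (name suppression)
    """
    report = {"ok": [], "redirect": [], "blocked": []}
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            report["ok"].append((ip, host, line_no))
        elif is_loopback(ip):
            report["blocked"].append((ip, host, line_no))
        else:
            report["redirect"].append((ip, host, line_no))
    return report


def hosts_is_clean(text):
    """The check the helper asked for: nothing beyond the default entry."""
    report = triage_hosts(text)
    return not report["redirect"] and not report["blocked"]


# Constructed samples: what a stock XP hosts file looks like, and what a
# hijacked one might look like (placeholder address and domain names).
SAMPLE_CLEAN = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"
SAMPLE_TAMPERED = """# constructed sample
127.0.0.1       localhost
203.0.113.10    www.google.com  # search traffic sent to attacker host
203.0.113.10    www.bing.com
127.0.0.1       downloads.example-av.com   # AV update server suppressed
"""

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        r = triage_hosts(text)
        print(f"{name}: clean={hosts_is_clean(text)} "
              f"redirect={r['redirect']} blocked={r['blocked']}")
```

On a live XP box you would feed it the contents of C:\WINDOWS\system32\drivers\etc\hosts; the line numbers in the report tell you exactly which lines to delete. Note that a hosts file is only one of the ways a redirect can be installed (the log above also shows a Crawler toolbar URLSearchHook and a Firefox proxy setting), so a clean hosts file does not by itself clear the machine.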
 
Malwarebytes Log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

30/04/2010 12:07:08 AM
mbam-log-2010-04-30 (00-07-08).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|G:\|)
Objects scanned: 306821
Time elapsed: 54 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Ok I'll do what you mentioned. As for Avast, I tried to delete that a while ago, I forgot I even still had it. For some reason it won't let me delete the folder manually by going to programs, and when I hit change/remove on the Add or Remove Programs page, it simply does nothing. The hourglass appears for a few seconds and then just disappears with no apparent effect.
 
Ok, I fixed the Hijack Me files. The hosts file you asked me to check is normal, no additional links are listed. Adobe Reader is now up to date.
 
Ok I'll do what you mentioned. As for Avast, I tried to delete that a while ago, I forgot I even still had it. For some reason it won't let me delete the folder manually by going to programs, and when I hit change/remove on the Add or Remove Programs page, it simply does nothing. The hourglass appears for a few seconds and then just disappears with no apparent effect.

That should be easily fixed by reinstalling the program and then uninstalling it. Has the redirecting stopped?
 
Yes all of the redirecting has stopped. Thanks a ton for all the help, you saved me a lot of headache from having to go to the local computer repair store.
 