Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Google Redirect Virus
- Thread starter scott15
- Start date
Scott, hmmmphf... I know you are a newbie, but this is rediculous at best...
if you had taken the time, that you wrote the above question and searched the forum first, you probably would have come to an answer...
SEE:
thread760-1457373
thread760-1481488
thread760-1493359
thread760-1495350
thread760-1496030
thread760-1512086
thread760-1517005
and this one especially...
thread760-1524926
Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
if you had taken the time, that you wrote the above question and searched the forum first, you probably would have come to an answer...
SEE:
thread760-1457373
thread760-1481488
thread760-1493359
thread760-1495350
thread760-1496030
thread760-1512086
thread760-1517005
and this one especially...
thread760-1524926
Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
DarcyDuarte
Technical User
Hi, everytime i search something in google and click on the link, it redirects me somewhere else. I have run both ComboFix, and HJT and here are my logs. I'm somewhat of an intermediate comp user and dont know too much. Could you please help me on what to do next.
COMBOFIX LOG:
ComboFix 09-03-23.01 - Guido Rossi 2009-03-24 7:52:58.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.174 [GMT -4:00]
Running from: c:\users\Guido Rossi\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\recycler\S-5-0-43-100005259-100026804-100003027-8830.com
c:\windows\system32\drivers\gaopdxpmfhcwrwpqrepnesnradwnubrysdyohb.sys
c:\windows\system32\gaopdxvbkhfndehsrhlxerxwqvafewwttukbeo.dll
D:\Autorun.inf
d:\recycler\S-5-0-43-100005259-100026804-100003027-8830.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 18:00 --------- d-----w c:\users\Guido Rossi\AppData\Roaming\ZoomBrowser EX
2009-03-23 18:00 --------- d-----w c:\programdata\ZoomBrowser
2009-02-26 14:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 14:02 --------- dc-h--w c:\programdata\{241AA17E-2FB3-447A-AE5F-042D03968674}
2009-02-26 14:01 --------- d-----w c:\programdata\Symantec
2009-02-26 13:49 --------- d-----w c:\program files\Citrix
2009-02-26 13:21 --------- d-----w c:\program files\Axis Communications
2009-02-26 13:20 --------- dc-h--w c:\programdata\{3937B316-00D5-475B-9A93-E684EF193DB1}
2009-02-26 13:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 16:34 4 ----a-w c:\users\Guido Rossi\AppData\Roaming\VicoLM4.dat
2009-02-20 16:33 --------- dc-h--w c:\programdata\{4CDF8022-1D60-4D48-8FEE-286D3FDC70A4}
2009-02-20 16:26 --------- d-----w c:\program files\WMV9_VCM
2009-02-20 16:17 4 ----a-w c:\users\Guido Rossi\AppData\Roaming\VicoLM3.dat
2009-02-20 16:04 --------- d-----w c:\users\Guido Rossi\AppData\Roaming\Vico Software
2009-02-20 15:46 4 ----a-w c:\users\Guido Rossi\AppData\Roaming\VicoLM1.dat
2009-02-20 15:46 --------- d-----w c:\programdata\Vico Software
2009-02-20 15:42 --------- d-----w c:\program files\QuickTime
2009-02-20 15:40 --------- d-----w c:\programdata\Apple Computer
2009-02-20 15:30 --------- d-----w c:\program files\Common Files\Vico Software
2009-02-06 14:58 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-06 14:58 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-02-05 13:44 --------- d-----w c:\programdata\avg8
2008-08-13 11:55 40,536 ----a-w c:\windows\inf\Usbkey.sys
2008-07-25 13:31 60,744 ----a-w c:\users\Guido Rossi\g2mdlhlpx.exe
2008-07-23 07:09 174 --sha-w c:\program files\desktop.ini
2007-07-25 00:33 262,144 ----a-w c:\programdata\ntuser.dat
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-09-30 05:14 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-30 05:14 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-30 05:14 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-05 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-05 81920]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-12 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-11 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 530552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-18 185896]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-11-24 622592]
"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]
"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]
"LXCQCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"QuickTime Task"="C:\qttask.exe" [2006-09-01 282624]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-07 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{128D9B34-0816-472F-B2E6-272C5EE6FFA4}"= Profile=Private|c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{DAD0F01E-1599-4454-AE77-9E067ADC8109}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{114FCF6C-A4A4-469D-9B9C-0C0FE3BCA0F2}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5A038611-E806-4A73-A946-00BDC7FCFEE3}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{989DFC65-02EB-4096-81C4-1B13D34003CE}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F2689274-5F55-48FD-8083-7AB0033D51CB}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C4AA65F2-5822-470A-B042-C5609EE7DCB2}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3C6FBB3A-CF99-4D26-84F5-0C5519BAB76A}"= Disabled:c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{1F711E7E-22EE-4236-9432-BC77EE1F690A}"= Disabled:UDP:135:TCP Port 135
"{F191DC9A-9599-477E-82A4-056F48050898}"= Disabled:UDP:5000:TCP Port 5000
"{A1EA90D0-76FF-48B2-9DAC-8FACF926C68E}"= Disabled:UDP:5001:TCP Port 5001
"{8C7B5584-00E2-4BD8-9B6C-223EDA886491}"= Disabled:UDP:5002:TCP Port 5002
"{E2CAC4D4-6B0C-4BA8-9E9C-D0CBFF4B0E0D}"= Disabled:UDP:5003:TCP Port 5003
"{57066699-798E-483B-AF9B-D02D353B8186}"= Disabled:UDP:5004:TCP Port 5004
"{583F9229-19D1-4C27-BFA0-DCE6B94E0FF3}"= Disabled:UDP:5005:TCP Port 5005
"{E946AC37-86F6-41A6-B700-975ADE692B98}"= Disabled:UDP:5006:TCP Port 5006
"{B8F66D54-A033-4845-B3CA-49630BB7101E}"= Disabled:UDP:5007:TCP Port 5007
"{8E2CC371-6199-435F-A25D-625AEFC15BC6}"= Disabled:UDP:5008:TCP Port 5008
"{CEB2FCCB-95A5-4AAF-8CCE-3E24B1540723}"= Disabled:UDP:5009:TCP Port 5009
"{A7E49584-4C7F-40B4-B424-BF3B2ADE6C14}"= Disabled:UDP:5010:TCP Port 5010
"{6DD8BBB1-FC65-4313-BD06-B11EBC8F2DD9}"= Disabled:UDP:5011:TCP Port 5011
"{5CA37C8B-4D66-48C1-9E60-97DB544D05B1}"= Disabled:UDP:5012:TCP Port 5012
"{C623054E-1ADB-48B5-9936-793246F929F1}"= Disabled:UDP:5013:TCP Port 5013
"{627422FD-5D4D-4887-8CDC-3751E7D7375C}"= Disabled:UDP:5014:TCP Port 5014
"{28CFF176-81A7-47E6-B8F2-374F29A87D30}"= Disabled:UDP:5015:TCP Port 5015
"{16BC7852-933D-46FD-89D5-9B4175A96872}"= Disabled:UDP:5016:TCP Port 5016
"{C9006BEB-8A69-4535-B01E-BAA39A2274F3}"= Disabled:UDP:5017:TCP Port 5017
"{0A116864-3742-4BC2-B1D2-18234BBAF7A0}"= Disabled:UDP:5018:TCP Port 5018
"{C255E763-43E0-4CF0-B906-D39F91A21F83}"= Disabled:UDP:5019:TCP Port 5019
"{6A837AFB-6DB7-4724-894A-BB0CB91DF096}"= Disabled:UDP:5020:TCP Port 5020
"{65D653C9-48E8-4886-9C02-702CAF5414EE}"= UDP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
"{9142BBA1-B9E5-486C-8204-99BC1572E4F4}"= TCP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
"{DB031FF2-12C9-4707-9D82-755FC0A6828B}"= Disabled:UDP:135:TCP Port 135
"{90A2F530-9355-4E7A-BE89-FAC5AE8703BC}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FB36A0EE-28F1-4EFC-B695-087F05EC821D}"= UDP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
"{1F4C11B6-9472-485C-A2AE-75E5573B1337}"= TCP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"= c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2008-12-05 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264]
R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]
R2 VERSANTD;VERSANTD;c:\versant\7_0_1\bin\versantd.exe [2007-10-24 19456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [2006-12-06 7168]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2009-03-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKCU-RunOnce-Shockwave Updater - c:\windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1; .NET CLR 1.1.4322; .NET
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
mSearch Bar = hxxp://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: avenuegroup.ca\sbs
FF - ProfilePath - c:\users\Guido Rossi\AppData\Roaming\Mozilla\Firefox\Profiles\6lco5giy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US
fficial
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", ".
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2009-03-24 07:57:46
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCQCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
Completion time: 2009-03-24 8:00:10
ComboFix-quarantined-files.txt 2009-03-24 12:00:08
Pre-Run: 64,353,193,984 bytes free
Post-Run: 65,010,286,592 bytes free
212 --- E O F --- 2008-08-06 07:04:11
AND HERE IS MY HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:27 AM, on 24/03/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 9300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetFxUpdate_v1.1.4322] "C:\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 1 v1.1.4322 GAC + NI NID
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VERSANTD - Unknown owner - C:\VERSANT\7_0_1\bin\versantd.exe
--
End of file - 7655 bytes
COMBOFIX LOG:
ComboFix 09-03-23.01 - Guido Rossi 2009-03-24 7:52:58.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.174 [GMT -4:00]
Running from: c:\users\Guido Rossi\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\recycler\S-5-0-43-100005259-100026804-100003027-8830.com
c:\windows\system32\drivers\gaopdxpmfhcwrwpqrepnesnradwnubrysdyohb.sys
c:\windows\system32\gaopdxvbkhfndehsrhlxerxwqvafewwttukbeo.dll
D:\Autorun.inf
d:\recycler\S-5-0-43-100005259-100026804-100003027-8830.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 18:00 --------- d-----w c:\users\Guido Rossi\AppData\Roaming\ZoomBrowser EX
2009-03-23 18:00 --------- d-----w c:\programdata\ZoomBrowser
2009-02-26 14:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 14:02 --------- dc-h--w c:\programdata\{241AA17E-2FB3-447A-AE5F-042D03968674}
2009-02-26 14:01 --------- d-----w c:\programdata\Symantec
2009-02-26 13:49 --------- d-----w c:\program files\Citrix
2009-02-26 13:21 --------- d-----w c:\program files\Axis Communications
2009-02-26 13:20 --------- dc-h--w c:\programdata\{3937B316-00D5-475B-9A93-E684EF193DB1}
2009-02-26 13:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 16:34 4 ----a-w c:\users\Guido Rossi\AppData\Roaming\VicoLM4.dat
2009-02-20 16:33 --------- dc-h--w c:\programdata\{4CDF8022-1D60-4D48-8FEE-286D3FDC70A4}
2009-02-20 16:26 --------- d-----w c:\program files\WMV9_VCM
2009-02-20 16:17 4 ----a-w c:\users\Guido Rossi\AppData\Roaming\VicoLM3.dat
2009-02-20 16:04 --------- d-----w c:\users\Guido Rossi\AppData\Roaming\Vico Software
2009-02-20 15:46 4 ----a-w c:\users\Guido Rossi\AppData\Roaming\VicoLM1.dat
2009-02-20 15:46 --------- d-----w c:\programdata\Vico Software
2009-02-20 15:42 --------- d-----w c:\program files\QuickTime
2009-02-20 15:40 --------- d-----w c:\programdata\Apple Computer
2009-02-20 15:30 --------- d-----w c:\program files\Common Files\Vico Software
2009-02-06 14:58 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-06 14:58 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-02-05 13:44 --------- d-----w c:\programdata\avg8
2008-08-13 11:55 40,536 ----a-w c:\windows\inf\Usbkey.sys
2008-07-25 13:31 60,744 ----a-w c:\users\Guido Rossi\g2mdlhlpx.exe
2008-07-23 07:09 174 --sha-w c:\program files\desktop.ini
2007-07-25 00:33 262,144 ----a-w c:\programdata\ntuser.dat
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-09-30 05:14 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-30 05:14 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-30 05:14 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-05 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-05 81920]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-12 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-11 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 530552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-18 185896]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-11-24 622592]
"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]
"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]
"LXCQCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"QuickTime Task"="C:\qttask.exe" [2006-09-01 282624]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-07 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{128D9B34-0816-472F-B2E6-272C5EE6FFA4}"= Profile=Private|c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{DAD0F01E-1599-4454-AE77-9E067ADC8109}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{114FCF6C-A4A4-469D-9B9C-0C0FE3BCA0F2}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5A038611-E806-4A73-A946-00BDC7FCFEE3}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{989DFC65-02EB-4096-81C4-1B13D34003CE}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F2689274-5F55-48FD-8083-7AB0033D51CB}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C4AA65F2-5822-470A-B042-C5609EE7DCB2}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3C6FBB3A-CF99-4D26-84F5-0C5519BAB76A}"= Disabled:c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{1F711E7E-22EE-4236-9432-BC77EE1F690A}"= Disabled:UDP:135:TCP Port 135
"{F191DC9A-9599-477E-82A4-056F48050898}"= Disabled:UDP:5000:TCP Port 5000
"{A1EA90D0-76FF-48B2-9DAC-8FACF926C68E}"= Disabled:UDP:5001:TCP Port 5001
"{8C7B5584-00E2-4BD8-9B6C-223EDA886491}"= Disabled:UDP:5002:TCP Port 5002
"{E2CAC4D4-6B0C-4BA8-9E9C-D0CBFF4B0E0D}"= Disabled:UDP:5003:TCP Port 5003
"{57066699-798E-483B-AF9B-D02D353B8186}"= Disabled:UDP:5004:TCP Port 5004
"{583F9229-19D1-4C27-BFA0-DCE6B94E0FF3}"= Disabled:UDP:5005:TCP Port 5005
"{E946AC37-86F6-41A6-B700-975ADE692B98}"= Disabled:UDP:5006:TCP Port 5006
"{B8F66D54-A033-4845-B3CA-49630BB7101E}"= Disabled:UDP:5007:TCP Port 5007
"{8E2CC371-6199-435F-A25D-625AEFC15BC6}"= Disabled:UDP:5008:TCP Port 5008
"{CEB2FCCB-95A5-4AAF-8CCE-3E24B1540723}"= Disabled:UDP:5009:TCP Port 5009
"{A7E49584-4C7F-40B4-B424-BF3B2ADE6C14}"= Disabled:UDP:5010:TCP Port 5010
"{6DD8BBB1-FC65-4313-BD06-B11EBC8F2DD9}"= Disabled:UDP:5011:TCP Port 5011
"{5CA37C8B-4D66-48C1-9E60-97DB544D05B1}"= Disabled:UDP:5012:TCP Port 5012
"{C623054E-1ADB-48B5-9936-793246F929F1}"= Disabled:UDP:5013:TCP Port 5013
"{627422FD-5D4D-4887-8CDC-3751E7D7375C}"= Disabled:UDP:5014:TCP Port 5014
"{28CFF176-81A7-47E6-B8F2-374F29A87D30}"= Disabled:UDP:5015:TCP Port 5015
"{16BC7852-933D-46FD-89D5-9B4175A96872}"= Disabled:UDP:5016:TCP Port 5016
"{C9006BEB-8A69-4535-B01E-BAA39A2274F3}"= Disabled:UDP:5017:TCP Port 5017
"{0A116864-3742-4BC2-B1D2-18234BBAF7A0}"= Disabled:UDP:5018:TCP Port 5018
"{C255E763-43E0-4CF0-B906-D39F91A21F83}"= Disabled:UDP:5019:TCP Port 5019
"{6A837AFB-6DB7-4724-894A-BB0CB91DF096}"= Disabled:UDP:5020:TCP Port 5020
"{65D653C9-48E8-4886-9C02-702CAF5414EE}"= UDP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
"{9142BBA1-B9E5-486C-8204-99BC1572E4F4}"= TCP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
"{DB031FF2-12C9-4707-9D82-755FC0A6828B}"= Disabled:UDP:135:TCP Port 135
"{90A2F530-9355-4E7A-BE89-FAC5AE8703BC}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FB36A0EE-28F1-4EFC-B695-087F05EC821D}"= UDP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
"{1F4C11B6-9472-485C-A2AE-75E5573B1337}"= TCP:c:\windows\System32\lxcqcoms.exe:Lexmark Communications System
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"= c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2008-12-05 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264]
R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]
R2 VERSANTD;VERSANTD;c:\versant\7_0_1\bin\versantd.exe [2007-10-24 19456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [2006-12-06 7168]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2009-03-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKCU-RunOnce-Shockwave Updater - c:\windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1; .NET CLR 1.1.4322; .NET
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
mSearch Bar = hxxp://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/ymj/*IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: avenuegroup.ca\sbs
FF - ProfilePath - c:\users\Guido Rossi\AppData\Roaming\Mozilla\Firefox\Profiles\6lco5giy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US
fficialFF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", ".
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2009-03-24 07:57:46
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCQCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
Completion time: 2009-03-24 8:00:10
ComboFix-quarantined-files.txt 2009-03-24 12:00:08
Pre-Run: 64,353,193,984 bytes free
Post-Run: 65,010,286,592 bytes free
212 --- E O F --- 2008-08-06 07:04:11
AND HERE IS MY HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:27 AM, on 24/03/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 9300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetFxUpdate_v1.1.4322] "C:\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 1 v1.1.4322 GAC + NI NID
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VERSANTD - Unknown owner - C:\VERSANT\7_0_1\bin\versantd.exe
--
End of file - 7655 bytes
Did you look at the links provided above?
You HiJackThis log looks clean except for a couple of missing files:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
And one entry I'm not familiar with:
O23 - Service: VERSANTD - Unknown owner - C:\VERSANT\7_0_1\bin\versantd.exe
James P. Cottingham
I'm number 1,229!
I'm number 1,229!
You HiJackThis log looks clean except for a couple of missing files:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
And one entry I'm not familiar with:
O23 - Service: VERSANTD - Unknown owner - C:\VERSANT\7_0_1\bin\versantd.exe
James P. Cottingham
I'm number 1,229!
I'm number 1,229!
- Status
