
Google hijacked by site 67.29.139.253(RESOLVED)

#1, roger_g_d (D-A-L Newbie, joined Mar 2006, 16 posts), 08-02-2009, 11:38 PM

Hi,
Intermittently, any search of Google results in IE, Mozilla or Chrome is redirecting me to totally unconnected search engines and results. I have seen a site which I believe was 67.29.139.253 flash up when the searches are being wrongly redirected.
My HijackThis log follows, and any help would be very much appreciated.

Regards

Roger

PS. I have only just put Ad-Aware onto the system to try and get rid of the problem myself, but with no success.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:32:41, on 08/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = BBC NEWS | News Front Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSC...-i586-jc.cab?e=1234032964832&h=43e30adc61e4c4f1527599ad476b15e6/&filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe

--
End of file - 9803 bytes

Uninstall list is as follows:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
AC3Filter (remove only)
ACDSee Pro
Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Adobe Acrobat 4.0
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Master Collection
Adobe Creative Suite 4 Master Collection
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 8.1.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Soundbooth CS4 Codecs
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AnyDVD
Apple Mobile Device Support
Apple Software Update
Belkin High-Speed Mode Wireless G USB Network Adapter
BitLord 1.1
Brother MFL-Pro Suite
Canon S9000
CCleaner (remove only)
CDDRV_Installer
CloneCD
CloneDVD 3.9
Connect
Crystal Reports for .NET Framework 2.0 (x86)
Dfx for Adobe Photoshop
Dfx for Adobe Photoshop
DYMO Label Software
FLV Player 2.0, build 23
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImgBurn
IsoBuster 2.0
iTunes
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KhalInstallWrapper
kuler
LightMachine 1.02
LightZone 3.0
LimeWire 4.17.0
Logitech SetPoint
LogMeIn
LogMeIn
Malwarebytes' Anti-Malware
Mazaika 3.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package - SE
Microsoft WSE 3.0 Runtime
MLDownloader
MobileMe Control Panel
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
MTPredictor6
Nero 8
neroxml
Nikon Scan
NOD32 antivirus system
NOD32 FiX v2.1
OT2009
PaperPort
PDF Settings CS4
Photodex Presenter
Photoshop Camera Raw
PowerDVD
ProShow Producer
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
SopCast 2.0.4
Suite Shared Configuration CS4
Topaz Simplify
TradeAdvisor
TradeGuider EOD
TVUPlayer 2.3.5.4
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VCRedistSetup
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
Xilisoft DVD Creator
XP Codec Pack

Last edited by roger_g_d; 08-02-2009 at 11:44 PM.
#2, Neal (Senior Member, joined Sep 2005, 5,524 posts), 10-02-2009, 01:27 AM

Real-time monitoring programs can interfere with the cleanup of your computer. It is advisable that you temporarily disable those programs before cleaning and then enable them again after the cleanup is completed.

Ad-Aware Ad-Watch

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: Switches Monitoring On or Off without closing
Automatic: Switches Automatic Blocking On or Off

3. Uncheck (red X) both items.



Visit the page below to familiarize yourself with the tool and download it from one of the links provided.

A guide and tutorial on using ComboFix

If you have previously downloaded ComboFix, please delete that version now.

It is IMPORTANT that it is saved directly to your desktop.

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now.

How To Disable

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



*Note*
In case your antivirus or any other realtime scanner displays an alert after you download Combofix or while you use Combofix, please disable your scanner and redownload Combofix.
Some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.

ComboFix SHOULD NOT be used unless requested by a forum helper.

I need you to post a new log single spaced as it makes things easier to read:

To remove the double spacing in your log, please do the following:
  • Please go to Start >> Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.
  • Then post a new HijackThis log.
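Neal asks for a single-spaced log because the forum wrapped each long HijackThis entry onto a second line and inserted a blank line between the halves, as in the log in the first post. The Python below is an added example, not code from the thread or from HijackThis: it rejoins those fragments and parses the R/O entries into fields, using a constructed excerpt copied from the log above; the field-splitting rules and the "Unknown owner" check are this example's own heuristics, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis prefixes: R0-R3 (IE pages), F0-F3 (ini autostarts), N1-N4 (Netscape/Mozilla),
# O1-O24 (hosts, BHOs, toolbars, Run keys, IE extras, DPF, services, ...).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HEADER_PREFIXES = ("Logfile of", "Scan saved", "Platform:", "MSIE:", "Boot mode:",
                   "Running processes:", "--", "End of file")

# Constructed excerpt laid out the way the thread's log arrived: each long entry was
# wrapped onto a second line by the forum, with a blank line between the halves.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32krn.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft

Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6)

-

http://housecall65.trendmicro.com/ho...activex/hcImpl

.cab
O23 - Service: ScsiAccess - Unknown owner - C:\Program

Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program

Files\Eset\nod32krn.exe
End of file - 9803 bytes
"""

def _starts_record(line: str) -> bool:
    # Entry lines, bare drive paths (the process list) and header lines begin a record.
    return bool(ENTRY_RE.match(line) or re.match(r"[A-Za-z]:\\", line)) or line.startswith(HEADER_PREFIXES)

def rejoin_wrapped(text: str) -> list:
    """Drop the inserted blank lines and glue each wrapped fragment back onto its record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        dangling = bool(records) and records[-1].endswith((" -", " ="))  # value is on the next line
        if records and (dangling or not _starts_record(line)):
            prev = records[-1]
            # A break inside a URL (last token holds "://") is mid-token; other breaks fell on a space.
            glue = "" if "://" in prev.split()[-1] else " "
            records[-1] = prev + glue + line
        else:
            records.append(line)
    return records

@dataclass
class Entry:
    kind: str                    # "O2", "O4", "O23", ...
    body: str                    # text after "<kind> - "
    clsid: Optional[str]         # first {GUID} on the line, if any
    target: str                  # file, URL or value the entry points at
    owner: Optional[str] = None  # O23 only: vendor as HijackThis reports it

def _first_token(cmd: str) -> str:
    # Executable of an autostart command line: the quoted path, else the first word.
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def parse_entry(line: str) -> Optional[Entry]:
    """Split one R/F/N/O line into fields; the field rules are this example's own heuristics."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body, owner = m.group(1), line[m.end():], None
    clsid = CLSID_RE.search(body)
    if kind.startswith("R") or (kind == "O4" and "] " not in body):
        target = body.split(" = ", 1)[-1]              # "value = data" / "x.lnk = path"
    elif kind == "O4":
        target = _first_token(body.split("] ", 1)[1])  # "[name] command line"
    else:
        fields = body.split(" - ")                     # "desc - {CLSID} - path" / "Service: n - owner - path"
        target = fields[-1]
        if kind == "O23" and len(fields) >= 3:
            owner = fields[-2]
    return Entry(kind, body, clsid.group(0) if clsid else None, target.strip(), owner)

def parse_entries(lines) -> list:
    return [e for e in map(parse_entry, lines) if e is not None]

def unknown_owner_services(entries) -> list:
    """O23 services HijackThis could not attribute to a vendor: the first lines a helper reviews."""
    return [e.body.split(" - ", 1)[0].replace("Service: ", "", 1)
            for e in entries if e.kind == "O23" and e.owner == "Unknown owner"]
```

The forum's other artefact, a space inserted into very long words (for example "CS4ServiceManager.ex e" in the log above), is not repaired by this script and still needs a manual check against the original file.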
#3, roger_g_d (D-A-L Newbie, joined Mar 2006, 16 posts), 11-02-2009, 10:58 PM

Hi Neal,

Thanks for taking up the problem. The only way I could stop NOD32 running was to rename all the exe files in the program folder! Combofix STILL showed NOD32 to be running after a restart, but I can't see how. I hope it hasn't messed up the results you require. If necessary, I'll totally uninstall NOD32 and re-run Combofix. Let me know.

Roger



ComboFix 09-02-10.01 - Roger 2009-02-10 20:26:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2703 [GMT 0:00]
Running from: c:\documents and settings\Roger\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxoyjkwoif.sys
c:\windows\system32\gaopdxirxtxbun.dll
c:\windows\system32\MSVCTSCP.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-09 23:04 . 2009-02-09 23:04 0 --a------ c:\windows\oodcnt.INI
2009-02-09 23:02 . 2009-02-09 23:03 <DIR> d-------- c:\windows\system32\oodag
2009-02-09 20:04 . 2009-02-09 20:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-09 20:03 . 2009-02-09 20:03 <DIR> d-------- c:\documents and settings\Administrator
2009-02-08 19:42 . 2009-02-08 22:01 <DIR> d-------- C:\fixwareout
2009-02-08 10:29 . 2009-02-08 10:29 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 09:26 . 2009-02-08 09:58 <DIR> d-------- C:\bfu
2009-02-07 21:47 . 2009-02-07 22:47 <DIR> d-------- c:\documents and settings\Roger\DoctorWeb
2009-02-07 18:54 . 2009-02-08 12:34 <DIR> d-------- c:\documents and settings\Roger\.housecall6.6
2009-02-07 18:43 . 2009-01-18 21:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-07 18:18 . 2009-01-18 21:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-07 18:17 . 2009-02-07 18:17 <DIR> d-------- c:\program files\Lavasoft
2009-02-07 18:17 . 2009-02-07 18:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-07 18:17 . 2009-02-07 18:17 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-06 23:07 . 2009-02-06 23:07 <DIR> d-------- c:\program files\Belkin
2009-02-06 23:07 . 2005-01-19 11:01 1,396,831 --a------ c:\windows\system32\AegisE5.dll
2009-02-06 23:07 . 2003-10-13 15:30 94,208 --a------ c:\windows\system32\GTW32N50.dll
2009-02-06 23:07 . 2004-04-30 15:12 40,960 --a------ c:\windows\system32\F5D7051.dll
2009-02-06 23:07 . 2003-09-25 23:28 31,930 --a------ c:\windows\system32\GTNDIS3.VXD
2009-02-06 23:07 . 2004-03-30 16:57 29,184 --a------ c:\windows\system32\drivers\RNDISMPK.sys
2009-02-06 23:07 . 2009-02-06 23:07 17,801 --a------ c:\windows\system32\drivers\AegisP.sys
2009-02-06 23:07 . 2003-09-25 22:15 15,872 --a------ c:\windows\system32\GTNDIS5.sys
2009-02-06 23:07 . 2004-03-30 16:57 13,824 --a------ c:\windows\system32\drivers\usb8023k.sys
2009-02-06 13:23 . 2009-02-06 13:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 13:23 . 2009-02-06 13:23 <DIR> d-------- c:\documents and settings\Roger\Application Data\Malwarebytes
2009-02-06 13:23 . 2009-02-06 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 13:23 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-06 13:23 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-06 13:09 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-02-06 13:09 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-02-06 13:09 . 2008-04-13 19:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-06 13:09 . 2008-04-13 19:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-02-05 14:55 . 2009-02-05 15:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-24 16:20 . 2009-01-24 16:53 <DIR> d-------- c:\program files\Boilsoft MOV Converter
2009-01-21 18:12 . 2009-01-21 18:12 <DIR> d-------- c:\program files\Xilisoft
2009-01-19 23:43 . 2009-01-19 23:43 <DIR> d-------- c:\documents and settings\Roger\Application Data\AVS4YOU
2009-01-19 23:43 . 2009-01-19 23:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-01-19 23:40 . 2009-01-20 20:04 <DIR> d-------- c:\program files\Common Files\AVSMedia
2009-01-19 23:40 . 2009-01-20 20:04 <DIR> d-------- c:\program files\AVS4YOU
2009-01-19 23:40 . 2008-08-13 10:22 1,700,352 --a------ c:\windows\system32\GdiPlus.dll
2009-01-19 23:40 . 2008-08-13 10:22 24,576 --a------ c:\windows\system32\msxml3a.dll
2009-01-18 22:38 . 2009-01-18 22:38 <DIR> d-------- c:\documents and settings\Roger\Application Data\Nero
2009-01-18 22:35 . 2009-01-18 22:37 <DIR> d-------- c:\program files\Common Files\Nero
2009-01-18 22:35 . 2009-01-18 22:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-01-18 22:01 . 2009-01-19 22:42 8 --ah----- c:\windows\system32\adb.dat
2009-01-18 20:12 . 2009-01-20 20:04 <DIR> d-------- c:\program files\AviSynth 2.5
2009-01-18 20:12 . 2009-01-18 20:12 <DIR> d-------- c:\program files\AC3Filter
2009-01-18 20:12 . 2007-08-18 07:54 380,928 --a------ c:\windows\system32\ac3filter.acm
2009-01-18 18:15 . 2009-01-18 18:15 <DIR> d-------- c:\documents and settings\Roger\Application Data\dvdcss
2009-01-18 16:49 . 2009-01-18 16:49 38 --a------ c:\windows\AviSplitter.INI
2009-01-18 16:48 . 2009-01-18 16:48 <DIR> d-------- c:\program files\XP Codec Pack
2009-01-18 16:48 . 2009-01-18 16:49 <DIR> d-------- c:\documents and settings\Roger\Application Data\Media Player Classic
2009-01-17 17:58 . 2008-12-31 06:55 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2009-01-17 17:58 . 2008-12-31 06:55 16,512 --a------ c:\windows\system32\drivers\ASPI32.SYS
2009-01-15 17:49 . 2009-01-15 17:49 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-14 22:08 . 2009-01-14 22:21 <DIR> d-------- c:\program files\Nirvana
2009-01-14 22:00 . 2009-01-14 22:07 73,728 --a------ c:\documents and settings\Roger\SetupNI.dll
2009-01-11 12:13 . 2009-01-11 12:13 <DIR> d-------- c:\program files\Microsoft WSE
2009-01-11 12:08 . 2009-01-11 12:08 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-11 12:08 . 2009-01-11 12:08 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-11 12:07 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 20:19 --------- d-----w c:\program files\ESET
2009-02-10 07:17 --------- d-----w c:\program files\LogMeIn
2009-02-05 12:14 --------- d-----w c:\program files\DYMO Label
2009-02-05 09:17 --------- d-----w c:\program files\MLDownloader
2009-01-25 16:55 --------- d-----w c:\program files\CloneDVD
2009-01-23 20:20 --------- d-----w c:\program files\TradeGuider
2009-01-19 20:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-18 22:35 --------- d-----w c:\program files\Nero
2009-01-18 22:14 --------- d-----w c:\documents and settings\Roger\Application Data\MailWasherPro
2009-01-17 17:40 --------- d-----w c:\program files\ElcomSoft
2009-01-14 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\Nirvana Systems
2009-01-14 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-11 12:08 --------- d-----w c:\program files\MSBuild
2009-01-06 22:37 --------- d-----w c:\program files\EOD Downloader
2008-12-30 17:58 --------- d-----w c:\program files\TradingSolutions 4.0
2008-12-30 08:55 --------- d-----w c:\program files\CCleaner
2008-12-30 08:25 --------- d-----w c:\program files\Common Files\Business Objects
2008-12-23 09:27 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-23 09:27 --------- d-----w c:\program files\Java
2008-12-14 19:19 --------- d-----w c:\program files\TeamViewer
2008-12-14 19:15 --------- d-----w c:\documents and settings\Roger\Application Data\TeamViewer
2008-12-14 12:40 --------- d-----w c:\program files\Common Files\Adobe
2008-12-13 15:48 --------- d-----w c:\program files\Adobe Media Player
2008-12-13 15:44 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-13 15:33 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 09:16 --------- d-----w c:\program files\Topaz Labs
2008-12-02 11:38 1,150,976 ----a-w c:\windows\system32\tlisimplify04_dll.dll
2008-11-30 17:20 3,520,000 ----a-w c:\windows\system32\tlisimplify04.dll
2008-11-19 09:28 1,839,104 ----a-w c:\windows\system32\tlisimplifyreg.exe
2008-03-01 16:47 7,775 ----a-w c:\program files\hijackthis.log
2008-03-01 16:46 401,720 ----a-w c:\program files\HiJackThis.exe
2008-10-08 20:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100820081009\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 c:\windows\soundman.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-01-31 789008]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-01-31 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-06-11 22:43 640376 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
--a------ 2008-06-12 02:25 37232 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 19:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-26 22:16 133104 c:\documents and settings\Roger\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-23 09:27 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-11-29 02:17 55824 c:\windows\KHALMNPR.Exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Roger\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-07 64160]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-07-23 15424]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-14 47640]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b76e9e-eacd-11dc-8a0e-0019dbc6b51e}]
\Shell\AutoRun\command - L:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/news
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Roger\Application Data\Mozilla\Firefox\Profiles\s4w35dk4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - plugin: c:\documents and settings\Roger\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\documents and settings\Roger\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 20:30:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="61FAEEA589C33258 70338C8AE1ED38DC461C5C2B5C42630E0CE0E4BB06A0F0A641 F4F56987F0144DB03C1507B6DA53FE32484C348488340C342D B4293283381FA35A6384DA162A59988A972ECBC4387FD84442 4AAE52E2AF26E65ABDFC583AAE5FC581BBD06C6643735E786F F3D7069D1C11DFA5CF5C5ED2F6ED5418230D51EADE1B4DBA08 B1AF761E3AD09D534151BC6FEE7CE2B3E585F151675640B211 4B07207D740F7827E0018D64EDF064B422E35B67218279FEBC 9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E 127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC49 80AC7933A6A0AC4980AC7933A6171C11EC38DE3DC038D530D6 EB3452F844E2A4EA7BCDF1004F00B02FBB10B286CDF2016054 F4539781E25242A083FD113533B65847AE9C64956C61A5FD0C C1D3DDBB2C7E2098E0505877FD628E87D7DFA2C07AED67A446 0C552500560BC938F065E0FAFA6E5D1BD168A58603C06B883B 9F745A0AE1C0E0C04E0B0CDFA21F2CBA705DA3D65C855EA6AF 9C752554F95304B0D7D5CE7174B0D135221CA4BD4A0A9100CB EE56BFB45AE098B3670F99E14B9A531B7FA28298D0913190D5 CC86EA0FD8896FB9019E74139407658FC81534DAE3750F80AE 36E83057DE24F6C2D984CE77752C76A335335FDAD04E359EFD 683CCAFA2D916263830E7DCE4B4F364C81AF5A210929CCF2C2 ECCF3FB1B1A4C259833CB90F04EF126C01E1049B439923ACEC 6F5E36EBD2FAD6399411F4F3AC8343922B7D733A4C020B7468 76CACA255A3715ABEF03EA4C250B994E77207CD2934BA38A85 BD2BB122AAA376933773541F350A07126469967DD9B5A49A64 E2F07C7542560374E3A0997A22F73A5F5B64D39F83FBEE73BA 51C2A708C39191D1AB7BAE518C20C201D8418E565B3E67B8D9 0FD28C0A296C496068B862DE6C1E8766FE4383ADF4F6B760A6 5D7712E817D17B9C8D83B5553212EB17B4E627ACA3D5492D65 E33E9205CE828C439593F3D906D4F9F59A87FBC6266029AB0E D8C8602243DDAD4D4A7A0422CCE600905A92C0423459935A09 1B54ABEC2E0E242E2A36E7851F15EF5EA4AC1F916035A0E5E5 FE0E2DA2D31B4BA3285A08E9B0C6E72EAA36042FF9530CFB5F 4AE7D4EBCDB7086CFE186F068D617A3480E754CDEC4BA7E7AC F8839E4DE8DFA0BBA8D78EF5578305410E0E5F3463F68A7F88 9882DBA15D3C8460C42A8D8E22149D722E6D4ACED8E897EE81 F7656DE8E64CAB17CFB0368899867CCF26929B0B07AF27503A D2ACFC5C54DE804B4B9D0FA47054621B5ADAD6949052B40232 3155E7C56D6D0F6705D646614474BB6519A04488CA41AF9D63 
6BE7952AB81093732F48452F6565366C42B3B8C97D8C8686C4 EB469B30B712A8DAF29B91D205368E3DE0AA9ACF1DC17E1153 6CDF6DE5D51219646F165FC6A18730B5"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\imon.dll
.
Completion time: 2009-02-10 20:32:14
ComboFix-quarantined-files.txt 2009-02-10 20:32:12

Pre-Run: 177,497,059,328 bytes free
Post-Run: 177,574,064,128 bytes free

261 --- E O F --- 2009-01-14 18:09:38


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52:05, on 10/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = BBC NEWS | News Front Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe

--
End of file - 9755 bytes

Last edited by roger_g_d; 11-02-2009 at 11:01 PM.
#4
Old 12-02-2009, 02:01 AM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
re: Google hijacked by site 67.29.139.253(RESOLVED)

Info on NOD32:

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs



Go to next site:
VirusTotal - Free Online Virus and Malware Scan
On top you'll find 'Browse'
Click the browse button and browse to next file:


c:\windows\system32\adb.dat


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


If that one is too busy, here is another option:


Online malware scan

And

Virus File Scanner


Do the same for this one please:

c:\windows\system32\tlisimplify04.dll



Update Java: Security Issue

* Go to Start > Control Panel double-click on the Software icon > add/remove programs.
* Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

It should have next icon next to it:
Select it and click Remove.
* The current version can be downloaded from Sun here: Java SE Downloads - Sun Developer Network (SDN) Scroll down the page to 'Java Runtime Environment (JRE) 6u11(or higher) and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
#5
Old 12-02-2009, 09:13 PM
Newbie
D-A-L Newbie
 
Join Date: Mar 2006
Posts: 16
re: Google hijacked by site 67.29.139.253(RESOLVED)

Hi Neal,

As requested the two results from the virus scan. I have also removed Java & reinstalled from the site recommended.

Regards

Roger

adb.bat:

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.12 -
AhnLab-V3 5.0.0.2 2009.02.12 -
AntiVir 7.9.0.76 2009.02.12 -
Authentium 5.1.0.4 2009.02.12 -
Avast 4.8.1335.0 2009.02.12 -
AVG 8.0.0.229 2009.02.12 -
BitDefender 7.2 2009.02.12 -
CAT-QuickHeal 10.00 2009.02.11 -
ClamAV 0.94.1 2009.02.12 -
Comodo 975 2009.02.12 -
DrWeb 4.44.0.09170 2009.02.12 -
eSafe 7.0.17.0 2009.02.12 -
eTrust-Vet 31.6.6353 2009.02.12 -
F-Prot 4.4.4.56 2009.02.11 -
F-Secure 8.0.14470.0 2009.02.12 -
Fortinet 3.117.0.0 2009.02.12 -
GData 19 2009.02.12 -
Ikarus T3.1.1.45.0 2009.02.12 -
K7AntiVirus 7.10.628 2009.02.12 -
Kaspersky 7.0.0.125 2009.02.12 -
McAfee 5524 2009.02.12 -
McAfee+Artemis 5524 2009.02.12 -
Microsoft 1.4306 2009.02.12 -
NOD32 3849 2009.02.12 -
Norman 6.00.02 2009.02.12 -
nProtect 2009.1.8.0 2009.02.12 -
Panda 10.0.0.10 2009.02.12 -
PCTools 4.4.2.0 2009.02.12 -
Prevx1 V2 2009.02.12 -
Rising 21.16.32.00 2009.02.12 -
SecureWeb-Gateway 6.7.6 2009.02.12 -
Sophos 4.38.0 2009.02.12 -
Sunbelt 3.2.1851.2 2009.02.12 -
Symantec 10 2009.02.12 -
TheHacker 6.3.1.9.254 2009.02.12 -
TrendMicro 8.700.0.1004 2009.02.12 -
VBA32 3.12.8.12 2009.02.11 -
ViRobot 2009.2.12.1603 2009.02.12 -
VirusBuster 4.5.11.0 2009.02.12 -
Additional information
File size: 8 bytes
MD5...: d632421b7367834b32dbe87ad0993b2c
SHA1..: c327370c766131d274df41f6021192cd00a0b104
SHA256: 7b2ed67587fcbc411fcb4b71b1cef1ef6cd9edf948148414cf5f0ab21362b9aa
SHA512: 77258b426e43a7bd566dfd5b7e3e585fbfc1c86db7ddc428b9eb73529e04bd43c29774b0dafdb0952a76c7476d3739109f636c04ae8d75bf6909efc8f6ea00c8

ssdeep: 3:/lM:y

PEiD..: -
TrID..: File type identification
MS Flight Simulator Aircraft Performance Info (100.0%)
PEInfo: -


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

tlisimplify04.dll

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.12 -
AhnLab-V3 5.0.0.2 2009.02.12 -
AntiVir 7.9.0.76 2009.02.12 -
Authentium 5.1.0.4 2009.02.12 -
Avast 4.8.1335.0 2009.02.12 -
AVG 8.0.0.229 2009.02.12 -
BitDefender 7.2 2009.02.12 -
CAT-QuickHeal 10.00 2009.02.11 -
ClamAV 0.94.1 2009.02.12 -
Comodo 975 2009.02.12 -
DrWeb 4.44.0.09170 2009.02.12 -
eSafe 7.0.17.0 2009.02.12 -
eTrust-Vet 31.6.6353 2009.02.12 -
F-Prot 4.4.4.56 2009.02.11 -
F-Secure 8.0.14470.0 2009.02.12 -
Fortinet 3.117.0.0 2009.02.12 -
GData 19 2009.02.12 -
Ikarus T3.1.1.45.0 2009.02.12 -
K7AntiVirus 7.10.628 2009.02.12 -
Kaspersky 7.0.0.125 2009.02.12 -
McAfee 5524 2009.02.12 -
McAfee+Artemis 5524 2009.02.12 -
Microsoft 1.4306 2009.02.12 -
NOD32 3849 2009.02.12 -
Norman 6.00.02 2009.02.12 -
nProtect 2009.1.8.0 2009.02.12 -
Panda 10.0.0.10 2009.02.12 -
PCTools 4.4.2.0 2009.02.12 -
Prevx1 V2 2009.02.12 -
Rising 21.16.32.00 2009.02.12 -
SecureWeb-Gateway 6.7.6 2009.02.12 -
Sophos 4.38.0 2009.02.12 -
Sunbelt 3.2.1851.2 2009.02.12 -
Symantec 10 2009.02.12 -
TheHacker 6.3.1.9.254 2009.02.12 -
TrendMicro 8.700.0.1004 2009.02.12 -
VBA32 3.12.8.12 2009.02.11 -
ViRobot 2009.2.12.1603 2009.02.12 -
VirusBuster 4.5.11.0 2009.02.12 -
Additional information
File size: 3520000 bytes
MD5...: 9a273633d1a183ada1c5bdb9f5bc1f1b
SHA1..: d6bd39edeb8c1ffa79b3e4cc04593644c93b2e36
SHA256: 9fc3935c65f1a8297f1958a333f411479c3e3e08e115417ae9f85e9846a6ee94
SHA512: 016a7f236c3233209cc70b5196e2035c6501dcef5979ceec4fcf1d1903af2f43ddc81519029a6bec07caaf700ab3f765c94b3d02ec0dc9c11c7e779489be24a9

ssdeep: 98304:JI7EMr0l/vRdFvqYqO7WwIvdByd6DBmmhjWF5ogCFj:4EjqYqO7WwIvdBy

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3a4c0
timedatestamp.....: 0x49331fd2 (Sun Nov 30 23:20:50 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x32d712 0x32d800 6.43 af297ed722ec9176c135270fc75ad70e
.text1 0x32f000 0xe0 0x200 2.97 6523de81ff8d81934cb99a9b38881fcb
.rdata 0x330000 0xe0cf 0xe200 5.90 5ef2330772098c38b3e2d524dfc96d94
.data 0x33f000 0x13cf8 0x11a00 5.67 9f8adde9f63a4a2d8368c5e8c0ed7e7e
.data1 0x353000 0x688 0x800 2.63 bbffaf9dca62ac2240ff1e2cc261fae9
.trace 0x354000 0x1898 0x1a00 6.05 22241f9666e41630c6b3eaf0272c5291
.rsrc 0x356000 0xb0 0x200 4.12 bf36186b3998810f98d59f4eac0bb8a3
.reloc 0x357000 0xb63c 0xb800 4.82 46d84eea52528db3278621d099b257b0

( 2 imports )
> libiomp5md.dll: -, -, -, -, -, -, -, -, -
> KERNEL32.dll: HeapDestroy, GetThreadLocale, FormatMessageA, ReadFile, GetProcessHeap, SetEndOfFile, RtlUnwind, RaiseException, GetCurrentThreadId, GetCommandLineA, HeapAlloc, GetLastError, HeapReAlloc, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleHandleA, Sleep, ExitProcess, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, CloseHandle, GetConsoleCP, GetConsoleMode, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, LoadLibraryA, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, CreateFileA, SetStdHandle, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

( 3 exports )
setDebugTrace, tlSetupLib, tlSimplifyRGB



ATTENTION
#6
Old 12-02-2009, 09:18 PM
Newbie
D-A-L Newbie
 
Join Date: Mar 2006
Posts: 16
re: Google hijacked by site 67.29.139.253(RESOLVED)

Hi Neal,

I have run the virus scan as requested and posted the results below. I have also uninstalled the Java programs/updates and re-installed a download directly from the Java site.

Regards

Roger

============================================

tlisimplify04.dll


Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.12 -
AhnLab-V3 5.0.0.2 2009.02.12 -
AntiVir 7.9.0.76 2009.02.12 -
Authentium 5.1.0.4 2009.02.12 -
Avast 4.8.1335.0 2009.02.12 -
AVG 8.0.0.229 2009.02.12 -
BitDefender 7.2 2009.02.12 -
CAT-QuickHeal 10.00 2009.02.11 -
ClamAV 0.94.1 2009.02.12 -
Comodo 975 2009.02.12 -
DrWeb 4.44.0.09170 2009.02.12 -
eSafe 7.0.17.0 2009.02.12 -
eTrust-Vet 31.6.6353 2009.02.12 -
F-Prot 4.4.4.56 2009.02.11 -
F-Secure 8.0.14470.0 2009.02.12 -
Fortinet 3.117.0.0 2009.02.12 -
GData 19 2009.02.12 -
Ikarus T3.1.1.45.0 2009.02.12 -
K7AntiVirus 7.10.628 2009.02.12 -
Kaspersky 7.0.0.125 2009.02.12 -
McAfee 5524 2009.02.12 -
McAfee+Artemis 5524 2009.02.12 -
Microsoft 1.4306 2009.02.12 -
NOD32 3849 2009.02.12 -
Norman 6.00.02 2009.02.12 -
nProtect 2009.1.8.0 2009.02.12 -
Panda 10.0.0.10 2009.02.12 -
PCTools 4.4.2.0 2009.02.12 -
Prevx1 V2 2009.02.12 -
Rising 21.16.32.00 2009.02.12 -
SecureWeb-Gateway 6.7.6 2009.02.12 -
Sophos 4.38.0 2009.02.12 -
Sunbelt 3.2.1851.2 2009.02.12 -
Symantec 10 2009.02.12 -
TheHacker 6.3.1.9.254 2009.02.12 -
TrendMicro 8.700.0.1004 2009.02.12 -
VBA32 3.12.8.12 2009.02.11 -
ViRobot 2009.2.12.1603 2009.02.12 -
VirusBuster 4.5.11.0 2009.02.12 -
Additional information
File size: 3520000 bytes
MD5...: 9a273633d1a183ada1c5bdb9f5bc1f1b
SHA1..: d6bd39edeb8c1ffa79b3e4cc04593644c93b2e36
SHA256: 9fc3935c65f1a8297f1958a333f411479c3e3e08e115417ae9f85e9846a6ee94
SHA512: 016a7f236c3233209cc70b5196e2035c6501dcef5979ceec4fcf1d1903af2f43ddc81519029a6bec07caaf700ab3f765c94b3d02ec0dc9c11c7e779489be24a9

ssdeep: 98304:JI7EMr0l/vRdFvqYqO7WwIvdByd6DBmmhjWF5ogCFj:4EjqYqO7WwIvdBy

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3a4c0
timedatestamp.....: 0x49331fd2 (Sun Nov 30 23:20:50 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x32d712 0x32d800 6.43 af297ed722ec9176c135270fc75ad70e
.text1 0x32f000 0xe0 0x200 2.97 6523de81ff8d81934cb99a9b38881fcb
.rdata 0x330000 0xe0cf 0xe200 5.90 5ef2330772098c38b3e2d524dfc96d94
.data 0x33f000 0x13cf8 0x11a00 5.67 9f8adde9f63a4a2d8368c5e8c0ed7e7e
.data1 0x353000 0x688 0x800 2.63 bbffaf9dca62ac2240ff1e2cc261fae9
.trace 0x354000 0x1898 0x1a00 6.05 22241f9666e41630c6b3eaf0272c5291
.rsrc 0x356000 0xb0 0x200 4.12 bf36186b3998810f98d59f4eac0bb8a3
.reloc 0x357000 0xb63c 0xb800 4.82 46d84eea52528db3278621d099b257b0

( 2 imports )
> libiomp5md.dll: -, -, -, -, -, -, -, -, -
> KERNEL32.dll: HeapDestroy, GetThreadLocale, FormatMessageA, ReadFile, GetProcessHeap, SetEndOfFile, RtlUnwind, RaiseException, GetCurrentThreadId, GetCommandLineA, HeapAlloc, GetLastError, HeapReAlloc, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleHandleA, Sleep, ExitProcess, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, CloseHandle, GetConsoleCP, GetConsoleMode, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, LoadLibraryA, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, CreateFileA, SetStdHandle, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

( 3 exports )
setDebugTrace, tlSetupLib, tlSimplifyRGB



ATTENTION
==================================================
adb.bat

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.12 -
AhnLab-V3 5.0.0.2 2009.02.12 -
AntiVir 7.9.0.76 2009.02.12 -
Authentium 5.1.0.4 2009.02.12 -
Avast 4.8.1335.0 2009.02.12 -
AVG 8.0.0.229 2009.02.12 -
BitDefender 7.2 2009.02.12 -
CAT-QuickHeal 10.00 2009.02.11 -
ClamAV 0.94.1 2009.02.12 -
Comodo 975 2009.02.12 -
DrWeb 4.44.0.09170 2009.02.12 -
eSafe 7.0.17.0 2009.02.12 -
eTrust-Vet 31.6.6353 2009.02.12 -
F-Prot 4.4.4.56 2009.02.11 -
F-Secure 8.0.14470.0 2009.02.12 -
Fortinet 3.117.0.0 2009.02.12 -
GData 19 2009.02.12 -
Ikarus T3.1.1.45.0 2009.02.12 -
K7AntiVirus 7.10.628 2009.02.12 -
Kaspersky 7.0.0.125 2009.02.12 -
McAfee 5524 2009.02.12 -
McAfee+Artemis 5524 2009.02.12 -
Microsoft 1.4306 2009.02.12 -
NOD32 3849 2009.02.12 -
Norman 6.00.02 2009.02.12 -
nProtect 2009.1.8.0 2009.02.12 -
Panda 10.0.0.10 2009.02.12 -
PCTools 4.4.2.0 2009.02.12 -
Prevx1 V2 2009.02.12 -
Rising 21.16.32.00 2009.02.12 -
SecureWeb-Gateway 6.7.6 2009.02.12 -
Sophos 4.38.0 2009.02.12 -
Sunbelt 3.2.1851.2 2009.02.12 -
Symantec 10 2009.02.12 -
TheHacker 6.3.1.9.254 2009.02.12 -
TrendMicro 8.700.0.1004 2009.02.12 -
VBA32 3.12.8.12 2009.02.11 -
ViRobot 2009.2.12.1603 2009.02.12 -
VirusBuster 4.5.11.0 2009.02.12 -
Additional information
File size: 8 bytes
MD5...: d632421b7367834b32dbe87ad0993b2c
SHA1..: c327370c766131d274df41f6021192cd00a0b104
SHA256: 7b2ed67587fcbc411fcb4b71b1cef1ef6cd9edf948148414cf5f0ab21362b9aa
SHA512: 77258b426e43a7bd566dfd5b7e3e585fbfc1c86db7ddc428b9eb73529e04bd43c29774b0dafdb0952a76c7476d3739109f636c04ae8d75bf6909efc8f6ea00c8

ssdeep: 3:/lM:y

PEiD..: -
TrID..: File type identification
MS Flight Simulator Aircraft Performance Info (100.0%)
PEInfo: -


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
  #7 (permalink)  
Old 16-02-2009, 01:10 AM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
re: Google hijacked by site 67.29.139.253(RESOLVED)

files are clean, so what is going on now?
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

  #8 (permalink)  
Old 16-02-2009, 10:07 PM
Newbie
D-A-L Newbie
 
Join Date: Mar 2006
Posts: 16
roger_g_d Is a beginner here at D-A-L
re: Google hijacked by site 67.29.139.253(RESOLVED)

Hi Neal,

All seems to be OK since I ran the Combofix software & re-installed Java.

Many thanks for your help..
regards

Roger
  #9 (permalink)  
Old 16-02-2009, 10:20 PM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
re: Google hijacked by site 67.29.139.253(RESOLVED)

Great news,


If you are no longer having any more trouble, here are some preventative measures for you.

Be sure to re-hide hidden files/folders if you were asked to unhide them

Here are some preventive measures you can take to keep your computer from getting infected again. Also keep SpybotS&D updated.

Read This First - IMPORTANT Instructions - D-A-L Computer Help

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.


Explained Here:
Windows XP: McAfee Threat Center

Explained Here
Microsoft ME:
Disabling or enabling Windows Me System Restore



Please download ATF Cleaner by Atribune to desktop.
http://www.atribune.org/public-beta/ATF-Cleaner.exe

Double-click ATF-Cleaner.exe to run the program, to clean junk files off your PC.

If you would like to keep your cookies don't check that item

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

http://www.microsoft.com/windows/ie/default.asp


2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including Avira, Avast and PCTools.
AVIRA: http://www.free-av.com/

AVAST: FREE antivirus software with spyware protection: avast! Home Edition

PCTOOLS: PC Tools AntiVirus - Free Anti Virus Download and Removal


3. In addition to using SpyBot S&D consider using another free malware scanning/removal program:
Windows Defender: http://www.microsoft.com/athome/secu...e/default.mspx



4. Consider using a free firewall if you are not already using one. Some good free ones are:
Kerio: Personal Firewall by Sunbelt Software - Full Version & FREE Firewall - Kerio


Comodo:Free Firewall Antivirus Software Download by Comodo



5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
Mozilla Firefox: www.mozilla.org/products/firefox/


6. Consider increasing your browser security by using Spyware Blaster:
SpywareBlaster will increase browser protection by blocking thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

SpywareBlaster | Prevent spyware and malware. Free download.


If you use SpywareBlaster, you can also use a custom blocklist to add even more entries into IE's restricted sites zone. Go to this site for the current list and how-to-use instructions: SpywareBlaster Custom Blocking List


IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm


Block access to Untrustworthy Sites

You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.



*Remember, just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's free.
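A small audit script for the hosts file Neal mentions, added here as an example and not part of the thread or of the MVPS project: it separates MVPS-style blocking entries (hostnames pointed at 0.0.0.0 or 127.0.0.1) from entries that point well-known names at a real address, which is what a search redirect of the kind reported in this thread looks like when it lives in the hosts file. The watch list, the sample hosts content and the redirect line in it are constructed for the example (the address is the one the thread reports, used only as sample data); on XP the live file is C:\WINDOWS\system32\drivers\etc\hosts.

```python
import ipaddress
from typing import Dict, List, Tuple

# Blackhole addresses an MVPS-style blocking hosts file legitimately uses.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Hypothetical watch list of names that should never appear in a hosts file.
WATCH = {"google.com", "www.google.com", "windowsupdate.microsoft.com",
         "www.microsoft.com", "www.free-av.com"}

# Constructed sample input (not a real hosts file); the address on the
# redirect line is the one reported in this thread, used only as sample data.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example                 # typical blocking entry
0.0.0.0         www.popupserver.example     # another blocking entry
67.29.139.253   www.google.com google.com   # watched names sent elsewhere
10.0.0.5        intranet.example            # local override, worth a look
not a valid hosts line
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, dropping comments and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: not a hosts entry
        pairs.extend((ip, host.lower()) for host in fields[1:])
    return pairs

def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Sort entries into hijack (watched name mapped anywhere), blocking
    (blackhole address) and other (any remaining non-blackhole mapping)."""
    report = {"hijack": [], "blocking": [], "other": []}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one mapping every hosts file is expected to have
        if host in WATCH:
            report["hijack"].append((ip, host))
        elif ip in BLACKHOLE:
            report["blocking"].append((ip, host))
        else:
            report["other"].append((ip, host))
    return report
```

Run `audit_hosts(open(path).read())` against the live file; a watched name in the hijack list, whatever address it points to, is what to investigate.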