Searchengine hijack(google search link opening unrelated websites)
21-05-2011, 08:10
(This post was last edited on 21-05-2011 at 08:36 by hvashishtha.)
Post: #1
I read your blog at http://miekiemoes.blogspot.com/2008/10/f...ngine.html and came to this website. I am facing the problem where my search engine is hijacked. When I search for something in Google and click on the links provided, instead of opening the website listed in the search result it opens a totally different website (most of the time some junk website). As per your blog I searched for sysaudio.sys and wdmaud.sys, and below is the location of these two files.
sysaudio.sys  C:\WINDOWS\system32\drivers
wdmaud.sys    C:\WINDOWS\system32\drivers

I have tried Malwarebytes and Spybot - Search & Destroy, and none of them fixed this problem. I have tried TDSSKiller also and that did not find any threat; below is the content of the TDSSKiller log file.

2011/05/21 01:21:24.0093 4376 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/21 01:21:24.0656 4376 ================================================================================
2011/05/21 01:21:24.0656 4376 SystemInfo:
2011/05/21 01:21:24.0656 4376
2011/05/21 01:21:24.0656 4376 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/21 01:21:24.0656 4376 Product type: Workstation
2011/05/21 01:21:24.0656 4376 ComputerName: CSCUSAAE657934
2011/05/21 01:21:24.0656 4376 UserName: hvashishtha
2011/05/21 01:21:24.0656 4376 Windows directory: C:\WINDOWS
2011/05/21 01:21:24.0656 4376 System windows directory: C:\WINDOWS
2011/05/21 01:21:24.0656 4376 Processor architecture: Intel x86
2011/05/21 01:21:24.0656 4376 Number of processors: 2
2011/05/21 01:21:24.0656 4376 Page size: 0x1000
2011/05/21 01:21:24.0656 4376 Boot type: Normal boot
2011/05/21 01:21:24.0656 4376 ================================================================================
2011/05/21 01:21:24.0937 4376 Initialize success
2011/05/21 01:22:21.0906 8100 ================================================================================
2011/05/21 01:22:21.0906 8100 Scan started
2011/05/21 01:22:21.0906 8100 Mode: Manual;
2011/05/21 01:22:21.0906 8100 ================================================================================
2011/05/21 01:22:24.0984 8100 ================================================================================
2011/05/21 01:22:24.0984 8100 Scan finished
2011/05/21 01:22:24.0984 8100 ================================================================================
2011/05/21 01:22:40.0968 7180 ================================================================================
2011/05/21 01:22:40.0968 7180 Scan started
2011/05/21 01:22:40.0968 7180 Mode: Manual;
2011/05/21 01:22:40.0968 7180 ================================================================================
2011/05/21 01:22:43.0953 7180 ================================================================================
2011/05/21 01:22:43.0953 7180 Scan finished
2011/05/21 01:22:43.0953 7180 ================================================================================
2011/05/21 01:22:58.0375 7660 Deinitialize success

I am providing the result of the HijackThis scan below. Please help me, you are my last hope.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:01:37 AM, on 5/21/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\program files\cscmarimba\tuner\Tuner.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\1E\NightWatchman50\NwmSvc.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtcmd.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
c:\sysmgt\sdprimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Documents and Settings\hvashishtha\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\1E\NightWatchman50\NWMCLI.EXE
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.59\data\sum.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\cscmarimba\tuner\lib\minituner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bastion2.us.dnb.com:8080
O1 - Hosts: 172.27.1.31 pdioracleapp.powerdesigninc.us PDIORACLEAPP
O1 - Hosts: 172.27.1.32 pdioracledb.powerdesigninc.us PDIORACLEDB
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SupportSoft_AMER_CSCi] "C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtcmd.exe" /P SupportSoft_AMER_CSCi
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Swazabejuy] rundll32.exe "C:\WINDOWS\sp71032.dll",Startup
O4 - HKCU\..\Run: [Advanced SystemCare 4] "C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\hvashishtha\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with XmlPad - res://C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll/101
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
O15 - Trusted Zone: http://hp205.us.dnb.com
O15 - Trusted Zone: http://dcvworappdev.powerdesigninc.us
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://remote.surgery-partners.com/XTSAC.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://amer-ml35.amer.csc.com/dwa8W.cab
O16 - DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} (VMware Remote Console Plug-in 2.5.0.00000) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) - http://hp205.us.dnb.com:8030/OA_HTML/oaj2se.exe
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://10.1.9.80:8080/vminet_images/vmi660ie.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T27L/...eatgpc.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://www.mybizportal.net/dana-cached/...Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.globalcsc.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: cscmarimba - BMC Software, Inc. - C:\program files\cscmarimba\tuner\Tuner.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\CSC VPN Client\Extranet_serv.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\IBM\Lotus\Notes\ntmulti.exe
O23 - Service: NightWatchman50 - 1E - C:\Program Files\1E\NightWatchman50\NwmSvc.exe
O23 - Service: OracleForm_Report_6iClientCache80 - Unknown owner - C:\oracle\Form_Report_6i\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SD Primer Agent (SDPrimer) - Computer Associates - c:\sysmgt\sdprimer.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (supportsoft_amer_csci) (sprtsvc_supportsoft_amer_csci) - SupportSoft, Inc. - C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (supportsoft_amer_csci) (tgsrvc_supportsoft_amer_csci) - SupportSoft, Inc. - C:\Program Files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VMware Host Agent (VMwareHostd) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-hostd.exe
O23 - Service: VMware Server Web Access (VMwareServerWebAccess) - Apache Software Foundation - C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
O23 - Service: VMware VSS Writer (vmwriter) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmVssWriter.exe

--
End of file - 19634 bytes

Below is the result of Norman TDSS Cleaner:

Norman TDSS Cleaner
Version 2.0.2
Copyright © 1990 - 2010, Norman ASA. Built 2010/11/12 05:32:24

Scan started: 2011/05/21 01:37:29
Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: CSCUSAAE657934\hvashishtha

Scanning kernel...
Scan complete
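A helper reads a HijackThis log like the one above by hand, looking first at the handful of entry types that can actually send a browser somewhere other than the link that was clicked: an explicit proxy (R1 ProxyServer), hosts-file overrides (O1), auto-start entries (O4), Winsock LSPs (O10) and TCP/IP name-server settings (O17). As an added example that is not part of this thread and is not code from HijackThis, Malwarebytes or any other tool mentioned here, the Python below parses HJT-style lines and flags those categories with a few plain heuristics. The sample lines are a constructed subset copied from the posted log; the output is a list of things to look at, not a malware verdict, and the `EXPECTED_DIRS` whitelist is an assumption about where legitimate auto-start binaries live on an XP machine.

```python
"""Triage a HijackThis-style log for entries that can cause search-result
redirects.  Added example, not code from the thread; heuristics only."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bastion2.us.dnb.com:8080
O1 - Hosts: 172.27.1.31 pdioracleapp.powerdesigninc.us PDIORACLEAPP
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKCU\..\Run: [Swazabejuy] rundll32.exe "C:\WINDOWS\sp71032.dll",Startup
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"^HK\S*\\\.\.\\Run: \[([^\]]+)\] (.*)$")
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.I)
# Assumption: directories an auto-start DLL/EXE on an XP box is expected to live in.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a log into (section, body) pairs, e.g. ('O4', 'HKCU\\..\\Run: ...')."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def first_path(command: str) -> str:
    """First absolute Windows path in a Run command, lower-cased ('' if none)."""
    m = PATH_RE.search(command)
    return (m.group(1) or m.group(2)).lower() if m else ""


def triage(text: str) -> List[Dict[str, str]]:
    """Return the entries worth a second look, each with a severity and a reason."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, section: str, reason: str, entry: str) -> None:
        findings.append({"severity": severity, "section": section,
                         "reason": reason, "entry": entry})

    for section, body in parse_hjt(text):
        if section == "R1" and "ProxyServer" in body:
            add("review", section, "explicit proxy: every browser request is routed "
                "through it, confirm it is the organisation's proxy", body)
        elif section == "O1":
            add("review", section, "hosts-file override: can pin search or AV "
                "domains to an arbitrary address", body)
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Startup-folder entries and others are not handled here
            _name, command = m.groups()
            path = first_path(command)
            if "rundll32" in command.lower() and not path.startswith(EXPECTED_DIRS):
                add("high", section, f"rundll32 loads {path or 'an unqualified file'} "
                    "from outside the usual program directories", body)
            elif not path:
                add("info", section, "bare file name, resolved through PATH at logon", body)
        elif section == "O10":
            add("review", section, "Winsock LSP: sees every socket the browser opens", body)
        elif section == "O17" and "NameServer" in body:
            add("high", section, "DNS server override: can resolve search domains "
                "to an attacker's host", body)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:<3} {f['reason']}\n         {f['entry']}")
```

On the sample this yields two "review" items (the proxy and the hosts entry), one "info" item (TpShocks.exe with no path), one "high" item (the rundll32 entry loading a DLL directly from C:\WINDOWS) and a final "review" for the LSP; the O17 Domain lines are not flagged because only a NameServer override changes resolution. On a managed corporate laptop such as this one (McAfee HIPS, Pointsec, a Cisco VPN client) the proxy and the hosts entries will usually turn out to be expected, which is why they are marked for review rather than scored as hijacks.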
21-05-2011, 21:18
(This post was last edited on 21-05-2011 at 21:18 by miekiemoes.)
Post: #2
RE: Searchengine hijack(google search link opening unrelated websites)
Hi,
You're not dealing with the "sysaudio" variant, as that variant has been dead for ages.

I see you are running TeaTimer. I suggest you disable it, because it can interfere with the changes you'll make on your system. When everything is done and your log is clean again, you can enable it again. If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop. Then run ResetTeaTimer.exe. This will only take a few seconds.

Then please scan with Malwarebytes again, but make sure you use the latest version. Let it remove everything it finds. Then post the log from Malwarebytes in your next post.

Also, after running Malwarebytes, please download DDS and save it to your desktop.
Copy and paste the contents of DDS.txt only in your next reply.

Microsoft MVP - Consumer Security | Director of Research @ Malwarebytes
Antispyware Scanners --- Antivirus Scanners --- Firewalls --- Online Scanners --- Prevention --- Help! My computer is slow! --- My Blog --- Follow me on Twitter.
23-05-2011, 02:59
Post: #3
RE: Searchengine hijack(google search link opening unrelated websites)
Thanks for your quick reply (I was not expecting anything soon as it was the weekend). Please find below the Malwarebytes log file text.
Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Database version: 6641

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/22/2011 3:05:24 PM
mbam-log-2011-05-22 (15-05-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 439209
Time elapsed: 1 hour(s), 47 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Please find below the text of DDS.txt:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_24
Run by hvashishtha at 19:22:35 on 2011-05-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.1953 [GMT -5:00]
.
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\program files\cscmarimba\tuner\Tuner.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\1E\NightWatchman50\NwmSvc.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\sysmgt\sdprimer.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\1E\NightWatchman50\NWMCLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Documents and Settings\hvashishtha\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.59\data\sum.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\program files\cscmarimba\tuner\lib\jre\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\hvashishtha\My Documents\Downloads\dds.scr
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = bastion2.us.dnb.com:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Swazabejuy] rundll32.exe "c:\windows\sp71032.dll",Startup
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SupportSoft_AMER_CSCi] "c:\program files\supportsoft_amer_csci\bin\sprtcmd.exe" /P SupportSoft_AMER_CSCi
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hvashi~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\hvashishtha\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{1ce60928-8325-49a8-8b06-633e48dd2b67}\Icon3E5562ED7.ico
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with XmlPad - c:\program files\wmhelp software\wmhelp xmlpad\WmhASPP.dll/101
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware server\vsocklib.dll
Trusted Zone: cscusaae657934
Trusted Zone: dnb.com\hp205.us
Trusted Zone: powerdesigninc.us\dcvworappdev
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://remote.surgery-partners.com/XTSAC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://amer-ml35.amer.csc.com/dwa8W.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://hp205.us.dnb.com:8030/OA_HTML/oaj2se.exe
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} - hxxp://10.1.9.80:8080/vminet_images/vmi660ie.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://www.mybizportal.net/dana-cached/sc/JuniperSetupClient.cab
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~1\RNetPin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - c:\program files\wmhelp software\wmhelp xmlpad\WmhASPP.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {6D41A1F6-0687-4EFF-A47A-0BA7C5D7A5AE} - msiexec /fpu {6D41A1F6-0687-4EFF-A47A-0BA7C5D7A5AE} /quiet
mASetup: {8C6E96B4-89FE-4C23-A1FF-0E46960ED40C} - msiexec /fu {8C6E96B4-89FE-4C23-A1FF-0E46960ED40C} /q
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4
mASetup: {F88A5DAF-F376-4C6F-898A-FF57E45A340E} - msiexec.exe /fu {F88A5DAF-F376-4C6F-898A-FF57E45A340E} /quiet
mASetup: ADBFIX - c:\program files\patches\stub\ADB_Stub.EXE
Hosts: 127.0.0.1 http://www.spywareinfo.com
Hosts:
10.205.10.85 devoracleapp.stratixcorp.com devoracleapp Hosts: 10.205.10.84 devoracledb.stratixcorp.com devoracledb Hosts: 10.44.1.29 lcgdbvm01.luciditycg.com lcgdbvm01 Hosts: 10.44.22.11 stctestas01.luciditycg.com stctestas01 . Note: multiple HOSTS entries found. Please refer to Attach.txt . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\hvashishtha\application data\mozilla\firefox\profiles\s33z3seg.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: network.proxy.ftp - bastion2.us.dnb.com FF - prefs.js: network.proxy.ftp_port - 8080 FF - prefs.js: network.proxy.http - bastion2.us.dnb.com FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.socks - bastion2.us.dnb.com FF - prefs.js: network.proxy.socks_port - 8080 FF - prefs.js: network.proxy.ssl - bastion2.us.dnb.com FF - prefs.js: network.proxy.ssl_port - 8080 FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. 
mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-10-22 344712] R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2008-6-19 222016] R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-5-5 13496] R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496] R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-4-26 352656] R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-26 1676536] R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2007-4-25 36960] R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304] R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2010-6-15 1498224] R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2010-10-26 35696] R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-8-25 22816] R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-10-15 120128] R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-8-25 147984] R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-8-25 66880] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-26 69192] R2 NightWatchman50;NightWatchman50;c:\program files\1e\nightwatchman50\NwmSvc.exe [2009-5-27 1000728] R2 NwmSleepless;NwmSleepless;c:\windows\system32\drivers\NwmSleepless.sys [2010-3-25 42488] R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2008-6-19 612928] R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2008-6-19 145984] R2 SDPrimer;SD Primer Agent;c:\sysmgt\sdprimer.exe [2009-10-22 139264] R2 
sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-10-23 1213728] R2 sprtsvc_supportsoft_amer_csci;SupportSoft Sprocket Service (supportsoft_amer_csci);c:\program files\supportsoft_amer_csci\bin\sprtsvc.exe [2008-10-23 202016] R2 tgsrvc_supportsoft_amer_csci;SupportSoft Repair Service (supportsoft_amer_csci);c:\program files\supportsoft_amer_csci\bin\tgsrvc.exe [2008-10-23 148768] R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-1-27 2058776] R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-12 54960] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-10-22 482176] R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-10-22 243856] R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2010-1-27 26137] R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2010-10-26 44680] R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2010-10-26 107960] R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2010-10-26 38680] R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2010-10-26 35552] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-22 91896] S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?] 
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-8 136176] S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-26 106496] S3 ExtranetAccess;Contivity VPN Service;c:\program files\csc vpn client\Extranet_serv.exe [2010-1-27 835584] S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-10-26 118784] S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2010-10-26 44680] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-8 136176] S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2010-1-27 155152] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-22 43192] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-26 66536] S3 OracleForm_Report_6iClientCache80;OracleForm_Report_6iClientCache80;c:\oracle\form_report_6i\bin\ONRSD80.EXE [2011-2-23 101136] S3 VMwareHostd;VMware Host Agent;c:\program files\vmware\vmware server\vmware-hostd.exe [2008-10-12 322096] S3 VMwareServerWebAccess;VMware Server Web Access;c:\program files\vmware\vmware server\tomcat\bin\tomcat6.exe [2008-10-12 57344] S3 vmwriter;VMware VSS Writer;c:\program files\vmware\vmware server\vmVssWriter.exe [2008-10-12 29744] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952] UnknownUnknown dsload;dsload; [x] . =============== File Associations =============== . vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %* vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %* jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %* . =============== Created Last 30 ================ . 
2011-05-22 14:21:43 40328 ----a-w- c:\windows\system32\HIPIS0e011b5.dll 2011-05-22 04:31:48 -------- d-----w- c:\documents and settings\hvashishtha\application data\com.Shutterfly.ExpressUploader 2011-05-22 04:31:36 -------- d-----w- c:\program files\Shutterfly 2011-05-20 17:00:24 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{5dee5459-a330-470d-b730-35084f27aebd}\mpengine.dll 2011-05-10 19:16:27 388096 ----a-r- c:\documents and settings\hvashishtha\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe 2011-05-10 19:16:27 -------- d-----w- c:\program files\Trend Micro 2011-05-05 15:52:16 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe 2011-05-05 15:52:16 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys 2011-05-05 00:17:00 -------- d-s---w- C:\ComboFix 2011-05-04 21:32:50 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-05-04 21:32:50 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy 2011-05-04 17:30:47 -------- dc-h--w- c:\windows\ie8 2011-04-28 22:02:49 173362 ----a-w- C:\Run_Intelliboot.exe 2011-04-28 22:02:24 -------- d-----w- c:\windows\system32\GroupPolicy_Backup-2011428-17224 2011-04-27 03:07:11 -------- d-----w- c:\program files\Ingram Media Manager 2011-04-25 19:45:23 -------- d-----w- c:\documents and settings\hvashishtha\application data\TrueCrypt 2011-04-25 19:44:48 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys 2011-04-25 19:44:45 -------- d-----w- c:\program files\TrueCrypt 2011-04-25 16:39:40 -------- d-----w- c:\documents and settings\hvashishtha\application data\AVG10 2011-04-25 16:35:36 -------- d--h--w- c:\documents and settings\all users\application data\Common Files 2011-04-25 16:35:04 -------- d-----w- c:\program files\AVG 2011-04-25 16:35:04 -------- d-----w- c:\documents and settings\all users\application data\AVG10 2011-04-25 16:27:49 
-------- d-----w- c:\documents and settings\all users\application data\MFAData . ==================== Find3M ==================== . 2011-05-09 03:36:08 136512 ----a-w- c:\windows\system32\KevlarSigs.dll 2011-05-04 13:26:49 0 ----a-w- c:\windows\Mlikeciqusoletun.bin 2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr 2011-03-27 20:02:20 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-03-27 20:02:19 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-03-04 23:00:47 348160 ----a-w- c:\windows\system32\msvcr71.dll 2010-07-13 21:11:53 226656 ------w- c:\program files\cnsload_1279055513875.tmp 2010-05-17 18:46:19 226656 ------w- c:\program files\cnsload_1274121979468.tmp . ============= FINISH: 19:28:34.23 =============== (21-05-2011 21:18)miekiemoes schreef: Hi, |
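The DDS listing above is the kind of autostart inventory a helper reads by eye for entries that do not belong. The Python below is an added example, not part of the original post and not code from DDS or from the forum, that applies a few of the first-pass heuristics a practitioner would use on such a listing: a Run entry that uses rundll32 to load a DLL sitting directly in the Windows directory root (as the [Swazabejuy] entry in the log does), a toolbar or BHO CLSID marked "No File", a hosts entry that maps a security-related site to 127.0.0.1 or 0.0.0.0, and a service/driver line whose file DDS could not resolve ([x] or [?]). The sample input copies four lines from the log above and adds two benign ones for contrast; the hosts sample drops the "http://" that the forum appears to have auto-inserted into the posted line (an assumption), the Windows directory path and the watch-list of security domains are constructed here. A flag is a prompt to look closer, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed input: a few lines in DDS listing format. The first four are
# copied from the DDS log posted above; the last two are benign entries
# included for contrast.
SAMPLE_LINES = [
    'uRun: [Swazabejuy] rundll32.exe "c:\\windows\\sp71032.dll",Startup',
    'TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File',
    'Hosts: 127.0.0.1 www.spywareinfo.com',
    'UnknownUnknown dsload;dsload; [x]',
    'uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe',
    'Hosts: 10.205.10.85 devoracleapp.stratixcorp.com devoracleapp',
]

WINDIR = 'c:\\windows'  # assumption: default Windows XP layout, as in the log
# Constructed watch-list: vendor and help-forum domains that hijackers
# commonly blackhole through the hosts file. Extend to taste.
SECURITY_DOMAINS = ('spywareinfo.com', 'bleepingcomputer.com', 'malwarebytes.org',
                    'microsoft.com', 'mcafee.com', 'symantec.com', 'kaspersky.com')

RUN_RE = re.compile(r'^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
ADDON_RE = re.compile(r'^(?:BHO|TB):.*-\s*No File\s*$')
HOSTS_RE = re.compile(r'^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)')
SVC_RE = re.compile(r'^(?:[RS]\d|UnknownUnknown)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$')


def is_windir_root_dll(path: str) -> bool:
    """True when path names a DLL directly under c:\\windows, not in a subfolder.

    Legitimate rundll32 autostarts normally reference system32 or a vendor
    directory; a bare DLL dropped in the Windows root is worth a look.
    """
    p = path.strip().strip('"').lower()
    parent, _, leaf = p.rpartition('\\')
    return parent == WINDIR and leaf.endswith('.dll')


def is_security_domain(host: str) -> bool:
    """Exact or sub-domain match against the watch-list (no substring matches)."""
    h = host.lower().rstrip('.')
    return any(h == d or h.endswith('.' + d) for d in SECURITY_DOMAINS)


def triage_line(line: str) -> List[str]:
    """Return the reasons a DDS line deserves a closer look; empty means nothing flagged."""
    reasons: List[str] = []
    m = RUN_RE.match(line)
    if m:
        d = RUNDLL_RE.search(m.group('cmd'))
        if d and is_windir_root_dll(d.group('dll')):
            reasons.append('rundll32 autostart loads a DLL from the Windows directory root')
    if ADDON_RE.match(line):
        reasons.append('browser add-on CLSID is registered but its file is gone (No File)')
    m = HOSTS_RE.match(line)
    if m and m.group('ip') in ('127.0.0.1', '0.0.0.0') and is_security_domain(m.group('host')):
        reasons.append('hosts entry blackholes a security-related site')
    m = SVC_RE.match(line)
    if m:
        rest = m.group('rest').strip()
        if rest.endswith('[x]') or rest.endswith('[?]'):
            reasons.append('service/driver entry whose file DDS could not resolve')
    return reasons


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole listing and keep only the flagged lines."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LINES):
        print(line)
        for r in reasons:
            print('    ->', r)
```

Feed it the "Pseudo HJT Report" part of a DDS.txt one line at a time; the four flagged sample lines come out, the ctfmon.exe and internal-host hosts entries do not. The DLL-location check deliberately ignores the name (random-looking names like sp71032.dll are common but not required), so a vendor DLL in the Windows root would also be flagged for a human to clear.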
23-05-2011, 06:56
Post: #4
RE: Searchengine hijack(google search link opening unrelated websites)
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix...e-combofix Post the log from ComboFix in your next reply. Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes
Antispyware Scanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
23-05-2011, 15:59
Post: #5
Hi,
Thanks again for your quick reply. Looks like I need full admin rights to use ComboFix. Though it looks like I have some admin rights, as I can install programs and do many other activities. I am not able to disable McAfee as I am not allowed to do so (not having full admin rights). Even when I continued without disabling McAfee, ComboFix could not install "Microsoft Windows Recovery Console". For some reason I cannot contact my company and ask for any help (be it malware removal or admin account access). Not sure if I should proceed further or not with ComboFix. I can totally understand that you may not be able to help me here in these conditions and I truly appreciate your time and help so far. Please let me know whether, even with these restrictions, I have any chance of getting this problem fixed.
Regards
Hitesh

(23-05-2011 06:56) miekiemoes wrote: Hi,
23-05-2011, 16:08
Post: #6
RE: Searchengine hijack(google search link opening unrelated websites)
Hi,
Please try to run Combofix from Windows safe mode.
23-05-2011, 16:46
Post: #7
RE: Searchengine hijack(google search link opening unrelated websites)
Below is the log.txt content after the ComboFix run:
ComboFix 11-05-22.01 - hvashishtha 05/23/2011 9:24.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2568 [GMT -5:00]
Running from: c:\documents and settings\hvashishtha\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *Disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\hvashishtha\g2mdlhlpx.exe
c:\documents and settings\hvashishtha\Local Settings\Application Data\{0335E764-1E18-4C7F-83FA-CB2AE13CD4E7}
c:\documents and settings\hvashishtha\Local Settings\Application Data\{0335E764-1E18-4C7F-83FA-CB2AE13CD4E7}\chrome.manifest
c:\documents and settings\hvashishtha\Local Settings\Application Data\{0335E764-1E18-4C7F-83FA-CB2AE13CD4E7}\chrome\content\_cfg.js
c:\documents and settings\hvashishtha\Local Settings\Application Data\{0335E764-1E18-4C7F-83FA-CB2AE13CD4E7}\chrome\content\overlay.xul
c:\documents and settings\hvashishtha\Local Settings\Application Data\{0335E764-1E18-4C7F-83FA-CB2AE13CD4E7}\install.rdf
c:\documents and settings\hvashishtha\WINDOWS
c:\program files\cnsload_1274121979468.tmp
c:\program files\cnsload_1279055513875.tmp
c:\sysmgt\sdprimer.exe
c:\windows\system32\instsrv.exe
c:\windows\system32\Thumbs.db
.
----- File Replicators -----
.
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.10\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.11\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.12\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.13\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.14\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.15\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.16\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.17\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.18\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.2\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.20\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.21\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.23\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.24\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.25\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.26\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.27\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.28\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.29\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.3\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.30\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.31\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.32\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.34\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.35\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.36\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.37\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.38\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.39\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.4\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.40\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.41\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.42\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.44\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.45\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.46\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.47\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.48\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.49\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.50\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.51\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.52\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.53\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.55\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.58\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.6\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.60\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.61\data\RenameLk.exe
c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.9\data\RenameLk.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SDPRIMER
-------\Service_SDPrimer
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 14:33 . 2010-01-26 21:56 40328 ----a-w- c:\windows\system32\HIPIS0e011b5.dll
2011-05-22 04:31 . 2011-05-22 04:31 -------- d-----w- c:\documents and settings\hvashishtha\Application Data\com.Shutterfly.ExpressUploader
2011-05-22 04:31 . 2011-05-22 04:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-05-22 04:31 . 2011-05-22 04:31 -------- d-----w- c:\program files\Shutterfly
2011-05-20 17:00 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{5DEE5459-A330-470D-B730-35084F27AEBD}\mpengine.dll
2011-05-10 19:16 . 2011-05-10 19:16 388096 ----a-r- c:\documents and settings\hvashishtha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-10 19:16 . 2011-05-10 19:16 -------- d-----w- c:\program files\Trend Micro
2011-05-05 15:52 . 2011-02-23 22:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-05-05 15:52 . 2011-02-23 21:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-05-04 21:32 . 2011-05-22 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-05-04 21:32 . 2011-05-04 21:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-04 17:30 . 2011-05-04 17:32 -------- dc-h--w- c:\windows\ie8
2011-05-04 17:25 . 2011-05-04 17:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-04-28 22:02 . 2011-03-30 20:16 173362 ----a-w- C:\Run_Intelliboot.exe
2011-04-28 22:02 . 2011-04-28 22:02 -------- d-----w- c:\windows\system32\GroupPolicy_Backup-2011428-17224
2011-04-27 03:07 . 2011-04-27 03:07 -------- d-----w- c:\program files\Ingram Media Manager
2011-04-26 17:10 . 2011-04-26 17:10 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-25 19:45 . 2011-04-25 19:46 -------- d-----w- c:\documents and settings\hvashishtha\Application Data\TrueCrypt
2011-04-25 19:44 . 2011-04-25 19:44 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2011-04-25 19:44 . 2011-04-25 19:44 -------- d-----w- c:\program files\TrueCrypt
2011-04-25 16:39 . 2011-04-25 16:39 -------- d-----w- c:\documents and settings\hvashishtha\Application Data\AVG10
2011-04-25 16:35 . 2011-04-25 16:35 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-04-25 16:35 . 2011-05-04 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-04-25 16:35 . 2011-04-25 16:35 -------- d-----w- c:\program files\AVG
2011-04-25 16:27 . 2011-05-04 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-09 03:36 . 2010-10-26 16:17 136512 ----a-w- c:\windows\system32\KevlarSigs.dll
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-11 07:04 . 2011-03-01 17:31 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-27 20:02 . 2011-03-27 20:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-27 20:02 . 2010-05-11 21:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-04 23:00 . 2006-07-11 23:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-30 02:56 . 2010-06-30 02:56 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-06-30 02:57 . 2010-06-30 02:57 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-06-30 03:02 . 2010-06-30 03:03 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-06-30 03:03 . 2010-06-30 03:03 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-04-14 16:26 . 2011-05-05 13:28 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-08-26 02:07 . 2010-10-26 16:02 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\hvashishtha\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\hvashishtha\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\hvashishtha\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\hvashishtha\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-04-21 402832]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"TpShocks"="TpShocks.exe" [2008-06-06 181536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2008-06-19 666176]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 141848]
"SupportSoft_AMER_CSCi"="c:\program files\SupportSoft_AMER_CSCi\bin\sprtcmd.exe" [2008-10-23 202016]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-26 124224]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2010-06-15 979104]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2010-10-15 140608]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-05 273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\hvashishtha\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\hvashishtha\Application Data\Dropbox\bin\Dropbox.exe [2011-3-30 23360040]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2011-3-2 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-26 23:41 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0150439]
IME file REG_SZ hiwebd.ime
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200439]
Ime File REG_SZ GOOGLEINPUT_HI.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Evernote Clipper.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk
backup=c:\windows\pss\Evernote Clipper.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^hvashishtha^Start Menu^Programs^Startup^Locate32 Autorun.lnk]
path=c:\documents and settings\hvashishtha\Start Menu\Programs\Startup\Locate32 Autorun.lnk
backup=c:\windows\pss\Locate32 Autorun.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-12 00:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-02 03:45 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 01:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-hostd.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\hvashishtha\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [6/19/2008 3:54 PM 222016]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [5/5/2011 10:52 AM 13496]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 4:21 PM 19496]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [4/26/2011 1:24 PM 352656]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [10/26/2008 6:33 PM 1676536]
R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [4/25/2007 1:25 PM 36960]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [10/26/2008 6:38 PM 98304]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [6/15/2010 10:50 AM 1498224]
R2 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [10/26/2010 11:15 AM 35696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/25/2010 9:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/26/2010 11:02 AM 69192]
R2 NightWatchman50;NightWatchman50;c:\program files\1E\NightWatchman50\NwmSvc.exe [5/27/2009 3:31 PM 1000728]
R2 NwmSleepless;NwmSleepless;c:\windows\system32\drivers\NwmSleepless.sys [3/25/2010 9:46 AM 42488]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [6/19/2008 3:55 PM 612928]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [6/19/2008 3:55 PM 145984]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [10/23/2008 6:36 AM 1213728]
R2 sprtsvc_supportsoft_amer_csci;SupportSoft Sprocket Service (supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe [10/23/2008 6:36 AM 202016]
R2 tgsrvc_supportsoft_amer_csci;SupportSoft Repair Service 
(supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe [10/23/2008 6:36 AM 148768] R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [1/27/2010 5:20 AM 2058776] R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/12/2008 2:24 PM 54960] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592] R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [10/22/2009 4:53 AM 482176] R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/22/2009 12:07 PM 243856] R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [1/27/2010 6:27 AM 26137] R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [10/26/2010 11:15 AM 44680] R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [10/26/2010 11:15 AM 107960] R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [10/26/2010 11:15 AM 38680] R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [10/26/2010 11:15 AM 35552] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2010 12:55 AM 136176] S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [10/26/2008 6:38 PM 106496] S3 ExtranetAccess;Contivity VPN Service;c:\program files\CSC VPN Client\Extranet_serv.exe [1/27/2010 6:26 AM 835584] S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [10/26/2008 6:41 PM 118784] S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [10/26/2010 11:15 AM 44680] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2010 12:55 AM 136176] S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [1/27/2010 6:27 AM 155152] S3 mferkdet;McAfee Inc. 
mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/26/2010 11:02 AM 66536] S3 OracleForm_Report_6iClientCache80;OracleForm_Report_6iClientCache80;c:\oracle\Form_Report_6i\BIN\ONRSD80.EXE [2/23/2011 10:32 AM 101136] S3 VMwareHostd;VMware Host Agent;c:\program files\VMware\VMware Server\vmware-hostd.exe [10/12/2008 2:24 PM 322096] S3 VMwareServerWebAccess;VMware Server Web Access;c:\program files\VMware\VMware Server\tomcat\bin\tomcat6.exe [10/12/2008 2:27 PM 57344] S3 vmwriter;VMware VSS Writer;c:\program files\VMware\VMware Server\vmVssWriter.exe [10/12/2008 2:24 PM 29744] UnknownUnknown dsload;dsload; [x] . --- Other Services/Drivers In Memory --- . *Deregistered* - dsgrab_01caf5f1f8216bc6 . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ADBFIX] 2010-04-23 22:25 121300 ----a-w- c:\program files\Patches\Stub\ADB_Stub.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}] 2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F88A5DAF-F376-4C6F-898A-FF57E45A340E}] 2008-04-14 04:42 78848 ----a-w- c:\windows\system32\msiexec.exe . Contents of the 'Scheduled Tasks' folder . 2011-05-23 c:\windows\Tasks\ASC4_PerformanceMonitor.job - c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-04-26 21:54] . 2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 05:55] . 2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 05:55] . 2011-05-23 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20] . 2011-05-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1089317445-1860156405-1949850565-1005.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25] . 
2011-05-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1089317445-1860156405-1949850565-1005.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25] . 2011-05-23 c:\windows\Tasks\SmartDefrag_Startup.job - c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-05-05 22:29] . 2011-05-23 c:\windows\Tasks\User_Feed_Synchronization-{4C0602A8-9E3D-4A08-9E3C-FC3E24E5190E}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = <local>;*.local uInternet Settings,ProxyServer = bastion2.us.dnb.com:8080 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204 IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Open with XmlPad - c:\program files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll/101 IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204 LSP: c:\program files\VMware\VMware Server\vsocklib.dll Trusted Zone: cscusaae657934 Trusted Zone: dnb.com\hp205.us Trusted Zone: powerdesigninc.us\dcvworappdev Handler: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - c:\program files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} - hxxp://10.1.9.80:8080/vminet_images/vmi660ie.cab FF - ProfilePath - c:\documents and settings\hvashishtha\Application Data\Mozilla\Firefox\Profiles\s33z3seg.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: network.proxy.ftp - bastion2.us.dnb.com FF - prefs.js: 
network.proxy.ftp_port - 8080 FF - prefs.js: network.proxy.http - bastion2.us.dnb.com FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.socks - bastion2.us.dnb.com FF - prefs.js: network.proxy.socks_port - 8080 FF - prefs.js: network.proxy.ssl - bastion2.us.dnb.com FF - prefs.js: network.proxy.ssl_port - 8080 FF - prefs.js: network.proxy.type - 0 . . ------- File Associations ------- . vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %* vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %* jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %* . - - - - ORPHANS REMOVED - - - - . WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) HKCU-Run-Swazabejuy - c:\windows\sp71032.dll MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe MSConfigStartUp-GoToMeeting - c:\program files\Citrix\GoToMeeting\457\g2mstart.exe HKLM_ActiveSetup-{6D41A1F6-0687-4EFF-A47A-0BA7C5D7A5AE} - msiexec HKLM_ActiveSetup-{8C6E96B4-89FE-4C23-A1FF-0E46960ED40C} - msiexec . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-23 09:36 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\windows\system32\PerfStringBackup.TMP 543002 bytes . scan completed successfully hidden files: 1 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101" . 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(856) c:\windows\system32\pssogina.dll c:\windows\system32\atginahook.dll c:\program files\Lenovo Fingerprint Software\ATCSSINT.DLL c:\program files\Lenovo Fingerprint Software\SharedResources.dll c:\program files\Lenovo Fingerprint Software\FPResource.dll c:\windows\system32\FpWinLogonNp.dll c:\program files\Lenovo\HOTKEY\tphklock.dll c:\windows\system32\AFSSClientLib.dll c:\windows\system32\PssoCM32.dll c:\windows\system32\HcApi.dll c:\windows\system32\KevlarSigs.dll . - - - - - - - > 'lsass.exe'(916) c:\windows\system32\HcApi.dll c:\windows\system32\KevlarSigs.dll . 
- - - - - - - > 'explorer.exe'(4820) c:\documents and settings\hvashishtha\Application Data\Dropbox\bin\DropboxExt.14.dll c:\windows\system32\HcApi.dll c:\windows\system32\KevlarSigs.dll c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll c:\windows\system32\ieframe.dll c:\windows\system32\OneX.DLL c:\windows\system32\eappprxy.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\program files\WinSCP\DragExt.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . - - - - - - - > 'csrss.exe'(832) c:\windows\system32\HcApi.dll c:\windows\system32\KevlarSigs.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ibmpmsvc.exe c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe c:\program files\Intel\WiFi\bin\S24EvMon.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Intel\WiFi\bin\EvtEng.exe c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Intel\AMT\LMS.exe c:\program files\McAfee\Common Framework\FrameworkService.exe c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe c:\ibm\Lotus\Notes\ntmulti.exe c:\program files\McAfee\Common Framework\naPrdMgr.exe c:\oracle\ora92\bin\omtsreco.exe c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe c:\windows\System32\TPHDEXLG.exe c:\program files\McAfee\VirusScan Enterprise\mcshield.exe c:\program files\McAfee\VirusScan Enterprise\mfeann.exe c:\program files\1E\NightWatchman50\NWMCLI.EXE c:\windows\system32\TpShocks.exe c:\program 
files\Synaptics\SynTP\SynTPLpr.exe c:\windows\system32\igfxsrvc.exe c:\program files\Lenovo\HOTKEY\TPONSCR.exe c:\program files\Lenovo\Zoom\TpScrex.exe c:\program files\McAfee\Common Framework\McTray.exe c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.59\data\sum.exe c:\program files\cscmarimba\tuner\lib\jre\bin\java.exe . ************************************************************************** . Completion time: 2011-05-23 09:45:17 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-23 14:45 . Pre-Run: 21,516,189,696 bytes free Post-Run: 18,305,007,616 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe . - - End Of File - - 7FC9CD8F75762BE82C822E3B957730B1

23-05-2011, 17:17
Post: #8
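As an added example, not part of the thread and not something ComboFix itself does: a small Python triage pass over ComboFix-style service/driver lines and the "orphans removed" lines. The sample lines are copied from the log posted above; the heuristics (image file missing, service state unreadable, long hex blobs in a name, a per-user Run entry loading a DLL that sits directly in the Windows directory) are my own choice of things worth a second look. A hit means "inspect this entry", not "this is malware".

```python
import re
from dataclasses import dataclass, field
from typing import List

# ComboFix service/driver line: "<state><start> name;display;path [date time size]".
# state R = running, S = stopped, followed by the start type digit; the log above
# prints "UnknownUnknown" when neither could be read and "[x]" when the image
# file is missing.
SERVICE_RE = re.compile(
    r"^(?P<state>R|S|Unknown)(?P<start>\d|Unknown) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)
# Orphan / deregistered lines: "<key> - <target>".
ORPHAN_RE = re.compile(r"^(?P<key>.+?) - (?P<target>.+)$")
# Heuristics (my choice, not ComboFix's): long hex blobs in names, and a per-user
# Run entry loading a DLL that sits directly in the Windows directory.
HEX_BLOB_RE = re.compile(r"[0-9a-f]{16,}", re.IGNORECASE)
WINDIR_ROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [6/19/2008 3:54 PM 222016]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/25/2010 9:07 PM 22816]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/26/2010 11:02 AM 66536]
UnknownUnknown dsload;dsload; [x]
*Deregistered* - dsgrab_01caf5f1f8216bc6
HKCU-Run-Swazabejuy - c:\windows\sp71032.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
"""


@dataclass
class Finding:
    name: str
    source: str                      # "service" or "orphan"
    reasons: List[str] = field(default_factory=list)


def triage_service(m):
    """Reasons to look closer at one parsed service/driver line."""
    reasons = []
    if m["state"] == "Unknown":
        reasons.append("state/start type could not be read")
    if m["meta"] == "x" or not m["path"]:
        reasons.append("image file missing")
    if HEX_BLOB_RE.search(m["name"]):
        reasons.append("machine-generated looking name")
    return reasons


def triage_orphan(key, target):
    """Reasons to look closer at one orphan / deregistered line."""
    reasons = []
    if key == "*Deregistered*":
        reasons.append("driver/service deregistered during cleanup")
    if target == "(no file)":
        reasons.append("autostart points at a file that no longer exists")
    if key.startswith("HKCU-Run-") and WINDIR_ROOT_DLL_RE.match(target):
        reasons.append("per-user Run entry loading a DLL from the Windows root")
    if HEX_BLOB_RE.search(target):
        reasons.append("machine-generated looking name")
    return reasons


def triage(log_text):
    """Return the entries worth a closer look, with the reason for each."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            reasons = triage_service(svc)
            if reasons:
                findings.append(Finding(svc["name"], "service", reasons))
            continue
        orphan = ORPHAN_RE.match(line)
        if orphan:
            key, target = orphan["key"], orphan["target"]
            reasons = triage_orphan(key, target)
            if reasons:
                name = target if key == "*Deregistered*" else key
                findings.append(Finding(name, "orphan", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source:8} {f.name}: {'; '.join(f.reasons)}")
```

Run against the full log text instead of SAMPLE_LOG to get the same report for every service, driver and orphan line; entries that parse cleanly and trip no heuristic (the McAfee, Pointsec and VMware services above, for instance) are simply not listed.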
RE: Searchengine hijack(google search link opening unrelated websites)
Hi,
This looks OK again. Please let me know if the search redirects are gone now. Also, I see there's a policy set related to automatic Windows updates. I assume your company has set this? (since quite a lot of companies disable this).
Microsoft MVP - Consumer Security, Director of Research @ Malwarebytes. Antispyware Scanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

23-05-2011, 17:53
Post: #9
RE: Searchengine hijack(google search link opening unrelated websites)
Thanks for your quick update. I have not tried any of the searches after ComboFix. I will update this post as the day goes by and I use the web search throughout the day.
Regards,
Hitesh

23-05-2011, 21:56
Post: #10
RE: Searchengine hijack(google search link opening unrelated websites)
Ok, let me know.

24-05-2011, 00:10
Post: #11
RE: Searchengine hijack(google search link opening unrelated websites)

24-05-2011, 07:33
Post: #12
RE: Searchengine hijack(google search link opening unrelated websites)
Hi,
It was a hidden Firefox extension that was installed here that caused the redirects. Please read my Prevention page with lots of info and tips on how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here. Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. Happy surfing again!
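The diagnosis above was a hidden Firefox extension. As an added example, not code from the thread or from miekiemoes: a Python walk over a Firefox 3/4-era profile's extensions folder (the ProfilePath is printed in the FF section of the ComboFix log) that reads each install.rdf, whether the add-on is an unpacked folder or a packed .xpi, reports em:id and em:name, and flags three things: the em:hidden flag, which Firefox versions of that era honored to keep an add-on out of the Add-ons Manager list; an entry whose folder or file name does not match its em:id; and a pointer-file install, a plain text file named after an add-on id whose content is the path of an extension kept elsewhere on disk. The profile it audits is built in a temp directory for the demo; every add-on id, name and path in it is made up. Add-ons registered through the Windows registry (HKLM or HKCU\Software\Mozilla\Firefox\Extensions) live outside the profile folder and need a separate check that this walk does not do.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
MANIFEST_URN = "urn:mozilla:install-manifest"


@dataclass
class ExtensionInfo:
    entry: str                 # folder or file name under <profile>/extensions
    ext_id: Optional[str]
    name: Optional[str]
    hidden: bool = False
    flags: List[str] = field(default_factory=list)


def _em(desc, prop):
    """Return em:<prop>, whether written as a child element or as an attribute."""
    child = desc.find(f"{{{EM_NS}}}{prop}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM_NS}}}{prop}")


def find_manifest(xml_bytes):
    """Return the RDF Description node that carries the install manifest."""
    root = ET.fromstring(xml_bytes)
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        about = desc.get("about") or desc.get(f"{{{RDF_NS}}}about")
        if about == MANIFEST_URN:
            return desc
    return None


def read_install_rdf(path):
    """install.rdf bytes from an unpacked folder or a packed .xpi, else None."""
    if os.path.isdir(path):
        manifest = os.path.join(path, "install.rdf")
        return open(manifest, "rb").read() if os.path.isfile(manifest) else None
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as xpi:
            return xpi.read("install.rdf") if "install.rdf" in xpi.namelist() else None
    return None


def audit_profile(profile_dir):
    """List every add-on under <profile>/extensions with the flags it trips."""
    results = []
    ext_root = os.path.join(profile_dir, "extensions")
    for entry in sorted(os.listdir(ext_root)) if os.path.isdir(ext_root) else []:
        full = os.path.join(ext_root, entry)
        is_xpi = entry.lower().endswith(".xpi")
        stem = entry[:-4] if is_xpi else entry
        data = read_install_rdf(full)
        if data is None and os.path.isfile(full) and not is_xpi:
            # Pointer-file install: a text file named after the add-on id whose
            # content is the path of the real extension directory elsewhere on disk.
            with open(full, encoding="utf-8", errors="replace") as fh:
                target = fh.read().strip()
            results.append(ExtensionInfo(entry, entry, None, flags=[f"pointer file -> {target}"]))
            continue
        if data is None:
            continue
        desc = find_manifest(data)
        if desc is None:
            results.append(ExtensionInfo(entry, None, None, flags=["install.rdf has no install-manifest"]))
            continue
        info = ExtensionInfo(entry, _em(desc, "id"), _em(desc, "name"))
        info.hidden = (_em(desc, "hidden") or "false").lower() == "true"
        if info.hidden:
            info.flags.append("em:hidden=true: kept out of the Add-ons Manager list")
        if info.ext_id and info.ext_id != stem:
            info.flags.append(f"entry name does not match em:id {info.ext_id!r}")
        results.append(info)
    return results


INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:name>{name}</em:name>
    <em:version>1.0</em:version>{extra}
  </Description>
</RDF>
"""
HIDDEN_ID = "{1a2b3c4d-0000-4000-8000-000000000001}"   # made-up id for the demo


def build_sample_profile():
    """Constructed demo profile (not from the thread): one ordinary add-on,
    one add-on with em:hidden, one pointer-file install."""
    profile = tempfile.mkdtemp(prefix="ffprofile-")
    ext_root = os.path.join(profile, "extensions")
    for ext_id, name, extra in [
        ("good@example.test", "Good Add-on", ""),
        (HIDDEN_ID, "Search Helper", "\n    <em:hidden>true</em:hidden>"),
    ]:
        os.makedirs(os.path.join(ext_root, ext_id))
        with open(os.path.join(ext_root, ext_id, "install.rdf"), "w") as fh:
            fh.write(INSTALL_RDF.format(id=ext_id, name=name, extra=extra))
    with open(os.path.join(ext_root, "pointer@example.test"), "w") as fh:
        fh.write(r"C:\Program Files\Example\ext")   # made-up path
    return profile
```

Call audit_profile on a real profile path (on this machine that would be the ProfilePath line in the FF section of the log) and print each ExtensionInfo; anything with em:hidden set, a mismatched id, or a pointer file is the first thing to compare against what the Add-ons Manager shows.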