Google Links Redirect Me to a Different Website

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Google Links Redirect Me to a Different Website I can't get rid of it.

#1 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 13 February 2009 - 02:31 PM

Hey everyone. Lately I started noticing that when I use search engines (usually Google), the links I click usually redirect me to different websites 2-3 times before they finally allow me to get to the desired site. I've run spyware programs, and nothing seems to help. Could someone take a look at my HJT logfile and see if they can help me? Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:42 AM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nikko\My Documents\test123123\Taskbar Magic.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206462971859
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.schwab.com/svordp/,DanaInfo=...b.com+msrdp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - https://remote.schwab.com/dana-cached/setup...perSetupSP1.cab
O20 - AppInit_DLLs: ajgire.dll
O20 - Winlogon Notify: rqRHyyAR - rqRHyyAR.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

--
End of file - 5292 bytes

#2 Blade81

Bleepin' Rocker

Group: Malware Response Team
Posts: 6,259
Joined: 16-October 06
Gender:Male
Location:Finland

Posted 20 February 2009 - 04:07 PM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh hjt log, please.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#3 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 22 February 2009 - 06:32 PM

No problem. :thumbup2:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:57 PM, on 2/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Nikko\My Documents\test123123\Taskbar Magic.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206462971859
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.schwab.com/svordp/,DanaInfo=...b.com+msrdp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - https://remote.schwab.com/dana-cached/setup...perSetupSP1.cab
O20 - AppInit_DLLs: ajgire.dll
O20 - Winlogon Notify: rqRHyyAR - rqRHyyAR.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

--
End of file - 5678 bytes

#4 Blade81

Bleepin' Rocker

Group: Malware Response Team
Posts: 6,259
Joined: 16-October 06
Gender:Male
Location:Finland

Posted 23 February 2009 - 03:40 AM

Ok, then we start :thumbup2:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image

#5 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 23 February 2009 - 07:38 PM

Thanks for the help, Blade81.

Here are the logs you asked for.

ComboFix 09-02-21.01 - Nikko 2009-02-23 16:28:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2601 [GMT -8:00]
Running from: c:\documents and settings\Nikko\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\x13
c:\windows\system32\x13\VE2PIX5.exe
c:\windows\system32\Z55
c:\windows\system32\Z55\rTE4106D.exe
c:\windows\Tasks\bpoaxneq.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-19 17:12 . 2009-02-19 17:12 168 --a------ c:\windows\system32\msexcr.ini
2009-02-17 16:45 . 2009-02-17 16:45 <DIR> d-------- c:\program files\My Company Name
2009-02-17 16:45 . 2009-02-17 16:45 <DIR> d-------- c:\program files\Common Files\LogiShrd
2009-02-16 16:28 . 2009-02-16 16:59 <DIR> d-------- c:\program files\MapleStory V62
2009-02-13 21:38 . 2009-02-13 21:38 <DIR> d-------- c:\program files\TeamViewer
2009-02-13 11:26 . 2009-02-13 11:26 <DIR> d-------- c:\program files\Trend Micro
2009-02-12 20:16 . 2009-02-12 21:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-12 20:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-12 20:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-10 15:55 . 2009-02-20 21:12 <DIR> d-------- C:\.xplorez2_file_store_32
2009-02-10 15:52 . 2009-02-10 15:52 <DIR> d-------- C:\.janescapev8_file_store_32
2009-02-10 09:54 . 2009-02-12 20:22 <DIR> d-------- c:\windows\system32\Adobe
2009-02-09 12:54 . 2009-02-09 12:54 61,440 --a------ c:\windows\system32\drivers\ygvdd.sys
2009-02-09 12:43 . 2009-02-09 12:43 212,859 --a------ c:\temp\iUA326V.exe
2009-02-09 12:35 . 2009-02-09 12:35 <DIR> d-------- c:\documents and settings\Nikko\Application Data\Malwarebytes
2009-02-09 12:35 . 2009-02-09 12:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-09 12:34 . 2009-02-12 21:24 1,104 --a------ c:\windows\cuoapvvh
2009-02-05 20:39 . 2009-02-05 20:39 <DIR> d-------- c:\program files\iPod
2009-02-05 20:39 . 2009-02-05 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-05 20:38 . 2009-02-05 20:38 <DIR> d-------- c:\program files\QuickTime
2009-02-05 20:37 . 2009-02-05 20:37 <DIR> d-------- c:\program files\Apple Software Update
2009-02-05 18:34 . 2009-02-05 18:34 0 --a------ c:\windows\OpPrintServer.INI
2009-02-05 18:29 . 2009-02-05 18:38 <DIR> d-------- c:\program files\Canon
2009-01-31 14:33 . 2009-01-31 14:33 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-31 14:33 . 2009-01-31 14:33 <DIR> d-------- c:\program files\GabbaSoft
2009-01-25 13:29 . 2009-01-19 11:01 <DIR> d-------- c:\windows\.file_store_32
2009-01-24 15:27 . 2009-01-24 15:27 <DIR> d-------- c:\program files\Adobe Media Player
2009-01-24 15:25 . 2009-01-24 15:25 <DIR> d-------- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 00:30 --------- d-----w c:\program files\Steam
2009-02-24 00:29 399,464 ----a-w c:\windows\system32\drivers\sthdae.log
2009-02-21 19:21 --------- d-----w c:\documents and settings\Nikko\Application Data\FrostWire
2009-02-17 00:28 --------- d-----w c:\program files\MapleStoryV.59
2009-02-16 21:46 --------- d-----w c:\program files\HyCam2
2009-02-14 04:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-14 04:02 --------- d-----w c:\documents and settings\Nikko\Application Data\Publish Providers
2009-02-13 17:56 --------- d-----w c:\program files\FrostWire
2009-02-13 16:56 --------- d-----w c:\program files\Image-Line
2009-02-13 16:56 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-06 04:39 --------- d-----w c:\program files\iTunes
2009-02-06 04:39 --------- d-----w c:\program files\Common Files\Apple
2009-02-06 04:38 --------- d-----w c:\program files\Bonjour
2009-02-06 04:38 --------- d-----w c:\documents and settings\Nikko\Application Data\Apple Computer
2009-02-06 02:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-25 21:32 31 ----a-w c:\documents and settings\Nikko\jagex_runescape_preferences.dat
2009-01-24 23:28 --------- d-----w c:\program files\Common Files\Adobe
2009-01-24 18:24 --------- d-----w c:\documents and settings\Nikko\Application Data\Download Manager
2009-01-06 03:07 --------- d-----w c:\program files\Activision
2009-01-04 05:22 --------- d-----w c:\documents and settings\Nikko\Application Data\Ulead Systems
2009-01-04 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-01-04 02:00 --------- d-----w c:\program files\Common Files\Ulead Systems
2009-01-04 00:28 --------- d-----w c:\program files\Windows Media Components
2009-01-04 00:27 --------- d-----w c:\program files\Ulead Systems
2008-12-29 23:16 --------- d-----w c:\documents and settings\Nikko\Application Data\Arcsoft
2008-12-29 23:15 --------- d-----w c:\program files\ArcSoft
2008-12-29 22:13 --------- d-----w c:\documents and settings\Nikko\Application Data\tmp
2008-12-29 22:13 --------- d-----w c:\documents and settings\Nikko\Application Data\Reallusion
2008-12-28 23:24 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-28 23:24 22,328 ----a-w c:\documents and settings\Nikko\Application Data\PnkBstrK.sys
2008-12-28 23:11 --------- d-----w c:\program files\id Software
2008-12-27 23:45 --------- d-----w c:\program files\VstPlugins
2008-12-27 23:45 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-12-27 23:26 --------- d-----w c:\program files\RocketDock
2008-12-25 02:52 --------- d-----w c:\documents and settings\Nikko\Application Data\Hamachi
2008-12-25 00:18 --------- d-----w c:\program files\Outsim
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"Steam"="c:\program files\Steam\Steam.exe" [2009-01-30 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-04-05 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-03-09 252704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ajgire.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2007-07-03 12:57 1228800 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
--------- 2007-07-27 15:43 118784 c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2006-07-26 02:40 102400 c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-05-16 15:50 162328 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-05-16 15:50 137752 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
--a------ 2007-05-09 17:01 36864 c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-05-16 15:50 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-05-10 09:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-01-30 20:56 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-26 09:51 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-10-26 13:14 1024000 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
--------- 2006-08-09 05:27 36864 c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XAudioService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"StkASSrv"=2 (0x2)
"STacSV"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\x_retard_x\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-03-25 105984]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2007-06-07 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-03-05 7424]
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-rqRHyyAR - rqRHyyAR.dll
MSConfigStartUp-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe
MSConfigStartUp-ShStatEXE - c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Nikko\Application Data\Mozilla\Firefox\Profiles\2d0bzquc.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\Nikko\Application Data\Mozilla\Firefox\Profiles\2d0bzquc.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 16:30:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-23 16:35:14 - machine was rebooted [Nikko]
ComboFix-quarantined-files.txt 2009-02-24 00:35:11

Pre-Run: 124,919,291,904 bytes free
Post-Run: 130,818,768,896 bytes free

241 --- E O F --- 2009-01-14 11:02:28

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:54 PM, on 2/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Nikko\My Documents\test123123\Taskbar Magic.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206462971859
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.schwab.com/svordp/,DanaInfo=...b.com+msrdp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - https://remote.schwab.com/dana-cached/setup...perSetupSP1.cab
O20 - AppInit_DLLs: ajgire.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 5393 bytes

#6 Blade81

Bleepin' Rocker

Group: Malware Response Team
Posts: 6,259
Joined: 16-October 06
Gender:Male
Location:Finland

Posted 24 February 2009 - 03:32 AM

Hi again

I recommend removing P2P programs like Frostwire from your system. Major parts of infection spreads nowadays in P2P networks.

Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader!

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\msexcr.ini
c:\windows\system32\drivers\ygvdd.sys
c:\temp\iUA326V.exe
c:\windows\cuoapvvh

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image

#7 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 24 February 2009 - 09:36 PM

After I ran ComboFix and my computer rebooted, neither the CMD prompt nor a log came up.
Am I supposed to do it again? Because it already said it deleted some files.

Here is the HJT log and Kaspersky report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:35, on 2009-02-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Nikko\My Documents\test123123\Taskbar Magic.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206462971859
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.schwab.com/svordp/,DanaInfo=...b.com+msrdp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - https://remote.schwab.com/dana-cached/setup...perSetupSP1.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 5448 bytes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 24, 2009 15:19:48
Records in database: 1839260
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 164598
Threat name: 5
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:36:16

File name / Threat name / Threats count
C:\Documents and Settings\Nikko\My Documents\FrostWire\Incomplete\T-3545427-lupe killer - high quality.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Qoobox\Quarantine\C\Temp\iUA326V.exe.vir Infected: Trojan-Downloader.Win32.Agent.bfjx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Z55\rTE4106D.exe.vir Infected: Trojan-Downloader.Win32.Agent.bfjx 1
C:\System Volume Information\_restore{D2406541-0E85-4688-ABAD-6E2E57A3AB96}\RP166\A0356128.dll Infected: Trojan.Win32.Monder.aysm 1
C:\System Volume Information\_restore{D2406541-0E85-4688-ABAD-6E2E57A3AB96}\RP170\A0364152.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jju 1
C:\System Volume Information\_restore{D2406541-0E85-4688-ABAD-6E2E57A3AB96}\RP170\A0364153.dll Infected: Trojan.Win32.Monder.azws 1
C:\System Volume Information\_restore{D2406541-0E85-4688-ABAD-6E2E57A3AB96}\RP170\A0364156.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jju 1
C:\System Volume Information\_restore{D2406541-0E85-4688-ABAD-6E2E57A3AB96}\RP179\A0384021.exe Infected: Trojan-Downloader.Win32.Agent.bfjx 1

The selected area was scanned.

#8 Blade81

Bleepin' Rocker

Group: Malware Response Team
Posts: 6,259
Joined: 16-October 06
Gender:Male
Location:Finland

Posted 25 February 2009 - 10:25 AM

Hi

Please see if you can find ComboFix.txt file in either root of your c: drive (c:\) or in c:\combofix folder.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image

#9 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 25 February 2009 - 10:36 AM

This is the one I found in my ComboFix folder.

ComboFix 09-02-21.01 - Nikko 2009-02-24 7:19:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2572 [GMT -8:00]
Running from: C:\Documents and Settings\Nikko\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nikko\My Documents\CFScript.txt
* Created a new restore point

FILE ::
c:\temp\iUA326V.exe
c:\windows\cuoapvvh
c:\windows\system32\drivers\ygvdd.sys
c:\windows\system32\msexcr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\iUA326V.exe
c:\windows\cuoapvvh
c:\windows\system32\drivers\ygvdd.sys
c:\windows\system32\msexcr.ini

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-24 07:06 . 2009-02-24 07:06 <DIR> d-------- C:\WINDOWS\LastGood
2009-02-23 16:37 . 2008-12-20 15:15 6,066,688 --a------ C:\WINDOWS\system32\SET19.tmp
2009-02-23 16:37 . 2008-12-20 15:15 1,160,192 --a------ C:\WINDOWS\system32\SETA.tmp
2009-02-23 16:37 . 2008-12-20 15:15 826,368 --a------ C:\WINDOWS\system32\SET8.tmp
2009-02-23 16:37 . 2008-12-20 15:15 459,264 --a------ C:\WINDOWS\system32\SET13.tmp
2009-02-23 16:37 . 2008-12-20 15:15 383,488 --a------ C:\WINDOWS\system32\SET1B.tmp
2009-02-23 16:37 . 2008-12-20 15:15 267,776 --a------ C:\WINDOWS\system32\SET17.tmp
2009-02-23 16:37 . 2008-12-20 15:15 233,472 --a------ C:\WINDOWS\system32\SET9.tmp
2009-02-23 16:37 . 2008-12-20 15:15 105,984 --a------ C:\WINDOWS\system32\SETB.tmp
2009-02-23 16:37 . 2008-12-20 15:15 63,488 --a------ C:\WINDOWS\system32\SET20.tmp
2009-02-23 16:37 . 2008-12-20 15:15 52,224 --a------ C:\WINDOWS\system32\SET12.tmp
2009-02-17 16:45 . 2009-02-17 16:45 <DIR> d-------- C:\Program Files\My Company Name
2009-02-17 16:45 . 2009-02-17 16:45 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2009-02-16 16:28 . 2009-02-16 16:59 <DIR> d-------- C:\Program Files\MapleStory V62
2009-02-13 21:38 . 2009-02-13 21:38 <DIR> d-------- C:\Program Files\TeamViewer
2009-02-13 11:26 . 2009-02-13 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2009-02-12 20:16 . 2009-02-12 21:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-12 20:16 . 2009-02-11 10:19 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-02-12 20:16 . 2009-02-11 10:19 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-02-10 15:55 . 2009-02-20 21:12 <DIR> d-------- C:\.xplorez2_file_store_32
2009-02-10 15:52 . 2009-02-10 15:52 <DIR> d-------- C:\.janescapev8_file_store_32
2009-02-10 09:54 . 2009-02-12 20:22 <DIR> d-------- C:\WINDOWS\system32\Adobe
2009-02-09 12:35 . 2009-02-09 12:35 <DIR> d-------- C:\Documents and Settings\Nikko\Application Data\Malwarebytes
2009-02-09 12:35 . 2009-02-09 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-05 20:39 . 2009-02-05 20:39 <DIR> d-------- C:\Program Files\iPod
2009-02-05 20:39 . 2009-02-05 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-05 20:38 . 2009-02-05 20:38 <DIR> d-------- C:\Program Files\QuickTime
2009-02-05 20:37 . 2009-02-05 20:37 <DIR> d-------- C:\Program Files\Apple Software Update
2009-02-05 18:34 . 2009-02-05 18:34 0 --a------ C:\WINDOWS\OpPrintServer.INI
2009-02-05 18:29 . 2009-02-05 18:38 <DIR> d-------- C:\Program Files\Canon
2009-01-31 14:33 . 2009-01-31 14:33 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2009-01-31 14:33 . 2009-01-31 14:33 <DIR> d-------- C:\Program Files\GabbaSoft
2009-01-25 13:29 . 2009-01-19 11:01 <DIR> d-------- C:\WINDOWS\.file_store_32
2009-01-24 15:27 . 2009-01-24 15:27 <DIR> d-------- C:\Program Files\Adobe Media Player
2009-01-24 15:25 . 2009-01-24 15:25 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 15:08 --------- d-----w C:\Program Files\Common Files\Adobe
2009-02-24 15:04 400,424 ----a-w C:\WINDOWS\system32\drivers\sthdae.log
2009-02-24 15:04 --------- d-----w C:\Program Files\Steam
2009-02-21 19:21 --------- d-----w C:\Documents and Settings\Nikko\Application Data\FrostWire
2009-02-17 00:28 --------- d-----w C:\Program Files\MapleStoryV.59
2009-02-16 21:46 --------- d-----w C:\Program Files\HyCam2
2009-02-14 04:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-14 04:02 --------- d-----w C:\Documents and Settings\Nikko\Application Data\Publish Providers
2009-02-13 16:56 --------- d-----w C:\Program Files\Image-Line
2009-02-13 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-02-06 04:39 --------- d-----w C:\Program Files\iTunes
2009-02-06 04:39 --------- d-----w C:\Program Files\Common Files\Apple
2009-02-06 04:38 --------- d-----w C:\Program Files\Bonjour
2009-02-06 04:38 --------- d-----w C:\Documents and Settings\Nikko\Application Data\Apple Computer
2009-02-06 02:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-01-25 21:32 31 ----a-w C:\Documents and Settings\Nikko\jagex_runescape_preferences.dat
2009-01-24 18:24 --------- d-----w C:\Documents and Settings\Nikko\Application Data\Download Manager
2009-01-17 05:35 3,594,752 ----a-w C:\WINDOWS\system32\SET11.tmp
2009-01-06 03:07 --------- d-----w C:\Program Files\Activision
2009-01-04 05:22 --------- d-----w C:\Documents and Settings\Nikko\Application Data\Ulead Systems
2009-01-04 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2009-01-04 02:00 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2009-01-04 00:28 --------- d-----w C:\Program Files\Windows Media Components
2009-01-04 00:27 --------- d-----w C:\Program Files\Ulead Systems
2008-12-29 23:16 --------- d-----w C:\Documents and Settings\Nikko\Application Data\Arcsoft
2008-12-29 23:15 --------- d-----w C:\Program Files\ArcSoft
2008-12-29 22:13 --------- d-----w C:\Documents and Settings\Nikko\Application Data\tmp
2008-12-29 22:13 --------- d-----w C:\Documents and Settings\Nikko\Application Data\Reallusion
2008-12-28 23:24 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-12-28 23:24 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-12-28 23:24 22,328 ----a-w C:\Documents and Settings\Nikko\Application Data\PnkBstrK.sys
2008-12-28 23:24 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-12-28 23:11 --------- d-----w C:\Program Files\id Software
2008-12-27 23:45 --------- d-----w C:\Program Files\VstPlugins
2008-12-27 23:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-12-27 23:26 --------- d-----w C:\Program Files\RocketDock
2008-12-25 02:52 --------- d-----w C:\Documents and Settings\Nikko\Application Data\Hamachi
2008-12-25 00:18 --------- d-----w C:\Program Files\Outsim
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_16.34.31.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w C:\WINDOWS\ie7updates\KB961260-IE7\wininet.dll
+ 2007-12-12 23:06:42 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-10-16 20:38:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2009-01-17 05:35:14 3,594,752 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-10-16 20:38:39 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-10-16 20:38:34 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-10-16 13:11:09 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2008-10-16 20:38:35 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2008-10-16 20:38:37 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2008-10-16 13:11:09 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2009-01-10 01:35:28 20,853,704 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-10-16 20:38:38 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w C:\WINDOWS\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 07:21 50472]
"Steam"="C:\Program Files\Steam\Steam.exe" [2009-01-30 20:56 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 07:58 611712]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 14:16 111936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-01-05 16:18 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-01-06 13:06 290088]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-04-05 10:46 488984]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-03-09 13:59 252704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2007-07-03 12:57 1228800 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
--------- 2007-07-27 15:43 118784 C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2006-07-26 02:40 102400 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-05-16 15:50 162328 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-05-16 15:50 137752 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
--a------ 2007-05-09 17:01 36864 C:\WINDOWS\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-05-16 15:50 137752 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-05-10 09:22 405504 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-01-30 20:56 1410296 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-26 09:51 136600 C:\Program Files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-10-26 13:14 1024000 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
--------- 2006-08-09 05:27 36864 C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XAudioService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"StkASSrv"=2 (0x2)
"STacSV"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Safari\\Safari.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"C:\\Program Files\\Steam\\steamapps\\x_retard_x\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;C:\WINDOWS\system32\drivers\IntcHdmi.sys [2008-03-25 09:50:14 105984]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;C:\WINDOWS\system32\drivers\OEM02Afx.sys [2007-06-07 17:00:02 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\drivers\OEM02Dev.sys [2007-10-10 17:03:00 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\drivers\OEM02Vfx.sys [2007-03-05 10:45:04 7424]
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - C:\Documents and Settings\Nikko\Application Data\Mozilla\Firefox\Profiles\2d0bzquc.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: C:\Documents and Settings\Nikko\Application Data\Mozilla\Firefox\Profiles\2d0bzquc.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

#10 Blade81

Bleepin' Rocker

Group: Malware Response Team
Posts: 6,259
Joined: 16-October 06
Gender:Male
Location:Finland

Posted 26 February 2009 - 02:00 AM

Hi

Delete C:\Documents and Settings\Nikko\My Documents\FrostWire\Incomplete\T-3545427-lupe killer - high quality.mp3 file and post a fresh hjt log. How's the system running?

This post has been edited by Blade81: 26 February 2009 - 02:00 AM

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image

#11 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 26 February 2009 - 10:03 AM

Hi Blade. My system is running fine but I'm still being redirected when I click on Google links..

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:02, on 2009-02-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Nikko\My Documents\test123123\Taskbar Magic.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206462971859
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.schwab.com/svordp/,DanaInfo=...b.com+msrdp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - https://remote.schwab.com/dana-cached/setup...perSetupSP1.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 5478 bytes

#12 Blade81

Bleepin' Rocker

Group: Malware Response Team
Posts: 6,259
Joined: 16-October 06
Gender:Male
Location:Finland

Posted 26 February 2009 - 01:24 PM

Hi

Does the redirecting occur only with Firefox or with it and IE both?

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Upload following file to http://www.virustotal.com and post back the results:
c:\documents and settings\Nikko\Application Data\Mozilla\Firefox\Profiles\2d0bzquc.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

Download GMER and save it your desktop:

Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image

#13 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 26 February 2009 - 07:26 PM

I only use Firefox and Safari. I don't use IE.

Here are the virustotal.com results:

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.02.27 -
AntiVir 7.9.0.93 2009.02.26 -
Authentium 5.1.0.4 2009.02.27 -
Avast 4.8.1335.0 2009.02.26 -
AVG 8.0.0.237 2009.02.26 -
BitDefender 7.2 2009.02.27 -
CAT-QuickHeal 10.00 2009.02.26 -
ClamAV 0.94.1 2009.02.26 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.27 -
eSafe 7.0.17.0 2009.02.26 -
eTrust-Vet 31.6.6375 2009.02.26 -
F-Prot 4.4.4.56 2009.02.26 -
F-Secure 8.0.14470.0 2009.02.27 -
Fortinet 3.117.0.0 2009.02.26 -
GData 19 2009.02.27 -
Ikarus T3.1.1.45.0 2009.02.26 -
K7AntiVirus 7.10.648 2009.02.26 -
Kaspersky 7.0.0.125 2009.02.27 -
McAfee 5537 2009.02.26 -
McAfee+Artemis 5537 2009.02.26 -
Microsoft 1.4306 2009.02.26 -
NOD32 3893 2009.02.26 -
Norman 6.00.06 2009.02.26 -
nProtect 2009.1.8.0 2009.02.26 -
Panda 10.0.0.10 2009.02.26 -
PCTools 4.4.2.0 2009.02.26 -
Prevx1 V2 2009.02.27 -
Rising 21.18.32.00 2009.02.26 -
SecureWeb-Gateway 6.0.0 2009.02.26 -
Sophos 4.39.0 2009.02.26 -
Sunbelt 3.2.1858.2 2009.02.26 -
Symantec 10 2009.02.27 -
TheHacker 6.3.2.5.266 2009.02.26 -
TrendMicro 8.700.0.1004 2009.02.26 -
VBA32 3.12.10.1 2009.02.26 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2009.2.26.1625 2009.02.26 -
VirusBuster 4.5.11.0 2009.02.26 -

GMER Scan:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-26 16:44:23
Windows 5.1.2600 Service Pack 2

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!RegQueryValueExA] [0101E03A] c:\program files\aim6\services\imApp\ver6_8_12_4\imAppService.dll (imAppService EE Application Service/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\Iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\Iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[2120] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2580] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\wOrder@ProviderOrder AdobeDriveCS4_NP,RDPNP,LanmanWorkstation,WebClient
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.14 ----

This post has been edited by .seRGe: 26 February 2009 - 07:44 PM

#14 Blade81

Bleepin' Rocker

Group: Malware Response Team
Posts: 6,259
Joined: 16-October 06
Gender:Male
Location:Finland

Posted 27 February 2009 - 06:56 AM

Hi

Do you connect through a router? If you do, please reset its settings to factory defaults (there should be reset button/hole there). Then change router password to stronger one from default.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image

#15 .seRGe

Member

Group: Members
Posts: 22
Joined: 13-February 09

Posted 27 February 2009 - 10:10 AM

Yes I connect through a router, but I'm not sure I can restore do defaults because there's specific settings on there.

I'm able to change the password though through the computer the modem is connected to.

This post has been edited by .seRGe: 27 February 2009 - 10:11 AM