
Browser Hijack? Please View This Log!


28 replies to this topic

#1 buttercup70


Posted 01 October 2008 - 09:23 PM

Hello - I am not sure what type of infection I have. When I do a yahoo, google, msn, etc. search it returns results that are very spammy looking i.e. monstermarketplace.com, find.com, shopzilla.com. I have not been able to do a good search in about a month. I did all the recommended preparation except that I couldn't get bitdefender to work properly. Any help with this log would be appreciated - thanks for all that you are doing for us!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:17 PM, on 10/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Provided by The Village Link
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219961288671
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC36EE5F-7A0F-4606-A7B3-4B02E2B03AB4}: NameServer = 207.251.194.54 207.251.194.55
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9667 bytes
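As an added example (not code from the thread, from HijackThis or from its authors), a small Python triage script that parses the line format of the log above and pulls out the entries a helper reads first when the complaint is redirected searches: browser start/search URLs, BHOs with no backing file, autorun entries given without a full path, and O17 NameServer (DNS) overrides. The sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis (HJT) log lines.

This is an added example, not code from the thread or from Trend Micro. It
parses the "Rn - ..." / "On - ..." line format seen in the log above and
flags the entries a helper reads first when the complaint is redirected
searches: browser start/search URLs, BHOs with no backing file, autorun
entries given without a full path, and O17 NameServer (DNS) overrides.
The sample lines are copied from the HijackThis log posted in this thread.
"""
import re
from typing import Dict, List

# Sample input: lines taken verbatim from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC36EE5F-7A0F-4606-A7B3-4B02E2B03AB4}: NameServer = 207.251.194.54 207.251.194.55
O20 - AppInit_DLLs:
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O17, ...).
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A command that names a drive-letter path, e.g. C:\ or "C:\
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a log into {"code": "O4", "body": "..."} records; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the entries worth a second look, each tagged with a 'kind'."""
    findings: List[Dict[str, object]] = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code in ("R0", "R1"):
            # Start page / search URLs: the first place a redirect shows up.
            key, _, url = body.partition(" = ")
            findings.append({"kind": "browser_setting",
                             "setting": key.rsplit(",", 1)[-1], "url": url})
        elif code == "O2" and body.endswith("(no file)"):
            # A BHO registered in the registry with no DLL on disk: a leftover
            # of a removed add-on or of something that was already cleaned.
            findings.append({"kind": "orphan_bho", "entry": body})
        elif code == "O4":
            m = O4_RE.match(body)
            if m and not DRIVE_PATH_RE.search(m.group("cmd")):
                # A bare file name is resolved via the search path, so the file
                # that actually runs has to be located before judging it.
                findings.append({"kind": "autorun_no_path",
                                 "name": m.group("name"), "cmd": m.group("cmd")})
        elif code == "O17":
            m = re.search(r"NameServer = (?P<servers>.+)$", body)
            if m:
                # Explicit DNS servers: confirm they belong to the user's ISP,
                # since a changed resolver redirects every lookup, searches included.
                findings.append({"kind": "dns_override",
                                 "servers": m.group("servers").split()})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f)
```

The O17 finding only says which resolvers to verify; whether they are the ISP's is something to confirm against the user's connection, not something the log alone can decide.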


#2 steamwiz


Posted 02 October 2008 - 04:28 PM

Hi

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 buttercup70


Posted 03 October 2008 - 03:46 PM

Hi Steam and thanks for your quick reply! Here are the logs you requested:

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 1

10/2/2008 8:48:59 PM
mbam-log-2008-10-02 (20-48-59).txt

Scan type: Quick Scan
Objects scanned: 49439
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 08-10-03.01 - Owner 2008-10-03 16:21:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.143 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.

2008-10-02 18:35 . 2008-10-02 20:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-02 18:35 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-02 18:24 . 2008-10-02 18:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 22:23 . 2008-10-01 22:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-01 21:42 . 2008-10-01 21:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-01 21:42 . 2008-10-01 21:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-10-01 18:18 . 2008-10-01 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-01 16:36 . 2008-10-01 20:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-01 16:36 . 2008-10-01 16:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-30 21:37 . 2008-09-30 21:37 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-30 16:48 . 2008-09-30 16:48 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-29 20:02 . 2008-09-29 20:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-29 20:02 . 2008-09-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-29 16:42 . 2008-09-29 15:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-29 15:43 . 2008-09-29 17:09 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-09-28 20:49 . 2008-09-28 20:49 <DIR> d-------- C:\WINDOWS\Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 19:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-01 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-01 21:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-01 03:09 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-09-21 00:43 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-09-14 00:22 --------- d-----w C:\Program Files\Microsoft Games
2008-09-02 14:56 --------- d-----w C:\Program Files\Palm
2008-08-18 20:27 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-18 20:26 --------- d-----w C:\Program Files\Coupons
2008-08-18 20:26 --------- d-----w C:\Program Files\BackWeb
2008-08-18 20:25 --------- d-----w C:\Program Files\interMute
2008-08-18 20:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-08-18 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 20:24 --------- d-----w C:\Program Files\Quicken
2008-08-18 20:22 --------- d-----w C:\Program Files\Atari
2008-08-18 20:21 --------- d-----w C:\Program Files\FoneSync
2008-08-13 21:37 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-13 21:37 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-13 21:37 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-13 21:37 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-13 21:37 --------- d-----w C:\Program Files\Symantec
2008-08-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2001-07-26 20:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 14:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 19:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 13:54 768 ----a-w C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 81,920 2005-02-16 20:15:20 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 86,960 2006-09-11 09:40:34 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

----a-w 221,184 2005-02-16 20:15:22 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 218,032 2006-09-11 09:40:32 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

----a-w 151,597 2004-01-21 03:22:21 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 16:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 59,040 2006-04-13 17:20:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 116,328 2007-06-05 02:05:44 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 218,240 2004-11-02 21:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 32,768 2004-01-09 09:34:10 C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe
----a-w 32,768 2004-01-08 22:34:10 C:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe

----a-w 49,152 2003-08-21 11:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 32,881 2004-01-21 01:53:45 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 53,248 2001-07-11 15:08:38 C:\Program Files\LexmarkX73\bak\AcBtnMgr_X73.exe

----a-w 53,248 2001-05-17 03:01:14 C:\Program Files\LexmarkX73\bak\ACMonitor_X73.exe

----a-w 28,739 2000-08-08 20:00:00 C:\Program Files\Microsoft Works\bak\WkDetect.exe

----a-w 725,046 2002-07-11 11:10:32 C:\Program Files\Microsoft Works\bak\WksSb.exe

----a-w 135,168 2003-10-29 15:17:30 C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe

----a-w 1,003,520 2006-05-30 01:19:42 C:\Program Files\Real\RealOne Player\bak\realplay.exe

----a-w 100,056 2006-08-25 04:50:55 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 763,392 2001-04-10 19:46:10 C:\Program Files\Toshiba\InstantWrite\bak\IWCTRL.EXE

----a-w 184,784 2003-10-09 21:31:52 C:\Program Files\WildTangent\Apps\bak\GameChannel.exe

----a-w 221,184 2003-11-04 00:50:40 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

----a-w 483,328 2003-08-21 11:15:48 C:\WINDOWS\system32\bak\hphmon05.exe

----a-w 81,920 2002-10-16 23:57:10 C:\WINDOWS\system32\bak\ps2.exe

----a-w 36,864 2001-08-17 13:58:54 C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-08 32768]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-12-05 3022848]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"PDUiP6210DMon"="C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe" [2005-05-06 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 116328]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-06-26 771440]
"PhoneTray"="C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe" [2007-08-15 839680]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"VTTimer"="VTTimer.exe" [N/A]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\WINDOWS\ltmsg.exe]
"nwiz"="nwiz.exe" [2003-12-05 C:\WINDOWS\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-10-01 57344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
"aux"= sysaudio.sys

R1 Asapi;ASAPI;C:\WINDOWS\System32\drivers\Asapi.sys [2000-01-08 10240]
R1 CDRDRV;CDRDRV;C:\WINDOWS\System32\drivers\CDRDRV.sys [2001-04-11 45056]
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys [2000-09-07 9728]
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys [2001-04-11 186368]
R3 PhoneTrayDriver;PhoneTrayDriver;C:\WINDOWS\System32\Drivers\ptdrv.sys [2007-06-18 22272]
S1 vobfat;vobfat;C:\WINDOWS\System32\drivers\vobfat.sys [2000-08-25 7680]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-24 68922]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\38ea8x40.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 16:22:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-10-03 16:25:21
ComboFix-quarantined-files.txt 2008-10-03 20:24:37
ComboFix2.txt 2008-10-03 19:49:43
ComboFix3.txt 2008-10-03 19:26:51

Pre-Run: 130,958,028,800 bytes free
Post-Run: 130,945,101,824 bytes free

168 --- E O F --- 2007-09-03 19:01:20


Any help would be appreciated!

Kim
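As an added example (not code from the thread, from ComboFix or from FindAWF), a Python script that pairs each bak\ copy listed in the AWF section of the log above with the live file of the same name (when one is listed) and reports whether the two differ in size, which is the comparison a helper makes when deciding whether the live file is still the original. The sample lines are copied from the posted log.

```python
"""Pair the entries of ComboFix's AWF section.

This is an added example, not code from the thread, from ComboFix or from
FindAWF. Each AWF line reads "<attrs> <size> <date> <time> <path>", and the
section lists executables that have a copy under a folder named bak,
sometimes with a live file of the same name listed right after it. The script
groups every bak copy with its live counterpart (when one is listed) and
reports whether the two differ in size. Sample lines are taken from the AWF
section of the ComboFix log posted above.
"""
import re
from typing import Dict, List, Optional

# Sample input: three groups copied from the log above (bak-only, different
# sizes, same size).
SAMPLE_AWF = r"""
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 81,920 2005-02-16 20:15:20 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 86,960 2006-09-11 09:40:34 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

----a-w 32,768 2004-01-09 09:34:10 C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe
----a-w 32,768 2004-01-08 22:34:10 C:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe
"""

AWF_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<path>.+)$"
)


def parse_awf(text: str) -> List[Dict[str, object]]:
    """Turn AWF lines into {"size": int, "stamp": "date time", "path": str}."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = AWF_RE.match(line.strip())
        if m:
            rows.append({
                "size": int(m.group("size").replace(",", "")),
                "stamp": f"{m.group('date')} {m.group('time')}",
                "path": m.group("path"),
            })
    return rows


def pair_awf(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Match each bak\\ copy with the live file at the same path minus 'bak\\'."""
    # Windows paths are case-insensitive; the log itself mixes
    # backupnotify.exe and BackupNotify.exe, so key on the lowercased path.
    live = {str(r["path"]).lower(): r for r in rows if "\\bak\\" not in str(r["path"]).lower()}
    pairs: List[Dict[str, object]] = []
    for r in rows:
        low = str(r["path"]).lower()
        if "\\bak\\" not in low:
            continue
        match: Optional[Dict[str, object]] = live.get(low.replace("\\bak\\", "\\"))
        if match is None:
            status = "bak only"           # no live file of that name listed
        elif match["size"] != r["size"]:
            status = "sizes differ"       # live file is not a byte-identical copy
        else:
            status = "same size"          # only the timestamps set them apart
        pairs.append({
            "bak": r["path"], "bak_size": r["size"], "bak_stamp": r["stamp"],
            "live": match["path"] if match else None,
            "live_size": match["size"] if match else None,
            "status": status,
        })
    return pairs


if __name__ == "__main__":
    for p in pair_awf(parse_awf(SAMPLE_AWF)):
        print(p["status"], "|", p["bak"], p["bak_size"], "->", p["live"], p["live_size"])
```

A size match does not prove the live file is the original; it only narrows the list to the pairs that still need a hash or vendor check.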

#4 steamwiz


Posted 03 October 2008 - 04:53 PM

Hi

I see you've run Combofix 3 times ... I'd like you to post the other reports as well please ...

Also run this :-

Please download FindAWF by noahdfear http://noahdfear.geekstogo.com/FindAWF.exe and save it to your desktop:
* Please double-click FindAWF.exe to run it.
* If a security alert shows, allow the program to run.
* When the tool has completed, a report will open in Notepad.
* Please post the results of the awf.txt in your next reply.

steam

#5 buttercup70


Posted 04 October 2008 - 10:18 PM

Hello again Steam -

Here is my most recent combofix log; I don't know how to go back and view previous logs, so I ran an update followed by a new log. Also, here are the awf.txt results. Thanks for your time!

Kim

ComboFix 08-10-04.07 - Owner 2008-10-04 23:04:53.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.93 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-10-04 08:22 . 2008-10-04 08:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-04 08:22 . 2008-10-04 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-02 18:35 . 2008-10-02 20:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-02 18:35 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-02 18:24 . 2008-10-02 18:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 22:23 . 2008-10-01 22:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-01 21:42 . 2008-10-01 21:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-10-01 18:18 . 2008-10-01 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-30 21:37 . 2008-09-30 21:37 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-30 16:48 . 2008-09-30 16:48 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-29 20:02 . 2008-09-29 20:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-29 20:02 . 2008-09-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-29 16:42 . 2008-09-29 15:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-29 15:43 . 2008-09-29 17:09 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-09-28 20:49 . 2008-09-28 20:49 <DIR> d-------- C:\WINDOWS\Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 12:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-01 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-01 21:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-01 03:09 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-09-21 00:43 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-09-14 00:22 --------- d-----w C:\Program Files\Microsoft Games
2008-09-02 14:56 --------- d-----w C:\Program Files\Palm
2008-08-18 20:27 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-18 20:26 --------- d-----w C:\Program Files\Coupons
2008-08-18 20:26 --------- d-----w C:\Program Files\BackWeb
2008-08-18 20:25 --------- d-----w C:\Program Files\interMute
2008-08-18 20:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-08-18 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 20:24 --------- d-----w C:\Program Files\Quicken
2008-08-18 20:22 --------- d-----w C:\Program Files\Atari
2008-08-18 20:21 --------- d-----w C:\Program Files\FoneSync
2008-08-13 21:37 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-13 21:37 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-13 21:37 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-13 21:37 --------- d-----w C:\Program Files\Symantec
2001-07-26 20:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 14:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 19:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 13:54 768 ----a-w C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((( snapshot@2008-10-03_15.24.59.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-03 19:19:58 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-10-05 03:04:40 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 81,920 2005-02-16 20:15:20 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 86,960 2006-09-11 09:40:34 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

----a-w 221,184 2005-02-16 20:15:22 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 218,032 2006-09-11 09:40:32 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

----a-w 151,597 2004-01-21 03:22:21 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 16:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 59,040 2006-04-13 17:20:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 116,328 2007-06-05 02:05:44 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 218,240 2004-11-02 21:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 32,768 2004-01-09 09:34:10 C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe
----a-w 32,768 2004-01-08 22:34:10 C:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe

----a-w 49,152 2003-08-21 11:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 32,881 2004-01-21 01:53:45 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 53,248 2001-07-11 15:08:38 C:\Program Files\LexmarkX73\bak\AcBtnMgr_X73.exe

----a-w 53,248 2001-05-17 03:01:14 C:\Program Files\LexmarkX73\bak\ACMonitor_X73.exe

----a-w 28,739 2000-08-08 20:00:00 C:\Program Files\Microsoft Works\bak\WkDetect.exe

----a-w 725,046 2002-07-11 11:10:32 C:\Program Files\Microsoft Works\bak\WksSb.exe

----a-w 135,168 2003-10-29 15:17:30 C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe

----a-w 1,003,520 2006-05-30 01:19:42 C:\Program Files\Real\RealOne Player\bak\realplay.exe

----a-w 100,056 2006-08-25 04:50:55 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 763,392 2001-04-10 19:46:10 C:\Program Files\Toshiba\InstantWrite\bak\IWCTRL.EXE

----a-w 184,784 2003-10-09 21:31:52 C:\Program Files\WildTangent\Apps\bak\GameChannel.exe

----a-w 221,184 2003-11-04 00:50:40 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

----a-w 483,328 2003-08-21 11:15:48 C:\WINDOWS\system32\bak\hphmon05.exe

----a-w 81,920 2002-10-16 23:57:10 C:\WINDOWS\system32\bak\ps2.exe

----a-w 36,864 2001-08-17 13:58:54 C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-08 32768]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-12-05 3022848]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"PDUiP6210DMon"="C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe" [2005-05-06 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 116328]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-06-26 771440]
"PhoneTray"="C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe" [2007-08-15 839680]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"VTTimer"="VTTimer.exe" [N/A]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\WINDOWS\ltmsg.exe]
"nwiz"="nwiz.exe" [2003-12-05 C:\WINDOWS\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
"aux"= sysaudio.sys

R1 Asapi;ASAPI;C:\WINDOWS\System32\drivers\Asapi.sys [2000-01-08 10240]
R1 CDRDRV;CDRDRV;C:\WINDOWS\System32\drivers\CDRDRV.sys [2001-04-11 45056]
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys [2000-09-07 9728]
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys [2001-04-11 186368]
R3 PhoneTrayDriver;PhoneTrayDriver;C:\WINDOWS\System32\Drivers\ptdrv.sys [2007-06-18 22272]
S1 vobfat;vobfat;C:\WINDOWS\System32\drivers\vobfat.sys [2000-08-25 7680]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-24 68922]
.
Contents of the 'Scheduled Tasks' folder

2008-10-03 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2007-06-26 04:27]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\38ea8x40.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 23:08:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-04 23:13:58
ComboFix-quarantined-files.txt 2008-10-05 03:13:26
ComboFix2.txt 2008-10-04 01:42:24
ComboFix3.txt 2008-10-03 20:25:22
ComboFix4.txt 2008-10-03 19:49:43
ComboFix5.txt 2008-10-05 02:53:00

Pre-Run: 130,868,580,352 bytes free
Post-Run: 130,864,537,600 bytes free

167 --- E O F --- 2007-09-03 19:01:20




Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 10/04/2008
The current time is: 21:57:06.73


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 11:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

07/11/2001 11:08 AM 53,248 AcBtnMgr_X73.exe
05/16/2001 11:01 PM 53,248 ACMonitor_X73.exe
2 File(s) 106,496 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

08/08/2000 04:00 PM 28,739 WkDetect.exe
07/11/2002 07:10 AM 725,046 WksSb.exe
2 File(s) 753,785 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

10/29/2003 11:17 AM 135,168 shwicon2k.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/25/2006 12:50 AM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SMINST\BAK

11/03/2003 08:50 PM 221,184 RECGUARD.EXE
1 File(s) 221,184 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 08:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/21/2003 07:15 AM 483,328 hphmon05.exe
10/16/2002 07:57 PM 81,920 ps2.exe
2 File(s) 565,248 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

04/13/2006 01:20 PM 59,040 ccApp.exe
1 File(s) 59,040 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

08/21/2003 07:23 AM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\REAL\REALON~1\BAK

05/29/2006 09:19 PM 1,003,520 realplay.exe
1 File(s) 1,003,520 bytes

Directory of C:\PROGRA~1\TOSHIBA\INSTAN~1\BAK

04/10/2001 03:46 PM 763,392 IWCTRL.EXE
1 File(s) 763,392 bytes

Directory of C:\PROGRA~1\WILDTA~1\APPS\BAK

10/09/2003 05:31 PM 184,784 GameChannel.exe
1 File(s) 184,784 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

02/16/2005 04:15 PM 81,920 issch.exe
02/16/2005 04:15 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/20/2004 11:22 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 12:01 PM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 05:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

01/09/2004 05:34 AM 32,768 backupnotify.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

01/20/2004 09:53 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\BAK

08/17/2001 09:58 AM 36,864 printray.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
53248 Jul 11 2001 "C:\Program Files\LexmarkX73\bak\AcBtnMgr_X73.exe"
53248 May 11 2001 "C:\Program Files\ACMonitor_X73.exe"
53248 May 16 2001 "C:\Program Files\LexmarkX73\bak\ACMonitor_X73.exe"
28739 Aug 8 2000 "C:\Program Files\Microsoft Works\bak\WkDetect.exe"
725046 Jul 11 2002 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
100056 Aug 25 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
221184 Nov 3 2003 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
116328 Jun 4 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
1003520 May 29 2006 "C:\Program Files\Real\RealOne Player\bak\realplay.exe"
763392 Apr 10 2001 "C:\Program Files\Toshiba\InstantWrite\bak\IWCTRL.EXE"
184784 Oct 9 2003 "C:\Program Files\WildTangent\Apps\bak\GameChannel.exe"
86960 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
221184 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
151597 Jan 20 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
32768 Jan 8 2004 "C:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe"
32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
32881 Jan 20 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
36864 Aug 17 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x7328e0\printray.exe"
36864 Aug 17 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


end of report

#6 steamwiz

Posted 05 October 2008 - 06:07 PM

Hi

Now you've run Combofix 6 times & it is showing a clean log ... only the first log will show me what Combofix removed ....

These are your Combofix logs :-

Completion time: 2008-10-04 23:13:58 <<<<<<<<<<<<<<<<<< this is the last one you ran ...
ComboFix-quarantined-files.txt 2008-10-05 03:13:26
ComboFix2.txt 2008-10-04 01:42:24
ComboFix3.txt 2008-10-03 20:25:22

ComboFix4.txt 2008-10-03 19:49:43 This is the earliest date ...

ComboFix5.txt 2008-10-05 02:53:00 This should be the log from the first run, but the date is wrong (it looks like tomorrow)

The files should be in a folder called Combofix here :-

C:\ComboFix

Please post the ComboFix4.txt & ComboFix5.txt files ... note the numbers 4 & 5

-
You also appear to have had an AWF infection at some time in the past. This infection replaces legitimate files with its own files & moves the legit file to a bak folder ...

All the files shown in the AWF scan are legitimate, but it looks as though you had someone help you remove the infected files, or an anti-malware program has removed them, the thing is the legit files in the bak folders do not look as though they were replaced in their correct location ...

For instance ...

these files which are in bak folders :-

28739 Aug 8 2000 "C:\Program Files\Microsoft Works\bak\WkDetect.exe"
725046 Jul 11 2002 "C:\Program Files\Microsoft Works\bak\WksSb.exe"

should be in the Microsoft Works folder, not the bak folder ... do you understand?

Please look in the C:\Program Files\Microsoft Works folder & tell me if you see these files :-

WkDetect.exe
WksSb.exe

Some of the files which are shown in bak folders have been replaced by newer versions, so the older ones in the corresponding bak folders can be deleted, but where the only legit file you have is in a bak folder, it needs moving to its correct location before the bak folder is deleted ... OK

So just check out those 2 files I mention above first, then we'll sort the rest out :thumbsup:

If you have any questions please ask :)

Are your searches still being redirected?

steam

Edited by steamwiz, 05 October 2008 - 06:10 PM.
to correct spelling

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
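The rule steamwiz applies to the AWF listing above (a bak copy whose real location already holds a file of the same name is a stale backup that can go once the live copy is confirmed; a bak copy with no counterpart is the only legitimate file and must be moved back before the bak folder is removed) can be applied mechanically to the AWF section of a ComboFix log. The script below is an added example for this thread, not part of the original posts and not a ComboFix or Find AWF tool. It parses a constructed subset of the AWF lines shown in the logs above (same format, same paths) and produces a per-file plan; the function names are the example's own, and it only reports, it never moves or deletes anything.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the lines from the ComboFix "AWF" section
# posted in this thread (same format, same paths), used as offline input.
SAMPLE_AWF_SECTION = r"""
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 81,920 2005-02-16 20:15:20 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 86,960 2006-09-11 09:40:34 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

----a-w 59,040 2006-04-13 17:20:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 116,328 2007-06-05 02:05:44 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 28,739 2000-08-08 20:00:00 C:\Program Files\Microsoft Works\bak\WkDetect.exe
"""

# One AWF line: attributes, size with thousands separators, date, time, path.
LINE_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)


def parse_awf_section(text):
    """Turn AWF report lines into dicts; blank separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = PureWindowsPath(m.group("path"))
        entries.append({
            "size": int(m.group("size").replace(",", "")),
            "stamp": f"{m.group('date')} {m.group('time')}",  # sortable as text
            "path": path,
            "is_bak": path.parent.name.lower() == "bak",
        })
    return entries


def plan_awf_cleanup(text):
    """Map each bak copy to the action described in the post.

    'delete_bak_copy': the real location already holds a file of that name,
    so the bak copy is a stale backup (delete only after confirming the live
    copy is intact).  'restore': nothing lives in the real location, so the
    bak copy is the only legitimate file and must be moved back first.
    """
    entries = parse_awf_section(text)
    live = {}
    for e in entries:
        if not e["is_bak"]:
            live[(str(e["path"].parent).lower(), e["path"].name.lower())] = e
    plan = {}
    for e in entries:
        if not e["is_bak"]:
            continue
        home = e["path"].parent.parent          # the folder that holds "bak"
        key = (str(home).lower(), e["path"].name.lower())
        counterpart = live.get(key)
        if counterpart is None:
            plan[str(e["path"])] = {
                "action": "restore",
                "target": str(home / e["path"].name),
            }
        else:
            plan[str(e["path"])] = {
                "action": "delete_bak_copy",
                "live_copy": str(counterpart["path"]),
                "live_is_newer": counterpart["stamp"] > e["stamp"],
            }
    return plan


if __name__ == "__main__":
    # Report only: nothing here touches the file system.
    for bak_path, decision in plan_awf_cleanup(SAMPLE_AWF_SECTION).items():
        print(f"{decision['action']:16} {bak_path}")
        for k, v in decision.items():
            if k != "action":
                print(f"{'':16}   {k}: {v}")
```

The plan is derived from the listing alone, so the two file names steamwiz asks about (WkDetect.exe and WksSb.exe) come out as "restore" only because no live copy appears in the AWF section; as the post says, the real folder still has to be checked on disk before anything is moved or deleted.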

#7 buttercup70 (Topic Starter)

Posted 06 October 2008 - 02:16 PM

Hello and thanks again for your help. Yes, my searches are still being redirected to unrelated web sites. I am having trouble locating the old ComboFix scan logs. Here is something that may or may not be helpful:

2002-09-11 07:02:32 45 C:\Qoobox\Quarantine\D\Autorun.inf.vir
2008-09-26 19:51:54 3,281 C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Cookies\owner@turn[1].txt.vir
2008-10-03 19:25:20 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-10-03 19:25:20 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-10-03 19:25:20 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-10-05 03:07:39 7,991 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-05 03:08:00 270 C:\Qoobox\Quarantine\catchme.log


ComboFix 08-10-03.01 - Owner 2008-10-03 15:20:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.160 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\winxpsp1_en_hom_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\owner@turn[1].txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.

2008-10-02 18:35 . 2008-10-02 20:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-02 18:35 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-02 18:24 . 2008-10-02 18:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 22:23 . 2008-10-01 22:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-01 21:42 . 2008-10-01 21:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-01 21:42 . 2008-10-01 21:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-10-01 18:18 . 2008-10-01 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-01 16:36 . 2008-10-01 20:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-01 16:36 . 2008-10-01 16:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-30 21:37 . 2008-09-30 21:37 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-30 16:48 . 2008-09-30 16:48 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-29 20:02 . 2008-09-29 20:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-29 20:02 . 2008-09-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-29 16:42 . 2008-09-29 15:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-29 15:43 . 2008-09-29 17:09 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-09-28 20:49 . 2008-09-28 20:49 <DIR> d-------- C:\WINDOWS\Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-01 21:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-01 03:09 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-09-28 00:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-21 00:43 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-09-14 00:22 --------- d-----w C:\Program Files\Microsoft Games
2008-09-02 14:56 --------- d-----w C:\Program Files\Palm
2008-08-18 20:27 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-18 20:26 --------- d-----w C:\Program Files\Coupons
2008-08-18 20:26 --------- d-----w C:\Program Files\BackWeb
2008-08-18 20:25 --------- d-----w C:\Program Files\interMute
2008-08-18 20:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-08-18 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 20:24 --------- d-----w C:\Program Files\Quicken
2008-08-18 20:22 --------- d-----w C:\Program Files\Atari
2008-08-18 20:21 --------- d-----w C:\Program Files\FoneSync
2008-08-13 21:37 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-13 21:37 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-13 21:37 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-13 21:37 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-13 21:37 --------- d-----w C:\Program Files\Symantec
2008-08-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2001-07-26 20:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 14:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 19:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 13:54 768 ----a-w C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 81,920 2005-02-16 20:15:20 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 86,960 2006-09-11 09:40:34 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

----a-w 221,184 2005-02-16 20:15:22 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 218,032 2006-09-11 09:40:32 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

----a-w 151,597 2004-01-21 03:22:21 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 16:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 59,040 2006-04-13 17:20:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 116,328 2007-06-05 02:05:44 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 218,240 2004-11-02 21:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 32,768 2004-01-09 09:34:10 C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe
----a-w 32,768 2004-01-08 22:34:10 C:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe

----a-w 49,152 2003-08-21 11:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 32,881 2004-01-21 01:53:45 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 53,248 2001-07-11 15:08:38 C:\Program Files\LexmarkX73\bak\AcBtnMgr_X73.exe

----a-w 53,248 2001-05-17 03:01:14 C:\Program Files\LexmarkX73\bak\ACMonitor_X73.exe

----a-w 28,739 2000-08-08 20:00:00 C:\Program Files\Microsoft Works\bak\WkDetect.exe

----a-w 725,046 2002-07-11 11:10:32 C:\Program Files\Microsoft Works\bak\WksSb.exe

----a-w 135,168 2003-10-29 15:17:30 C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe

----a-w 1,003,520 2006-05-30 01:19:42 C:\Program Files\Real\RealOne Player\bak\realplay.exe

----a-w 100,056 2006-08-25 04:50:55 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 763,392 2001-04-10 19:46:10 C:\Program Files\Toshiba\InstantWrite\bak\IWCTRL.EXE

----a-w 184,784 2003-10-09 21:31:52 C:\Program Files\WildTangent\Apps\bak\GameChannel.exe

----a-w 221,184 2003-11-04 00:50:40 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

----a-w 483,328 2003-08-21 11:15:48 C:\WINDOWS\system32\bak\hphmon05.exe

----a-w 81,920 2002-10-16 23:57:10 C:\WINDOWS\system32\bak\ps2.exe

----a-w 36,864 2001-08-17 13:58:54 C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-08 32768]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-12-05 3022848]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"PDUiP6210DMon"="C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe" [2005-05-06 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 116328]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-06-26 771440]
"PhoneTray"="C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe" [2007-08-15 839680]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"VTTimer"="VTTimer.exe" [N/A]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\WINDOWS\ltmsg.exe]
"nwiz"="nwiz.exe" [2003-12-05 C:\WINDOWS\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-10-01 57344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
"aux"= sysaudio.sys

R1 Asapi;ASAPI;C:\WINDOWS\System32\drivers\Asapi.sys [2000-01-08 10240]
R1 CDRDRV;CDRDRV;C:\WINDOWS\System32\drivers\CDRDRV.sys [2001-04-11 45056]
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys [2000-09-07 9728]
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys [2001-04-11 186368]
R3 PhoneTrayDriver;PhoneTrayDriver;C:\WINDOWS\System32\Drivers\ptdrv.sys [2007-06-18 22272]
S1 vobfat;vobfat;C:\WINDOWS\System32\drivers\vobfat.sys [2000-08-25 7680]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-24 68922]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\38ea8x40.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 15:23:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-10-03 15:26:50
ComboFix-quarantined-files.txt 2008-10-03 19:25:46

Pre-Run: 130,885,865,472 bytes free
Post-Run: 130,921,000,960 bytes free

170 --- E O F --- 2007-09-03 19:01:20


####################################################################################################################################


ComboFix 08-10-03.01 - Owner 2008-10-03 15:45:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.151 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.

2008-10-02 18:35 . 2008-10-02 20:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-10-02 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-02 18:35 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-02 18:35 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-02 18:24 . 2008-10-02 18:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 22:23 . 2008-10-01 22:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-01 21:42 . 2008-10-01 21:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-01 21:42 . 2008-10-01 21:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-01 18:18 . 2008-10-02 18:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-10-01 18:18 . 2008-10-01 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-01 16:36 . 2008-10-01 20:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-01 16:36 . 2008-10-01 16:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-30 21:37 . 2008-09-30 21:37 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-30 16:48 . 2008-09-30 16:48 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-29 20:02 . 2008-09-29 20:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-29 20:02 . 2008-09-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-29 16:42 . 2008-09-29 15:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-29 15:43 . 2008-09-29 17:09 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-09-28 20:49 . 2008-09-28 20:49 <DIR> d-------- C:\WINDOWS\Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 19:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-01 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-01 21:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-01 03:09 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-09-21 00:43 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-09-14 00:22 --------- d-----w C:\Program Files\Microsoft Games
2008-09-02 14:56 --------- d-----w C:\Program Files\Palm
2008-08-18 20:27 --------- d-----w C:\Program Files\Easy Internet signup
2008-08-18 20:26 --------- d-----w C:\Program Files\Coupons
2008-08-18 20:26 --------- d-----w C:\Program Files\BackWeb
2008-08-18 20:25 --------- d-----w C:\Program Files\interMute
2008-08-18 20:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-08-18 20:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 20:24 --------- d-----w C:\Program Files\Quicken
2008-08-18 20:22 --------- d-----w C:\Program Files\Atari
2008-08-18 20:21 --------- d-----w C:\Program Files\FoneSync
2008-08-13 21:37 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-13 21:37 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-13 21:37 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-13 21:37 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-13 21:37 --------- d-----w C:\Program Files\Symantec
2008-08-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2001-07-26 20:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 14:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 19:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 13:54 768 ----a-w C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2003-02-12 03:02:48 C:\hp\KBD\bak\KBD.EXE

----a-w 81,920 2005-02-16 20:15:20 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 86,960 2006-09-11 09:40:34 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

----a-w 221,184 2005-02-16 20:15:22 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 218,032 2006-09-11 09:40:32 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

----a-w 151,597 2004-01-21 03:22:21 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 16:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 59,040 2006-04-13 17:20:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 116,328 2007-06-05 02:05:44 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 218,240 2004-11-02 21:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 32,768 2004-01-09 09:34:10 C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe
----a-w 32,768 2004-01-08 22:34:10 C:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe

----a-w 49,152 2003-08-21 11:23:08 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 32,881 2004-01-21 01:53:45 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 53,248 2001-07-11 15:08:38 C:\Program Files\LexmarkX73\bak\AcBtnMgr_X73.exe

----a-w 53,248 2001-05-17 03:01:14 C:\Program Files\LexmarkX73\bak\ACMonitor_X73.exe

----a-w 28,739 2000-08-08 20:00:00 C:\Program Files\Microsoft Works\bak\WkDetect.exe

----a-w 725,046 2002-07-11 11:10:32 C:\Program Files\Microsoft Works\bak\WksSb.exe

----a-w 135,168 2003-10-29 15:17:30 C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe

----a-w 1,003,520 2006-05-30 01:19:42 C:\Program Files\Real\RealOne Player\bak\realplay.exe

----a-w 100,056 2006-08-25 04:50:55 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 763,392 2001-04-10 19:46:10 C:\Program Files\Toshiba\InstantWrite\bak\IWCTRL.EXE

----a-w 184,784 2003-10-09 21:31:52 C:\Program Files\WildTangent\Apps\bak\GameChannel.exe

----a-w 221,184 2003-11-04 00:50:40 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe

----a-w 483,328 2003-08-21 11:15:48 C:\WINDOWS\system32\bak\hphmon05.exe

----a-w 81,920 2002-10-16 23:57:10 C:\WINDOWS\system32\bak\ps2.exe

----a-w 36,864 2001-08-17 13:58:54 C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-08 32768]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-12-05 3022848]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"PDUiP6210DMon"="C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe" [2005-05-06 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 116328]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-06-26 771440]
"PhoneTray"="C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe" [2007-08-15 839680]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"VTTimer"="VTTimer.exe" [N/A]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\WINDOWS\ltmsg.exe]
"nwiz"="nwiz.exe" [2003-12-05 C:\WINDOWS\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-10-01 57344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
"aux"= sysaudio.sys

R1 Asapi;ASAPI;C:\WINDOWS\System32\drivers\Asapi.sys [2000-01-08 10240]
R1 CDRDRV;CDRDRV;C:\WINDOWS\System32\drivers\CDRDRV.sys [2001-04-11 45056]
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys [2000-09-07 9728]
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys [2001-04-11 186368]
R3 PhoneTrayDriver;PhoneTrayDriver;C:\WINDOWS\System32\Drivers\ptdrv.sys [2007-06-18 22272]
S1 vobfat;vobfat;C:\WINDOWS\System32\drivers\vobfat.sys [2000-08-25 7680]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-24 68922]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\38ea8x40.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 15:47:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-10-03 15:49:42
ComboFix-quarantined-files.txt 2008-10-03 19:48:57
ComboFix2.txt 2008-10-03 19:26:51

Pre-Run: 130,959,114,240 bytes free
Post-Run: 130,946,998,272 bytes free

167 --- E O F --- 2007-09-03 19:01:20





As far as the Microsoft Works folders,

WkDetect.exe
WksSb.exe

they are both located in :

C:\Program Files\Microsoft Works\bak


Still in need of help, please advise!

Kim

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 06 October 2008 - 05:44 PM

HI Kim

As far as the Microsoft Works folders,

WkDetect.exe
WksSb.exe

they are both located in :

C:\Program Files\Microsoft Works\bak


Just to clarify .. yes, I know they are in the bak folder, but are they also in the Microsoft Works folder ?

Thanks for the ComboFix logs, they were the ones I wanted to see :thumbsup: but they didn't show anything helpful...

-

Print out these instructions for reference, since you will have to restart your computer during the fix.

1. Please download FixWareout from here:-

http://downloads.subratam.org/Fixwareout.exe

2. Save it to your desktop and run it.

3. Click Next > then Install > then make sure "Run fixit" is checked and click Finish.

4. The fix will begin, follow the prompts.

5. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load; this is normal.

6. When your system reboots (BE patient), follow the prompts. Afterwards, HijackThis may launch.

Please Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again, restart if prompted.

Finally, please post the contents of :-

C:\fixwareout\report.txt
A new HijackThis log.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 buttercup70

buttercup70
  • Topic Starter

  • Members
  • 15 posts

Posted 06 October 2008 - 07:23 PM

Hello again,

Still having the redirect issue.

Just to clarify .. yes, I know they are in the bak folder, but are they also in the Microsoft Works folder ?

No, they are not in the Microsoft Works folder, just the bak.

Here is the fixwareout report:

Username "Owner" - 10/06/2008 20:05:23 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"LTMSG"="LTMSG.exe 7"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"AlcxMonitor"="ALCXMNTR.EXE"
"CanonMyPrinter"="C:\\Program Files\\Canon\\MyPrinter\\BJMyPrt.exe /logon"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"OpwareSE4"="\"C:\\Program Files\\ScanSoft\\OmniPageSE4.0\\OpwareSE4.exe\""
"PDUiP6210DMon"="C:\\Program Files\\Canon\\Memory Card Utility\\iP6210D\\PDUiP6210DMon.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"PhoneTray"="C:\\Program Files\\Traysoft\\PhoneTray\\PhoneTray.exe"
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"=""
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



And the new hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:40 PM, on 10/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219961288671
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC36EE5F-7A0F-4606-A7B3-4B02E2B03AB4}: NameServer = 207.251.194.54 207.251.194.55
O20 - AppInit_DLLs:
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9488 bytes


Thanks again for your time!

Kim

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 07 October 2008 - 05:44 PM

Hi

Fixwareout was clean ...

Alexa is adware; if you use the Alexa toolbar you could be re-directed to monstermarketplace.com etc.
The 2 O9 entries I have included below are Alexa related ...

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below... when all are ticked (checked) click the Fix Checked button at the bottom :-


O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O20 - AppInit_DLLs:


We'll put those files in the bak folders back where they belong later (they're not causing your problem)

Also you need to update your java, but that's not causing the redirect either ... we'll do that later as well.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#11 buttercup70

buttercup70
  • Topic Starter

  • Members
  • 15 posts

Posted 07 October 2008 - 07:41 PM

Hi again Steam-

OK, I removed those lines from HijackThis and restarted; still having the redirect after a new Google search. Damn monstermarketplace.com! What's my next move? Here is the log from HijackThis if you need it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:50 PM, on 10/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\mshearts.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219961288671
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC36EE5F-7A0F-4606-A7B3-4B02E2B03AB4}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9034 bytes


Thanks again - Kim
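The triage steamwiz does by hand above (spotting the O2 BHO with "(no file)", the O9 related.htm buttons, the empty O20 AppInit_DLLs line, and noticing what changed between two logs) can be scripted. The following Python is an added example and is not code from this thread, from HijackThis or from ComboFix. The log lines embedded in it are copied from Kim's 10/6 and 10/7 logs; the `Entry` class, the function names and the flagging rules are this example's own. It also reports that the O17 NameServer addresses differ between the two logs, which a reader comparing them will see.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from the thread or from HijackThis/ComboFix.
It parses the R/O-section lines HijackThis emits, flags the entry types
steamwiz asked Kim to fix (an O2 BHO with "(no file)", O9 buttons pointing
at related.htm, an empty O20 AppInit_DLLs line) and reports which O17
NameServer addresses changed between two logs. Sample lines are copied from
the 10/6 and 10/7 logs in this thread; the flagging rules are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed excerpts: a few lines copied verbatim from Kim's 10/6 and 10/7 logs.
LOG_OCT6 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC36EE5F-7A0F-4606-A7B3-4B02E2B03AB4}: NameServer = 207.251.194.54 207.251.194.55
O20 - AppInit_DLLs:
"""

LOG_OCT7 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC36EE5F-7A0F-4606-A7B3-4B02E2B03AB4}: NameServer = 64.136.173.5 64.136.164.77
"""

# "O17 - HKLM\...: NameServer = a b"  ->  kind "O17", body "HKLM\...: NameServer = a b"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    kind: str   # section tag such as O2, O9, O17
    body: str   # everything after "Oxx - "


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R/O entry lines; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def nameservers(entries: list[Entry]) -> set[str]:
    """Collect every address listed on O17 NameServer lines."""
    ips: set[str] = set()
    for e in entries:
        if e.kind == "O17":
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                ips.update(m.group(1).split())
    return ips


def flag_entries(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (kind, reason, body) for the entries a helper would look at first."""
    flags = []
    for e in entries:
        if e.kind == "O2" and e.body.endswith("(no file)"):
            flags.append((e.kind, "BHO CLSID registered but its DLL is gone (orphan entry)", e.body))
        elif e.kind == "O9" and e.body.lower().endswith("related.htm"):
            flags.append((e.kind, "Related Links button; steamwiz identifies this as Alexa-related", e.body))
        elif e.kind == "O20" and e.body.strip() == "AppInit_DLLs:":
            flags.append((e.kind, "AppInit_DLLs value present but empty", e.body))
    return flags


def nameserver_diff(old_text: str, new_text: str) -> dict[str, list[str]]:
    """Which DNS servers disappeared or appeared between two logs."""
    old = nameservers(parse_hjt(old_text))
    new = nameservers(parse_hjt(new_text))
    return {"removed": sorted(old - new), "added": sorted(new - old)}


if __name__ == "__main__":
    for kind, reason, body in flag_entries(parse_hjt(LOG_OCT6)):
        print(f"{kind}: {reason}\n    {body}")
    print("NameServer changes 10/6 -> 10/7:", nameserver_diff(LOG_OCT6, LOG_OCT7))
```

Run it on full log files by reading them into `LOG_OCT6`/`LOG_OCT7`. The script only reports that the O17 addresses changed; whether the new pair belongs to the ISP is something to verify separately, since the TCP/IP NameServer value is one of the settings a helper checks when a search redirect survives the usual fixes.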

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 08 October 2008 - 03:28 PM

Hi Kim

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


Under "Windows explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used lists"

Other Explorer MRUs
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

-
After you've run CCleaner ... click tools > uninstall ... then click save to text file

post the list here please ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#13 buttercup70

buttercup70
  • Topic Starter

  • Members
  • 15 posts

Posted 08 October 2008 - 05:15 PM

Hi Steam -

Is this what you want?

Adobe Acrobat 4.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0
ArcSoft PhotoStudio 5.5
Arts & Letters Clip Art Viewer
Arts & Letters Express Test Drive
Arts & Letters Font Manager
Arts & Letters Jurassic ART
Barbie Beach Vacation
Barbie® Beauty Styler™ CD-ROM
Barbie® Digital Makeover™
Barbie™ Mermaid Adventure™ CD-ROM
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon iP6210D
Canon iP6210D Memory Card Utility
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator 3.0
Canon MP160
Canon MP160 User Registration
Canon My Printer
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Finding Nemo: Nemo's Underwater World of Fun
Google Earth
HijackThis 2.0.2
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Image Zone Plus 3.5
HP Instant Support
HP Organize
HP Photo & Imaging 3.5 - HP Devices
HP Product Detection
HP PSC & OfficeJet 3.0
HP Software Update
I Can Be A Dinosaur Finder
InstantCD/DVD
IntelliMover Data Transfer Demo
Internet Explorer Q832894
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
KBD
Kodak EasyShare software
Little Mermaid II Return to the Sea
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Mavis Beacon Teaches Typing 8.0.1
Memories Disc Creator 2.0
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft Combat Flight Simulator 2
Microsoft Encarta Encyclopedia Standard 2001
Microsoft Fighter Ace II
Microsoft Links 2001
Microsoft Money 2001
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft Picture It! Publishing 2001
Microsoft Plus! Digital Media Edition
Microsoft Streets and Trips 2001
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Multimedia Card Reader
MUSICMATCH® Jukebox
Norton AntiVirus (Symantec Corporation)
NVIDIA Display Driver
NVIDIA Ethernet Driver
NVIDIA GART Driver
Outlook Express Update Q330994
PC-Doctor for Windows
PhoneTray Dialup
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from WildGames (remove only)
Polar Golfer from WildGames (remove only)
PowerDVD
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealOne Player
RecordNow!
ScanSoft OmniPage SE 4.0
Shockwave
SideWinder Precision 2
Sonic Update Manager
Toolkit View(HP)
Uninstall Dual Mode Camera
Wal-Mart Music Downloads Store
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB821431
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815485
Windows XP Hotfix (SP2) Q817357


Thanks -

Kim

#14 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:10:27 PM

Posted 09 October 2008 - 12:07 PM

Hi Kim

Yes that's what I wanted to see, I was hoping to spot some adware which may be causing the redirect, but everything there looks OK.

Let's update your java ...

Go to add/remove programs and uninstall any earlier versions ... in your case :-

Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2

uninstall both of them

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 7' and press the 'Download' button.


Running an out-of-date version of Java is an infection risk, as it can be exploited by malware.

-
Then I want you to do some more scans for me & post the logs ...

What programs have you already run? So that we don't go over the same ground twice ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions
and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

don't forget to post the log

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#15 buttercup70

buttercup70
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:27 PM

Posted 10 October 2008 - 08:55 AM

Hi Steam-

OK, new Java is installed, old ones removed. I downloaded and ran SUPERAntiSpyware. The log doesn't look like much, but here it is. In addition to the programs you have had me run so far, I have downloaded and run Spybot S&D and also Ad-Aware. After I ran them, I removed the programs from my computer. I have kept everything on that you have had me run.

Thanks again-

Kim

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/09/2008 at 09:21 PM

Application Version : 4.21.1004

Core Rules Database Version : 3593
Trace Rules Database Version: 1580

Scan type : Complete Scan
Total Scan Time : 01:00:06

Memory items scanned : 454
Memory threats detected : 0
Registry items scanned : 6542
Registry threats detected : 0
File items scanned : 86112
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@chitika[1].txt
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.sun[1].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bostoncommonpress.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adinterax[2].txt
C:\Documents and Settings\Owner\Cookies\owner@cookscountry[2].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Owner\Cookies\owner@gadget[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
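Added example, not part of the thread and not SUPERAntiSpyware's own code: a small Python parser for the scan-log layout Kim posted above, which pulls out the summary counters and the items listed under each detection category, extracts the cookie hosts from the IE cookie file names, and cross-checks that the listed items agree with the "File threats detected" counter. The sample log is constructed from three of the thirteen entries above, and the function names are my own.

```python
import re

# Constructed sample laid out like the thread's SUPERAntiSpyware log
# (three of its thirteen cookie entries kept, so the counter reads 3).
SAMPLE_LOG = """\
SUPERAntiSpyware Scan Log
Total Scan Time : 01:00:06
Memory threats detected : 0
Registry threats detected : 0
File items scanned : 86112
File threats detected : 3

Adware.Tracking Cookie
C:\\Documents and Settings\\Owner\\Cookies\\owner@chitika[1].txt
C:\\Documents and Settings\\Owner\\Cookies\\owner@bostoncommonpress.112.2o7[1].txt
C:\\Documents and Settings\\Owner\\Cookies\\owner@ad.yieldmanager[2].txt
"""

COUNTER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)$")  # "Label : 123" only
ITEM_RE = re.compile(r"^([A-Za-z]:\\|HK)")               # file path or registry key


def parse_sas_log(text):
    """Return (counters, detections): summary label -> int, category -> items."""
    counters, detections, category, in_detections = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_detections:
            m = COUNTER_RE.match(line)        # skips 'Total Scan Time : 01:00:06'
            if m:
                counters[m.group(1).strip()] = int(m.group(2))
                in_detections = m.group(1).strip() == "File threats detected"
        elif ITEM_RE.match(line):
            detections.setdefault(category, []).append(line)
        else:
            category = line                   # e.g. "Adware.Tracking Cookie"
            detections.setdefault(category, [])
    return counters, detections


def cookie_hosts(items):
    """Host part of IE cookie file names such as owner@2o7[1].txt."""
    hits = [re.search(r"@([^\[\\]+)\[\d+\]\.txt$", i, re.I) for i in items]
    return [m.group(1) for m in hits if m]


def counts_consistent(counters, detections):
    """True when listed file items equal the 'File threats detected' counter."""
    files = sum(1 for v in detections.values() for i in v if i[1:3] == ":\\")
    return files == counters.get("File threats detected", -1)
```

Run against the full log above, the cookie hosts give a quick view of which ad networks set the tracking cookies, and a mismatch between the counter and the listed items flags a truncated paste.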



