Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Recently Hijacked


  • Please log in to reply
12 replies to this topic

#1 origin7

origin7

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 24 December 2008 - 01:22 PM

Hi, I was recently Hijacked but think I fixed the problem and just wanted to post this log and see if it looked alright or still had something suspicious about it. I used Advanced System Care Pro to make this log, and it's compatible with Hijackthis. Any help would be much appreciated! I just want my computer to run fast and don't want anything unnecessary floating around. I have a lot of software on my computer such as autodesk 3d max and a lot of adobe software so some things are essential but I want to get rid of the bad stuff. Thanks


Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 12:13:15 PM, on 12/24/2008
Platform: Windows XP (WinNT 5.1)
MSIE: Internet Explorer v7.0 (7.0.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\IObit\Advanced SystemCare 3\Awc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O3 - Toolbar: - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe_ID0E3DHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_07) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown - %systemRoot%\System32\svchost.exe

Edited by origin7, 24 December 2008 - 01:25 PM.


BC AdBot (Login to Remove)

 


#2 origin7

origin7
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 26 December 2008 - 02:47 PM

any help?

Edited by origin7, 26 December 2008 - 02:48 PM.


#3 origin7

origin7
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 29 December 2008 - 12:35 PM

For some reason I keep getting lookandiscover as my homepage. I have selected it using Hijackthis and clicked fix problem but it keep returning and I need help getting rid of it! It fixed my firefox homepage but when I open internet explorer it is still hijacked and I want to get rid of this problem. If someone could please help me I would really appreciate it! Here is my most recent log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:39 AM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookanddiscover.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe_ID0E3DHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: winsched.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 7233 bytes

#4 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:01:50 AM

Posted 05 January 2009 - 01:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.
Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#5 origin7

origin7
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 05 January 2009 - 02:46 PM

Thank you for responding. I have been having this hijack problem for a while now and I have tried using Hijack this and malwarebytes along with advanced system care pro by iobit and I still cannot remove this www.lookandiscover.com or www.lookingnation.com homepage hijacks! I am using Firefox and I have Explorer too and both of the pages are getting hijacked. Everytime I restart they have taken over again! I downloaded the DDS and Here is the log. Let me know if I need to send the other one. Hope you can get this cleared up for me! Thanks a again!



DDS (Version 1.1.0) - NTFSx86
Run by Ryan Stalsby at 13:41:08.43 on Fri 01/05/2007
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2631 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ryan Stalsby\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.lookanddiscover.com/
uInternet Settings,ProxyOverride = *.local
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe_ID0E3DHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\winsched.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryanst~1\applic~1\mozilla\firefox\profiles\vekplafn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.lookanddiscover.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-9 65536]
R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-9-26 2748200]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-9-26 15656]

=============== Created Last 30 ================

2007-01-04 22:40 <DIR> --d----- c:\docume~1\ryanst~1\applic~1\FrostWire
2007-01-04 22:39 <DIR> --d----- c:\program files\FrostWire
2007-01-04 22:39 <DIR> --d----- c:\program files\AskBarDis

==================== Find3M ====================

2006-12-31 05:56 9,728 a------- c:\windows\system32\gpkrsrc.dll
2006-12-29 19:21 64,352 -------- c:\windows\system32\drivers\ativmc20.cod
2006-12-29 19:02 67,866 -------- c:\windows\system32\drivers\netwlan5.img
2006-12-28 23:31 19,569 a------- c:\windows\002988_.tmp
2006-12-04 15:21 414,720 a------- c:\windows\system32\msscp.dll
2006-11-29 12:06 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2006-11-22 05:20 348,160 a------- c:\windows\system32\WkExt32.dll
2006-11-22 05:20 159,744 a------- c:\windows\system32\WkWin32.dll
2006-11-22 05:20 72,704 a------- c:\windows\system32\drivers\WibuKey.sys
2006-11-17 06:00 516,096 a------- c:\windows\system32\WibuXpm4J32.dll
2006-11-09 05:20 16,384 a------- c:\windows\system32\drivers\Wibukey2.sys
2006-11-02 05:20 479,232 a------- c:\windows\system32\wibuKJni.dll
2006-10-31 16:14 19,558 a------- c:\windows\hpoins01.dat
2006-10-30 02:33 556,296 a------- c:\windows\system32\icardagt.exe
2006-10-30 02:33 83,968 a------- c:\windows\system32\infocardapi.dll
2006-10-30 02:33 9,480 a------- c:\windows\system32\icardres.dll
2006-10-20 20:30 1,980,704 a------- c:\windows\system32\milcore.dll
2006-10-20 20:30 769,312 a------- c:\windows\system32\PresentationNative_v0300.dll
2006-10-20 20:30 478,496 a------- c:\windows\system32\evr.dll
2006-10-20 20:29 344,352 a------- c:\windows\system32\PresentationHost.exe
2006-10-20 20:29 159,008 a------- c:\windows\system32\UIAutomationCore.dll
2006-10-20 20:29 104,224 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2006-10-20 20:29 69,408 a------- c:\windows\system32\dxva2.dll
2006-10-20 20:29 20,768 a------- c:\windows\system32\PresentationHostProxy.dll
2006-10-18 20:58 8,704 a------- c:\windows\system32\wdfmgr.exe
2006-10-18 20:58 8,704 a------- c:\windows\system32\uwdf.exe
2006-10-18 19:00 249,856 a------- c:\windows\system32\drmupgds.exe
2006-10-18 19:00 17,408 -------- c:\windows\system32\wpdshextautoplay.exe
2006-10-14 19:22 1,698,048 -------- c:\windows\system32\XpsSvcs.dll
2006-10-14 19:21 580,352 -------- c:\windows\system32\XPSSHHDR.dll
2006-10-14 15:43 124,416 -------- c:\windows\system32\prntvpt.dll
2006-10-09 15:15 1,669,632 a------- c:\windows\system32\msvidctl.dll
2006-10-09 15:12 456,192 a------- c:\windows\system32\encdec.dll
2006-10-09 15:12 291,840 a------- c:\windows\system32\sbe.dll
2006-10-09 15:12 235,008 -------- c:\windows\system32\psisdecd.dll
2008-09-26 10:59 8 ---shr-- c:\windows\system32\C2ACA0CA7F.sys
2008-09-29 09:27 848 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:41:21.32 ===============

Edited by origin7, 05 January 2009 - 02:48 PM.


#6 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:01:50 AM

Posted 05 January 2009 - 04:00 PM

Yes, please either attach or copy/paste the other log produced by DDS. It is named Attach.txt.
I also would like you to update MBAM and run another scan. Please post that log as well.

By the way, what anti-virus/anti-spyware programs were you using when this problem began?


Thanks :thumbsup:

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#7 origin7

origin7
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 05 January 2009 - 05:28 PM

Ok, I Here is the attach.txt file and I updated MBAM and ran another scan resulting in 2 Hijack.Homepage! (Listed in Bold below )

I was using Webroot Spysweeper when the problem first developed but I uninstalled it because I thought it may have been conflicting with my AdvSystemCarePro Software I was using along with it. I have tried Ad-Aware as well and Hijack This.



Malwarebytes' Anti-Malware 1.32
Database version: 1619
Windows 5.1.2600 Service Pack 3

1/5/2007 4:25:42 PM
mbam-log-2007-01-05 (16-25-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190109
Time elapsed: 33 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page\Start Page (Hijack.Homepage) -> Bad: (http://www.lookanddiscover.com/) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://www.lookanddiscover.com/) Good: (http://www.google.com/) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files


Edited by origin7, 05 January 2009 - 05:31 PM.


#8 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:01:50 AM

Posted 05 January 2009 - 07:13 PM

Spysweeper was not protecting you very well -- even if you were using the version with the anti-virus component. I suggest that you install one of the free anti-virus programs as soon as possible. Avast or Avira would be a good choice.

There's a file in your Startup that I'd like to check. Please search for winsched.exe.
Most likely you will find it here: C:\program files\Windows TaskAd\WinSched.exe

Please submit a sample of the file:
to Virus Total --
http://www.virustotal.com/en/indexf.html

At the top of the page you will see:
Select file>Browse>Send
Just follow the prompts.
The submission will then be tested against many different AV vendors’ scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.
Thanks!

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#9 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:01:50 AM

Posted 05 January 2009 - 08:53 PM

I received your Private Message, but it helps those using these forums for research if we work in the forum.

Pease remove BitTornado 0.3.17, BitTorrent, and any P2P software. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state.
There is a list here: http://spywarehammer.com/simplemachinesfor...php?topic=110.0

After removing those...
Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Place a checkmark next to the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookanddiscover.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - Global Startup: winsched.exe

Close all other windows and click "Fix Checked". Close HijackThis.
Reboot normally.

Please post a fresh HijackThis log and let me know how things are running. We will have more to do.


Edited by Bugbatter, 05 January 2009 - 08:54 PM.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#10 origin7

origin7
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 05 January 2009 - 10:13 PM

I found winsched in C:\Documents and Settings\All Users\Start Menu\Programs\Startup

I submitted the winsched.exe file to virustotal and this is the analysis:


File winsched.exe received on 01.06.2009 04:10:09 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 8/38 (21.06%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.06 Trojan.Win32.StartPage!IK
AhnLab- V3 2009.1.5.3 2009.01.05 -
AntiVir 7.9.0.45 2009.01.05 -
Authentium 5.1.0.4 2009.01.05 -
Avast 4.8.1281.0 2009.01.05 -
AVG 8.0.0.199 2009.01.05 -
BitDefender 7.2 2009.01.06 -
CAT-QuickHeal 10.00 2009.01.05 -
ClamAV 0.94.1 2009.01.06 -
Comodo 878 2009.01.05 -
DrWeb 4.44.0.09170 2009.01.06 -
eTrust-Vet 31.6.6289 2009.01.02 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.05 -
F-Secure 8.0.14470.0 2009.01.06 Trojan.Win32.StartPage.dbm
Fortinet 3.117.0.0 2009.01.06 W32/StartPage.DBM!tr
GData 19 2009.01.06 -
Ikarus T3.1.1.45.0 2009.01.06 Trojan.Win32.StartPage
K7AntiVirus 7.10.576 2009.01.05 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.01.06 Trojan.Win32.StartPage.dbm
McAfee 5486 2009.01.05 -
McAfee+Artemis 5486 2009.01.05 -
Microsoft 1.4205 2009.01.06 -
NOD32 3741 2009.01.05 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.05 -
PCTools 4.4.2.0 2009.01.05 -
Prevx1 V2 2009.01.06 Malicious Software
Rising 21.11.02.00 2009.01.05 -
SecureWeb-Gateway 6.7.6 2009.01.05 -
Sophos 4.37.0 2009.01.05 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.06 -
TheHacker 6.3.1.4.205 2009.01.05 Trojan/Downloader.AutoIt.ib
TrendMicro 8.700.0.1004 2009.01.05 -
VBA32 3.12.8.10 2009.01.05 -
ViRobot 2009.1.5.1544 2009.01.05 -
VirusBuster 4.5.11.0 2009.01.05 -








Additional information
File size: 274418 bytes
MD5...: 97f45b5d016287fdc34d89349820bbf7
SHA1..: f930baa91aab22d20c735a0ee255ba32c7d5a995
SHA256: ddac59e564234314387b325ff15af571add620cfb858d952514334479ecc3fa6
SHA512: de808f4f5261db985a364b535b0f3e2a747d467d834547072886da30a71caa5b
de8f6ba643829ede40970228b5f605e6b434bad37950827b8808ae4a57f88e80
ssdeep: 6144:PknN4CVUIm6uk06ZLYgvBA+8xmrxgmA+3cclptVopAWm8mZ1:8nNhuBoY8S
orxgmA+nlvVlcmZ1
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x499ca0
timedatestamp.....: 0x4850e379 (Thu Jun 12 08:51:05 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x61000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x62000 0x38000 0x38000 7.93 429538adf33595d4ba93cc74210654de
.rsrc 0x9a000 0x8000 0x7600 5.86 31a9f2914a1f6eaa22e4f831425a230c

( 13 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: ImageList_Create
> comdlg32.dll: GetSaveFileNameW
> GDI32.dll: LineTo
> MPR.dll: WNetUseConnectionW
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueW
> WINMM.dll: timeGetTime
> WSOCK32.dll: -

( 0 exports )
packers (Kaspersky): PE_Patch.UPX, UPX
CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=97f45b5d016287fdc34d89349820bbf7' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=97f45b5d016287fdc34d89349820bbf7</a>
packers (F-Prot): UPX
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=96CB1217F2304C172FB70496E7FA60000BD15AE3' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=96CB1217F2304C172FB70496E7FA60000BD15AE3</a>

Edited by origin7, 05 January 2009 - 10:26 PM.


#11 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:01:50 AM

Posted 05 January 2009 - 10:35 PM

Excellent! Good work!

While you are in Safemode after the HijackThis fixing, delete that winsched.exe critter!
I'll check back here after your updated log is posted.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#12 origin7

origin7
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:50 PM

Posted 05 January 2009 - 10:57 PM

Here's my most recent Hijack this file! Things are moving a lot smoother now! but also I wanted to ask you what anti-virus you use and if you use multiple ones? Right now I am using the Avast you recommended as well as A-squared, and I have AdvSystemCarePro. Would there be a problem using all 3 of them? Not at the same time of course but using them individually to scan and keep my computer clean?




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:40 PM, on 1/5/2007
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cgtalk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe_ID0E3DHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 7810 bytes

Edited by origin7, 06 January 2009 - 12:03 AM.


#13 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:01:50 AM

Posted 06 January 2009 - 01:14 PM

What you are using is fine. I'm not too familiar with AdvSystemCarePro. For maintenance I use CCleaner and some components of Avanquest System Suite Professional.
My security is ONE antivirus: Avast, along with Malwarebutes' Anti-Malware (Paid Version with realtime scanning), WinPatrol (Paid Version), Spywareblaster, ZoneAlarm, and for a hardware "firewall" I use a Linksys router. I also use MailWasher by Firetrust.
I configured Avast to meet my needs by using only the Network Shield and Standard Shield. You can try all the features and see what works best on your system.
One thing I do not recommend is registry cleaners, or the registry cleaning components of general maintenance utilities.

I'll include some general tips below that I post for everyone, so you can see what might apply to you.
It appears as if you are in good shape and that the malware is gone.

Run Disk Cleanup in each user's profile.

1. Open Disk Cleanup by clicking the Start button Picture of the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.
2. In the Disk Cleanup Options dialog box, choose whether you want to clean up your own files only or all of the files on the computer. Administrator permission required If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.
4. Click the Disk Cleanup tab.
* Please make sure only the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
5. When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.


We do need to update your Java, though. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 1.6.0.
  • Scroll down to where it says " Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • NOTE: As always during installations, beware of any pre-checked option to install MSN/Windows Live Toolbar.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java along with their older updates.
  • Do NOT delete C:\Program Files\JavaVM =this folder, if found!
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • NOTE: If you are offered to install a toolbar and you do not want it, Uncheck that option when installing Java.
After installing, you can test here to see if the update has installed:
http://www.java.com/en/download/installed.jsp

After something like this it is a good idea to purge the Restore Points and start fresh.
If everything is running well, let's purge System Restore.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig.
Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

You may have already taken some of the following steps, and depending on your current security, you may not need to implement all of these:

1. Visit Windows Update
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

2. You might consider installing SpywareBlaster
Tutorial HERE
Periodically check for updates.

3. Please use a firewall and realtime anti-virus. Keep your antivirus software and firewall software up to date.
Zone Labs has a free version of their firewall for home users: Zone Alarm Free Version or Alternate Link

4. You might consider installing Mozilla Firefox

5. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

6. Before using or purchasing any Spyware/Malware protection/removal program, always check these links: Rogue/Suspect Spyware List
Rogue Applications List
It will save you a lot of grief, as well as money if you are thinking of purchasing.
* If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above links work, check HERE for an independent comparison of several anti-spyware programs.

7. If you have not already done so, you might want to install CCleaner and run it in each user's profile.
** Uncheck the option to install the Yahoo toolbar.

8. Here are some helpful articles:
“How did I get infected?”
HERE

“I'm not pulling your leg, honest”
by Sandi Hardmeier
HERE

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users