Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacker


  • This topic is locked This topic is locked
7 replies to this topic

#1 Henryroo

Henryroo

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 05 January 2009 - 09:13 PM

Similar to many other problems that I have seen on this forums, I seem to have some malware that is hijacking my google searches. I believe this was attained a week or so ago, when we downloaded IE 7, slightly before the security patch.

One of the links that google seems to send me to more than others is something along the lines of "security-antivirus.com", which is obviousley a scam of some sort.

Here is my DDS.txt file:


DDS (Version 1.1.0) - NTFSx86
Run by Henry at 20:47:16.53 on 2009-01-05
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.70 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Henry Lastname.LASTNAMEKIDS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.juno.com/s/sp?r=al&cf=sp&mem=mailchoice&key=e2e060f7004994902846a67c0fd84245&ts=41463164&A=357538320000019&B=1079510400000&C=1055055600000&D=1078905600000&I=7.JQ3&N=PLHS&O=A
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Advanced Searchbar: {43f02779-6d88-4958-8ad3-83c12d86adc7} - c:\program files\advanced searchbar\toolbar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Advanced Searchbar: {43f02779-6d88-4958-8ad3-83c12d86adc7} - c:\program files\advanced searchbar\toolbar.dll
TB: JunoBar: {f5735c15-1fb2-41fe-ba12-242757e69dde} - c:\program files\juno\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [uoltray] c:\program files\juno\exec.exe regrun
uRun: [Juno_uoltray] c:\program files\juno\exec.exe regrun
uRun: [Aim6]
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Display All Images with Full Quality - c:\program files\juno\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\juno\qsacc\appres.dll/227
IE: {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - c:\documents and settings\all users\desktop\Glophone.lnk
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43F02779-6D88-4958-8AD3-83C12D86ADC7} - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - c:\program files\advanced searchbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: earthlink.net\www
Trusted Zone: yahoo.com\launch
Trusted Zone: yahoo.com\music
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\henryg~1.gro\applic~1\mozilla\firefox\profiles\zchnzueu.default\
FF - prefs.js: browser.startup.homepage - hxxp://myembarq.com/index.php
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~2\20090102.006\naveng.sys [2009-1-2 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~2\20090102.006\navex15.sys [2009-1-2 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 EAPPkt;LevelOne EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-3-2 38144]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-27 24652]

=============== Created Last 30 ================

2009-01-05 15:34 <DIR> --d----- c:\program files\Trend Micro !--->external hard drive<---!
2009-01-01 10:59 35,262 a------- c:\windows\Eric.acl
2008-12-29 14:15 35,262 a------- c:\windows\Daniel.acl
2008-12-21 12:33 410,976 a------- c:\windows\system32\deploytk.dll
2008-12-20 14:28 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-20 14:28 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-20 14:28 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2008-12-20 14:28 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2008-12-20 14:28 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-20 14:28 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-20 14:28 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 14:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-20 14:28 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-12-18 21:15 716,800 a------- c:\windows\system32\SysInternalsBluescreen.scr !--->screensaver<---!
2008-12-18 08:04 <DIR> --d----- c:\windows\system32\scripting
2008-12-18 08:04 <DIR> --d----- c:\windows\l2schemas
2008-12-18 08:04 <DIR> --d----- c:\windows\system32\en
2008-12-18 07:57 <DIR> --d----- c:\windows\network diagnostic

==================== Find3M ====================

2009-01-05 20:36 31 a------- c:\documents and settings\henry
2009-01-05 17:12 389,120 a------- c:\windows\system32\CF24914.exe
2009-01-05 17:12 389,120 a------- c:\windows\system32\CF24907.exe
2008-12-18 08:08 78,991 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-15 20:00 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-06-20 20:50 722,176 ac------ c:\documents and settings\henry lastname.lastnamekids\gotomypc_428.exe
2005-07-12 09:18 483,401 ac------ c:\documents and settings\henry lastname.lastnamekids\gotomypc.exe

============= FINISH: 20:48:48.67 ===============

Any help would be greatly appreciated.

Thanks much,

Henry

Attached Files



BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:52 PM

Posted 14 January 2009 - 12:25 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on thr Norton icon (Posted Image) beside your click and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should recieve a pop-up warning saying that protection was disabled. The Norton icon should now look like Posted Image.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:52 PM

Posted 19 January 2009 - 03:39 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:52 PM

Posted 20 January 2009 - 11:58 AM

Reopened.

Download and Run DDS
DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

With Regards,
The Panda

Edited by PropagandaPanda, 20 January 2009 - 11:59 AM.


#5 Henryroo

Henryroo
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 20 January 2009 - 06:04 PM

Hello again, and thanks for helping me with this! As I said in my message, microsoft malicous software remover seems to have taken care of the problems, but I don't know if there's still something hidden within my computer. Anyways, here's my DDS.txt file--And just to let you know, I'm running XP



DDS (Ver_09-01-07.01) - NTFSx86
Run by Henry Grover at 17:59:37.03 on 2009-01-20
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.378 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Henry Grover.GROVERKIDS\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.juno.com/s/sp?r=al&cf=sp&mem=mailchoice&key=e2e060f7004994902846a67c0fd84245&ts=41463164&A=357538320000019&B=1079510400000&C=1055055600000&D=1078905600000&I=7.JQ3&N=PLHS&O=A
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: JunoBar: {f5735c15-1fb2-41fe-ba12-242757e69dde} - c:\program files\juno\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Advanced Searchbar: {43f02779-6d88-4958-8ad3-83c12d86adc7} - c:\program files\advanced searchbar\toolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [uoltray] c:\program files\juno\exec.exe regrun
uRun: [Juno_uoltray] c:\program files\juno\exec.exe regrun
uRun: [Aim6]
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Display All Images with Full Quality - c:\program files\juno\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\juno\qsacc\appres.dll/227
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: earthlink.net\www
Trusted Zone: yahoo.com\launch
Trusted Zone: yahoo.com\music
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\henryg~1.gro\applic~1\mozilla\firefox\profiles\zchnzueu.default\
FF - prefs.js: browser.startup.homepage - hxxp://myembarq.com/index.php
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~2\20090116.004\naveng.sys [2009-1-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~2\20090116.004\navex15.sys [2009-1-16 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 EAPPkt;LevelOne EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-3-2 38144]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-27 24652]

=============== Created Last 30 ================

2009-01-06 03:00 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-05 22:30 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-05 22:30 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-05 15:34 <DIR> --d----- c:\program files\Trend Micro
2009-01-01 10:59 35,262 a------- c:\windows\Eric.acl
2008-12-29 14:15 35,262 a------- c:\windows\Daniel.acl

==================== Find3M ====================


2009-01-05 17:12 389,120 a------- c:\windows\system32\CF24914.exe
2009-01-05 17:12 389,120 a------- c:\windows\system32\CF24907.exe
2008-12-21 12:33 410,976 a------- c:\windows\system32\deploytk.dll
2008-12-18 08:08 78,991 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-06-20 20:50 722,176 ac------ c:\documents and settings\henry grover.groverkids\gotomypc_428.exe
2005-07-12 09:18 483,401 ac------ c:\documents and settings\henry grover.groverkids\gotomypc.exe

============= FINISH: 18:00:43.14 ===============

Attached Files



#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:52 PM

Posted 20 January 2009 - 06:23 PM

Hello.

Looks like you are clean.

Let's update your Java and you should be good to go.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#7 Henryroo

Henryroo
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 20 January 2009 - 07:09 PM

Alright, thanks! :thumbsup:

It's a relief to know that Microsoft's removal tool is doing it's job (albeit a little later than it should have)

I did everything that you suggested in your previous post, and I don't have any questions.

Thanks for all the help,
Henry

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:52 PM

Posted 21 January 2009 - 08:13 AM

Welcome :thumbsup: .

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users