
Suspected Hijacking: Search Results Wrong


24 replies to this topic

#1 moozak


Posted 10 January 2009 - 06:29 AM

hi,

My name is moozak and I've been working on this problem for a few days. I have downloaded and scanned with many different tools via prior posts in another thread... but still have the same problem (suspected hijacking of some sort), and all scan results are so far clean. The complete story can be referenced here:

http://www.bleepingcomputer.com/forums/t/192908/web-browser-results-are-not-right/

...but the short story is this: using Google or Yahoo, the links for my web search results are not right. All my antivirus/adware programs (some purchased, some free) say I'm OK... but the results are still the same. I have spent several days running other scans via instructions from the thread above... still no luck.

So... I was instructed to download and run DDS and post the results here. Since I'm new to this I'm not exactly certain what to post, as there are 2 files saved from the DDS scan. I will post both; if I'm not supposed to, I apologize.

I will check back again soon... and thank you, in advance, for any help I receive! This is an annoying little bugger, whatever it is!


>>>>> First, the results of the DDS.txt file:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 5:57:22.28 on Sat 01/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.263 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - MoneySide
uRun: [WebCamRT.exe]
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRunOnce: [FlashPlayerUpdate] c:\winnt\system32\macromed\flash\FlashUtil9d.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\redcat~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [2008-10-5 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2004-3-21 392824]
R3 Anydlc;Anydlc;c:\winnt\system32\drivers\anydlc.sys [2002-7-12 36448]
R3 Appn;Appn;c:\winnt\system32\drivers\appn.sys [2002-7-12 1263040]
R3 AppnBase;AppnBase;c:\winnt\system32\drivers\appnbase.sys [2002-7-12 182400]
R3 KLOGNT;KLOGNT;c:\winnt\system32\drivers\klognt.sys [2002-7-12 22504]
R3 pdlnacom;PDLC Adapter -- COM;c:\winnt\system32\drivers\pdlnacom.sys [2002-7-12 74080]
R3 pdlnafac;PDLC Adapter Factory;c:\winnt\system32\drivers\pdlnafac.sys [2002-7-12 35120]
R3 pdlnampa;PDLC Adapter -- MultiProtocol Adapter;c:\winnt\system32\drivers\pdlnampa.sys [2002-7-12 88800]
R3 pdlnatcm;Twinax Adapter Common;c:\winnt\system32\drivers\pdlnatcm.sys [2002-7-12 19456]
R3 pdlnatdl;Twinax Adapter;c:\winnt\system32\drivers\pdlnatdl.sys [2002-7-12 16896]
R3 pdlnatnm;Twinax Adapter Namakan;c:\winnt\system32\drivers\pdlnatnm.sys [2002-7-12 64512]
R3 pdlnatsn;Twinax Adapter Snow;c:\winnt\system32\drivers\pdlnatsn.sys [2002-7-12 68608]
R3 pdlnawac;PDLC Adapter -- WACType;c:\winnt\system32\drivers\pdlnawac.sys [2002-7-12 69296]
R3 pdlncbas;PDLC CxM Classes;c:\winnt\system32\drivers\pdlncbas.sys [2002-7-12 5712]
R3 pdlncfwk;PDLC Connection Manager;c:\winnt\system32\drivers\pdlncfwk.sys [2002-7-12 159616]
R3 pdlndint;PDLC DLC Classes;c:\winnt\system32\drivers\pdlndint.sys [2002-7-12 11264]
R3 pdlndlpb;PDLC LAPB;c:\winnt\system32\drivers\pdlndlpb.sys [2002-7-12 70144]
R3 pdlndoem;PDLC OEM Interface;c:\winnt\system32\drivers\pdlndoem.sys [2002-7-12 17920]
R3 pdlndqll;PDLC QLLC;c:\winnt\system32\drivers\pdlndqll.sys [2002-7-12 52224]
R3 pdlndsdl;PDLC SDLC;c:\winnt\system32\drivers\pdlndsdl.sys [2002-7-12 66048]
R3 pdlndtdl;Twinax DLC;c:\winnt\system32\drivers\pdlndtdl.sys [2002-7-12 50688]
R3 pdlnebas;PDLC Environment;c:\winnt\system32\drivers\pdlnebas.sys [2002-7-12 7520]
R3 pdlnecfg;PDLC Configuration;c:\winnt\system32\drivers\pdlnecfg.sys [2002-7-12 49312]
R3 pdlnemap;PDLC Mapper;c:\winnt\system32\drivers\pdlnemap.sys [2002-7-12 66432]
R3 pdlnemsg;PDLC Message Driver;c:\winnt\system32\drivers\pdlnemsg.sys [2002-7-12 11648]
R3 pdlnepkt;PDLC Buffer Manager;c:\winnt\system32\drivers\pdlnepkt.sys [2002-7-12 18704]
R3 pdlnshay;PDLC Hayes At signalling;c:\winnt\system32\drivers\pdlnshay.sys [2002-7-12 59008]
R3 pdlnslea;PDLC SDLC Leased;c:\winnt\system32\drivers\pdlnslea.sys [2002-7-12 21408]
R3 pdlnsv25;PDLC V25bis signalling;c:\winnt\system32\drivers\pdlnsv25.sys [2002-7-12 53920]
R3 pdlnsx25;PDLC X.25;c:\winnt\system32\drivers\pdlnsx25.sys [2002-7-12 58096]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AppnApi;AppnApi;c:\winnt\system32\drivers\appnapi.sys [2002-7-12 116640]
R4 NsTrcNT;NsTrcNT;c:\winnt\system32\drivers\nstrcnt.sys [2002-7-12 10816]
R4 pcscoax;3270 Coax Driver;c:\winnt\system32\drivers\pcscoax.sys [2002-7-12 30208]
R4 pdlnctdl;Twinax CUT Adapter;c:\winnt\system32\drivers\pdlnctdl.sys [2002-7-12 10752]
R4 pdlndldl;IBM Enterprise Extender (HPR/IP);c:\winnt\system32\drivers\pdlndldl.sys [2002-7-12 57856]
R4 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
S3 IKFileSec;File Security Driver;c:\winnt\system32\drivers\ikfilesec.sys [2008-8-30 40840]
S3 IKSysFlt;System Filter Driver;c:\winnt\system32\drivers\iksysflt.sys [2008-8-30 66952]
S3 IKSysSec;System Security Driver;c:\winnt\system32\drivers\iksyssec.sys [2008-8-30 81288]
S3 iscFlash;iscFlash;\??\c:\winnt\system32\drivers\iscflash.sys --> c:\winnt\system32\drivers\iscflash.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-8-30 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-8-30 1079176]
S3 XIRLINK;Veo PC Camera;c:\winnt\system32\drivers\ucdnt.sys [2002-5-5 899884]
S4 ro0Srv;ro0 Service;c:\winnt\system32\ro0\ro0.exe --> c:\winnt\system32\ro0\ro0.exe [?]

=============== Created Last 30 ================

2009-01-06 17:50 --d----- c:\winnt\network diagnostic
2009-01-06 17:49 459,264 -------- c:\winnt\system32\dllcache\msfeeds.dll
2009-01-06 17:49 267,776 -------- c:\winnt\system32\dllcache\iertutil.dll
2009-01-06 17:49 52,224 -------- c:\winnt\system32\dllcache\msfeedsbs.dll
2009-01-06 17:49 383,488 -------- c:\winnt\system32\dllcache\ieapfltr.dll
2009-01-06 17:49 63,488 -------- c:\winnt\system32\dllcache\icardie.dll
2009-01-06 17:49 13,824 -------- c:\winnt\system32\dllcache\ieudinit.exe
2009-01-06 17:49 2,455,488 -------- c:\winnt\system32\dllcache\ieapfltr.dat
2009-01-06 17:49 991,232 -------- c:\winnt\system32\dllcache\ieframe.dll.mui
2009-01-06 17:49 6,066,176 -------- c:\winnt\system32\dllcache\ieframe.dll
2009-01-06 17:49 33,792 a------- c:\winnt\system32\dllcache\custsat.dll
2009-01-06 17:38 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-05 20:28 --d----- c:\program files\SUPERAntiSpyware
2009-01-05 20:28 --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-01-05 19:31 --d----- c:\program files\EsetOnlineScanner
2009-01-05 18:06 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-01-05 18:05 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-01-05 18:05 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-05 18:05 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 18:05 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-04 14:00 --d----- c:\program files\Trend Micro
2009-01-04 12:19 --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2008-10-17 02:08 3,593,216 -------- c:\winnt\system32\dllcache\mshtml.dll
2008-10-16 08:11 70,656 -------- c:\winnt\system32\dllcache\ie4uinit.exe
2008-10-15 02:06 633,632 -------- c:\winnt\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\winnt\system32\dllcache\ieakui.dll
2006-10-13 19:31 67,736 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 5:57:58.46 ===============



>>>>> Now the results of the ATTACH.txt file:



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/3/2002 8:18:01 PM
System Uptime: 1/10/2009 5:36:44 AM (0 hours ago)

Motherboard: Intel Corporation | | D845PT
Processor: Intel® Pentium® 4 CPU 2.00GHz | J1D1 | 1993/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 9.041 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&268D196D&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&268D196D&0
Service: i8042prt

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP118: 10/5/2008 6:53:20 PM - System Checkpoint
RP119: 10/6/2008 7:25:09 PM - System Checkpoint
RP120: 10/17/2008 5:24:07 PM - System Checkpoint
RP121: 10/26/2008 11:02:02 AM - System Checkpoint
RP122: 11/23/2008 9:49:10 AM - System Checkpoint
RP123: 11/28/2008 10:06:06 AM - System Checkpoint
RP124: 11/30/2008 8:55:08 AM - System Checkpoint
RP125: 12/8/2008 9:04:37 PM - System Checkpoint
RP126: 12/19/2008 4:51:07 PM - System Checkpoint
RP127: 12/20/2008 5:10:39 PM - System Checkpoint
RP128: 12/21/2008 7:37:02 AM - Installed Adobe Reader 9.
RP129: 12/27/2008 7:42:56 AM - System Checkpoint
RP130: 12/30/2008 8:08:53 AM - System Checkpoint
RP131: 1/1/2009 1:04:59 PM - System Checkpoint
RP132: 1/4/2009 12:20:43 PM - Installed Ad-Aware
RP133: 1/5/2009 8:28:22 PM - Installed SUPERAntiSpyware Free Edition
RP134: 1/6/2009 5:40:07 PM - Restore Operation
RP135: 1/6/2009 5:49:55 PM - Software Distribution Service 3.0
RP136: 1/6/2009 5:54:14 PM - Installed Windows XP KB915865.
RP137: 1/6/2009 5:55:00 PM - Installed Windows NLSDownlevelMapping.
RP138: 1/6/2009 5:55:38 PM - Installed Windows IDNMitigationAPIs.
RP139: 1/6/2009 5:56:56 PM - Installed Windows Internet Explorer 7.
RP140: 1/6/2009 5:57:49 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Adobe Acrobat 4.0
Adobe AIR
Adobe Flash Player 9 ActiveX
Adobe Reader 9
Amazing Slow Downer (remove only)
Anvil Studio
AOL Instant Messenger
Band-in-a-Box 2005
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Cobian Backup 8
Creative PlayCenter
Creative Recorder
DVD Player
Easy CD Creator 5 Basic
ESET Online Scanner
Free WMA to MP3 Converter 1.16
GTW V.92 Voicemodem
HelpSpot
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
IBM DB2 Performance Monitor V8
IBM Personal Communications
Insightbb.com QIC Service Activator
Intel® PRO Ethernet Adapter and Software
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_05
Java™ 6 Update 2
LG USB Drivers
LimeWire
LimeWire PRO 4.6.0
Malwarebytes' Anti-Malware
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo 2002
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MovieEdit Task
MUSICMATCH Jukebox
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PG Music DirectX Plugins 1.3.3.1
PhoneTools
PhotoStitch
Power Tab Editor 1.7
PS/2 Millennium Keyboard
QuickTime
RandyTab
RAW Image Task 1.1
RealPlayer Basic
Registry Mechanic 8.0
RemoteCapture Task 1.0.3
RTC Client API v1.2
Security Task Manager 1.7
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Shockwave
SightReader for the Guitar
Smart Protector
Sound Blaster Live! Value
SpotLife
Spyware Doctor 6.0
SUPERAntiSpyware Free Edition
Transcribe! 7.30
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB951072-v2)
Veo Advanced Connect
Veo Digital Studio
Viewpoint Media Player
VPN Client
WAV Splitter version 1.0
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Works Suite OS Pack
Works Synchronization
Yahoo! extras
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
ZoneAlarm

==== Event Viewer Messages From Past Week ========

1/5/2009 8:52:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC Buffer Manager service depends on the PDLC Message Driver service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC Hayes At signalling service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC SDLC Leased service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC V25bis signalling service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC X.25 service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC Adapter Factory service depends on the PDLC Message Driver service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC Connection Manager service depends on the PDLC Message Driver service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC DLC Classes service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC LAPB service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC QLLC service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC SDLC service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The PDLC Mapper service depends on the PDLC X.25 service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The AppnApi service depends on the PDLC Mapper service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The Cisco Systems, Inc. VPN Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
1/5/2009 8:53:36 PM, error: Service Control Manager [7001] - The IBM Enterprise Extender (HPR/IP) service depends on the PDLC OEM Interface service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2009 8:53:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT pctfw2 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip vsdatant WS2IFSL
1/5/2009 8:57:05 PM, error: Service Control Manager [7000] - The SABProcEnum service failed to start due to the following error: The system cannot find the file specified.
1/5/2009 9:05:21 PM, error: Service Control Manager [7034] - The TrcBoot service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Edited by moozak, 10 January 2009 - 07:05 AM.




#2 moozak


Posted 11 January 2009 - 07:01 AM

Additional Info:

As I was browsing the forums here... I came across a post which described a similar problem to mine. The person was directed to run Kaspersky Online Scanner, and so I thought I would try it. It did find something... so I thought I would post the scan results here:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 08:50:40
Records in database: 1601660
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 64942
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:26:37


File name / Threat name / Threats count
C:\w1tmfo.exe Infected: Trojan.Win32.FraudPack.gen 1
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9HP0HM5\index[3].htm Infected: Packed.JS.Agent.d 1
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S2OXNOQM\index[2] Infected: Trojan.Win32.FraudPack.gen 1
C:\WINNT\system32\wdmaud.sys Infected: Rootkit.Win32.Agent.fwt 1

The selected area was scanned.

Edited by moozak, 11 January 2009 - 07:10 AM.


#3 moozak


Posted 11 January 2009 - 09:59 AM

The weird thing here is this: I just spent several hours running PC Tools Spyware Doctor w/ antivirus engine... using its most current updates... and no virus was found.

So, I'm still worried... and a bit puzzled to boot.

Edited by moozak, 11 January 2009 - 10:00 AM.


#4 moozak


Posted 12 January 2009 - 10:47 AM

It's been several days of working on this and no reply... have I posted incorrectly?

I really need some help.

#5 suebaby41

  • Malware Response Team

Posted 25 January 2009 - 01:27 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random, which includes a HijackThis log, and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#6 moozak


Posted 26 January 2009 - 05:56 AM

Thanks, I will try to do this when I get home tonight.

#7 moozak


Posted 28 January 2009 - 07:11 PM

OK... here are the LOG.TXT results from RSIT
(P.S. I apologize for taking a few days to answer... we've been dealing with a snow storm here)





Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2009-01-28 19:07:03
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 10 GB (25%) free of 38 GB
Total RAM: 511 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:08 PM, on 1/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\drivers\ldlcserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\PC Tools - AntiVirus\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\System32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\System32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Global Startup: RedCats USA VPN CLient.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notes1.redcatsusa.com/iNotes6W.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ro0 Service (ro0Srv) - Unknown owner - C:\WINNT\system32\ro0\ro0.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4760 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [2007-07-12 132496]
"Zone Labs Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2006-08-23 968696]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"= []
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
RedCats USA VPN CLient.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ro0Srv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ro0Srv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.ini - open - C:\WINNT\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINNT\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 3 months======

2009-01-28 19:07:03 ----D---- C:\rsit
2009-01-06 17:58:12 ----D---- C:\WINNT\ie7updates
2009-01-06 17:57:12 ----D---- C:\WINNT\WBEM
2009-01-06 17:57:10 ----D---- C:\WINNT\system32\en-US
2009-01-06 17:55:50 ----HDC---- C:\WINNT\ie7
2009-01-06 17:55:33 ----HDC---- C:\WINNT\$NtServicePackUninstallIDNMitigationAPIs$
2009-01-06 17:54:55 ----HDC---- C:\WINNT\$NtServicePackUninstallNLSDownlevelMapping$
2009-01-06 17:54:09 ----HDC---- C:\WINNT\$NtUninstallKB915865$
2009-01-06 17:54:04 ----N---- C:\WINNT\system32\xmllite.dll
2009-01-06 17:50:29 ----D---- C:\WINNT\network diagnostic
2009-01-06 17:50:28 ----HDC---- C:\WINNT\$NtUninstallKB914440$
2009-01-06 17:50:16 ----HDC---- C:\WINNT\$NtUninstallKB904942$
2009-01-06 17:38:43 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-05 20:28:25 ----D---- C:\Program Files\SUPERAntiSpyware
2009-01-05 20:28:25 ----D---- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2009-01-05 19:31:45 ----D---- C:\Program Files\EsetOnlineScanner
2009-01-05 18:06:01 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-01-05 18:05:53 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-05 18:05:53 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-04 14:00:53 ----D---- C:\Program Files\Trend Micro
2009-01-04 12:19:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-21 07:40:19 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-12-21 07:40:13 ----D---- C:\Documents and Settings\Owner\Application Data\Adobe
2008-12-21 07:38:08 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-21 07:37:27 ----D---- C:\Program Files\Adobe
2008-12-21 07:33:30 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2008-12-21 07:33:25 ----D---- C:\Program Files\NOS

======List of files/folders modified in the last 3 months======

2009-01-28 19:07:08 ----D---- C:\WINNT\Prefetch
2009-01-28 19:05:26 ----AD---- C:\WINNT\system32
2009-01-28 19:05:26 ----A---- C:\WINNT\system32\PerfStringBackup.INI
2009-01-28 19:02:45 ----D---- C:\WINNT\Internet Logs
2009-01-28 19:01:33 ----D---- C:\WINNT\Temp
2009-01-25 18:53:11 ----A---- C:\WINNT\SchedLgU.Txt
2009-01-14 19:01:06 ----D---- C:\WINNT\system32\CatRoot2
2009-01-12 03:46:14 ----D---- C:\Program Files\Personal Communications
2009-01-12 03:35:54 ----A---- C:\WINNT\win.ini
2009-01-11 09:57:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-11 09:57:04 ----D---- C:\Program Files\Spyware Doctor
2009-01-11 07:19:33 ----D---- C:\WINNT\system32\drivers
2009-01-10 05:46:01 ----SD---- C:\WINNT\Downloaded Program Files
2009-01-08 18:33:58 ----A---- C:\WINNT\ntbtlog.txt
2009-01-06 18:36:10 ----SD---- C:\WINNT\Tasks
2009-01-06 18:34:33 ----D---- C:\Cakewalk Projects
2009-01-06 18:33:09 ----AD---- C:\Program Files
2009-01-06 18:01:05 ----AD---- C:\WINNT
2009-01-06 18:00:27 ----RSHD---- C:\WINNT\system32\dllcache
2009-01-06 18:00:27 ----D---- C:\WINNT\Help
2009-01-06 18:00:27 ----D---- C:\Program Files\Internet Explorer
2009-01-06 17:59:01 ----HD---- C:\WINNT\inf
2009-01-06 17:58:37 ----HD---- C:\WINNT\$hf_mig$
2009-01-06 17:58:31 ----A---- C:\WINNT\imsins.BAK
2009-01-06 17:57:22 ----D---- C:\WINNT\system32\config
2009-01-06 17:57:04 ----D---- C:\WINNT\Media
2009-01-06 17:38:43 ----SHD---- C:\WINNT\Installer
2009-01-06 17:35:44 ----D---- C:\Program Files\Registry Mechanic
2009-01-05 20:53:38 ----D---- C:\WINNT\security
2009-01-05 19:45:02 ----D---- C:\Program Files\AIM
2009-01-04 13:21:07 ----D---- C:\data-d
2009-01-04 13:19:35 ----D---- C:\Program Files\America Online 7.0
2009-01-04 12:19:27 ----D---- C:\Program Files\Common Files
2008-12-21 07:38:37 ----D---- C:\Program Files\Common Files\Adobe
2008-12-21 07:38:24 ----D---- C:\WINNT\WinSxS
2008-12-19 15:05:05 ----D---- C:\Program Files\LimeWire
2008-12-18 15:37:22 ----D---- C:\family_pics
2008-12-09 15:24:38 ----A---- C:\WINNT\system32\MRT.exe
2008-11-20 09:36:45 ----D---- C:\Documents and Settings\Owner\Application Data\PC Tools

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINNT\system32\drivers\Cdr4_xp.sys [2002-02-28 57136]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2002-02-28 23721]
R1 cdudf_xp;cdudf_xp; C:\WINNT\system32\drivers\cdudf_xp.sys [2002-02-28 233984]
R1 intelppm;Intel Processor Driver; C:\WINNT\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 pctfw2;pctfw2; \??\C:\WINNT\system32\drivers\pctfw2.sys []
R1 pwd_2K;pwd_2K; C:\WINNT\system32\drivers\pwd_2K.sys [2002-02-28 110278]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0; C:\WINNT\System32\DRIVERS\Sk9920nt.sys [2000-09-12 6208]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINNT\system32\drivers\UdfReadr_xp.sys [2002-01-23 206208]
R1 vsdatant;vsdatant; C:\WINNT\System32\vsdatant.sys [2006-08-23 392824]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 AppnApi;AppnApi; C:\WINNT\System32\drivers\appnapi.sys [2000-04-18 116640]
R2 ASCTRM;ASCTRM; C:\WINNT\system32\drivers\ASCTRM.sys [2003-01-25 8552]
R2 CVPNDRVA;RedCats USA IPsec Driver; \??\C:\WINNT\System32\Drivers\CVPNDRVA.sys []
R2 NsTrcNT;NsTrcNT; C:\WINNT\System32\drivers\nstrcnt.sys [2000-04-18 10816]
R2 pcscoax;3270 Coax Driver; C:\WINNT\System32\drivers\pcscoax.sys [2000-04-18 30208]
R2 pdlnctdl;Twinax CUT Adapter; C:\WINNT\System32\drivers\pdlnctdl.sys [2000-04-18 10752]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP); C:\WINNT\System32\drivers\pdlndldl.sys [2000-04-18 57856]
R2 PfModNT;PfModNT; \??\C:\WINNT\System32\PfModNT.sys []
R3 Anydlc;Anydlc; C:\WINNT\System32\drivers\anydlc.sys [2000-04-18 36448]
R3 Appn;Appn; C:\WINNT\System32\drivers\appn.sys [2000-04-18 1263040]
R3 AppnBase;AppnBase; C:\WINNT\System32\drivers\AppnBase.sys [2000-04-18 182400]
R3 ctljystk;Creative SBLive! Gameport; C:\WINNT\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINNT\System32\DRIVERS\dne2000.sys [2003-07-24 139604]
R3 E100B;Intel® PRO Adapter Driver; C:\WINNT\System32\DRIVERS\e100b325.sys [2002-01-28 119808]
R3 emu10k;Creative SB Live! (WDM); C:\WINNT\system32\drivers\emu10k1m.sys [2001-08-17 283904]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINNT\system32\drivers\ctlfacem.sys [2001-08-17 6912]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINNT\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2004-09-14 13872]
R3 GTWModem;GTW V.92 Voicemodem; C:\WINNT\System32\DRIVERS\GWMDM.sys [2002-03-06 1167936]
R3 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 KLOGNT;KLOGNT; C:\WINNT\System32\drivers\klognt.sys [2000-04-18 22504]
R3 mmc_2K;mmc_2K; C:\WINNT\system32\drivers\mmc_2K.sys [2002-02-28 24918]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINNT\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINNT\system32\drivers\MxlW2k.sys [2003-08-24 28276]
R3 nv4;nv4; C:\WINNT\System32\DRIVERS\nv4_mini.sys [2001-08-30 829305]
R3 pdlnacom;PDLC Adapter -- COM; C:\WINNT\System32\drivers\pdlnacom.sys [2000-04-18 74080]
R3 pdlnafac;PDLC Adapter Factory; C:\WINNT\System32\drivers\pdlnafac.sys [2000-04-18 35120]
R3 pdlnampa;PDLC Adapter -- MultiProtocol Adapter; C:\WINNT\System32\drivers\pdlnampa.sys [2000-04-18 88800]
R3 pdlnatcm;Twinax Adapter Common; C:\WINNT\System32\drivers\pdlnatcm.sys [2000-04-18 19456]
R3 pdlnatdl;Twinax Adapter; C:\WINNT\System32\drivers\pdlnatdl.sys [2000-04-18 16896]
R3 pdlnatnm;Twinax Adapter Namakan; C:\WINNT\System32\drivers\pdlnatnm.sys [2000-04-18 64512]
R3 pdlnatsn;Twinax Adapter Snow; C:\WINNT\System32\drivers\pdlnatsn.sys [2000-04-18 68608]
R3 pdlnawac;PDLC Adapter -- WACType; C:\WINNT\System32\drivers\pdlnawac.sys [2000-04-18 69296]
R3 pdlncbas;PDLC CxM Classes; C:\WINNT\System32\drivers\pdlncbas.sys [2000-04-18 5712]
R3 pdlncfwk;PDLC Connection Manager; C:\WINNT\System32\drivers\pdlncfwk.sys [2000-04-18 159616]
R3 pdlndint;PDLC DLC Classes; C:\WINNT\System32\drivers\pdlndint.sys [2000-04-18 11264]
R3 pdlndlpb;PDLC LAPB; C:\WINNT\System32\drivers\pdlndlpb.sys [2000-04-18 70144]
R3 pdlndoem;PDLC OEM Interface; C:\WINNT\System32\drivers\pdlndoem.sys [2000-04-18 17920]
R3 pdlndqll;PDLC QLLC; C:\WINNT\System32\drivers\pdlndqll.sys [2000-04-18 52224]
R3 pdlndsdl;PDLC SDLC; C:\WINNT\System32\drivers\pdlndsdl.sys [2000-04-18 66048]
R3 pdlndtdl;Twinax DLC; C:\WINNT\System32\drivers\pdlndtdl.sys [2000-04-18 50688]
R3 pdlnebas;PDLC Environment; C:\WINNT\System32\drivers\pdlnebas.sys [2000-04-18 7520]
R3 pdlnecfg;PDLC Configuration; C:\WINNT\System32\drivers\pdlnecfg.sys [2000-04-18 49312]
R3 pdlnemap;PDLC Mapper; C:\WINNT\System32\drivers\pdlnemap.sys [2000-04-18 66432]
R3 pdlnemsg;PDLC Message Driver; C:\WINNT\System32\drivers\pdlnemsg.sys [2000-04-18 11648]
R3 pdlnepkt;PDLC Buffer Manager; C:\WINNT\System32\drivers\pdlnepkt.sys [2000-04-18 18704]
R3 pdlnshay;PDLC Hayes At signalling; C:\WINNT\System32\drivers\pdlnshay.sys [2000-04-18 59008]
R3 pdlnslea;PDLC SDLC Leased; C:\WINNT\System32\drivers\pdlnslea.sys [2000-04-18 21408]
R3 pdlnsv25;PDLC V25bis signalling; C:\WINNT\System32\drivers\pdlnsv25.sys [2000-04-18 53920]
R3 pdlnsx25;PDLC X.25; C:\WINNT\System32\drivers\pdlnsx25.sys [2000-04-18 58096]
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINNT\system32\drivers\sfmanm.sys [2001-08-17 36480]
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000; C:\WINNT\System32\DRIVERS\Sk99202k.sys [2000-09-11 7552]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINNT\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 BCMModem;BCM V.90 56K Modem; C:\WINNT\System32\DRIVERS\BCMDM.sys [2001-08-17 871388]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINNT\System32\DRIVERS\CVirtA.sys [2005-02-08 5185]
S3 dvd_2K;dvd_2K; C:\WINNT\system32\drivers\dvd_2K.sys [2002-02-28 24502]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINNT\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 IKFileSec;File Security Driver; C:\WINNT\system32\drivers\ikfilesec.sys [2008-10-05 40840]
S3 IKSysFlt;System Filter Driver; C:\WINNT\system32\drivers\iksysflt.sys [2008-10-05 66952]
S3 IKSysSec;System Security Driver; C:\WINNT\system32\drivers\iksyssec.sys [2008-10-05 81288]
S3 iscFlash;iscFlash; \??\C:\WINNT\SYSTEM32\DRIVERS\iscflash.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\System32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PCDRDRV;Pcdr Helper Driver; \??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 PcdrNt;PcdrNt; C:\WINNT\System32\drivers\PcdrNt.sys [2000-03-22 44192]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\System32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINNT\System32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbaudio;USB Audio Driver (WDM); C:\WINNT\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINNT\System32\DRIVERS\lgusbbus.sys [2005-05-26 21344]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINNT\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINNT\System32\DRIVERS\lgusbdiag.sys [2005-05-26 38144]
S3 USBModem;LGE CDMA USB Modem; C:\WINNT\System32\DRIVERS\lgusbmodem.sys [2005-06-24 39036]
S3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 wanatw;WAN Miniport (ATW); C:\WINNT\System32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINNT\System32\Drivers\wpdusb.sys [2004-09-22 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\System32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 XIRLINK;Veo PC Camera; C:\WINNT\System32\DRIVERS\ucdnt.sys [2002-03-12 899884]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINNT\System32\CTsvcCDA.exe [1999-12-13 44032]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2005-04-07 1421336]
R2 ldlcserv;LocalSystem; C:\WINNT\System32\drivers\ldlcserv.exe [2000-04-18 24064]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINNT\System32\nvsvc32.exe [2001-08-30 57344]
R2 TrcBoot;TrcBoot; C:\WINNT\System32\drivers\trcboot.exe [2000-04-18 28160]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINNT\System32\wdfmgr.exe [2004-09-22 38912]
R2 vsmon;TrueVector Internet Monitor; C:\WINNT\system32\ZoneLabs\vsmon.exe [2006-08-23 75768]
S2 ro0Srv;ro0 Service; C:\WINNT\system32\ro0\ro0.exe []
S3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2004-12-18 327680]
S3 PictureTaker;PictureTaker; c:\fixit\pt\PCTKRNT.SYS []
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-11-20 1079176]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2004-05-13 193760]

-----------------EOF-----------------

Edited by moozak, 28 January 2009 - 07:13 PM.
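
As an added example (not part of the original thread and not code from RSIT, HijackThis or any tool the poster ran), the script below triages the O23 service lines and the SafeBoot registry keys from the log above. The sample input is copied verbatim from that log; the parsing rules and the three signals (binary missing on disk, no publisher information, and a SafeBoot\Minimal or SafeBoot\network entry that lets the service start in Safe Mode) are my own assumptions about how a first pass over such a log should work, not anything the thread states.

```python
import re
from dataclasses import dataclass, field

# Input lines copied verbatim from the RSIT/HijackThis log posted above
# (O23 service entries plus the SafeBoot keys from the registry dump).
SAMPLE_LOG = r"""
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINNT\System32\drivers\ldlcserv.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ro0 Service (ro0Srv) - Unknown owner - C:\WINNT\system32\ro0\ro0.exe (file missing)
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ro0Srv]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ro0Srv]
"""

# HijackThis O23 layout: "O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]".
# The short name in parentheses is optional. These parsing rules are my own assumption.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A service keyed under SafeBoot\Minimal or SafeBoot\network may start in Safe Mode.
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(?P<profile>Minimal|network)\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)


@dataclass
class Service:
    name: str
    owner: str
    path: str
    file_missing: bool
    safeboot: set = field(default_factory=set)  # SafeBoot profiles that list this service

    def reasons(self):
        """Triage signals that apply to this service; an empty list means nothing stood out."""
        out = []
        if self.file_missing:
            out.append("registered binary is not on disk")
        if self.owner.lower() == "unknown owner":
            out.append("no publisher information")
        if self.safeboot:
            out.append("allowed to start in Safe Mode (%s)" % ", ".join(sorted(self.safeboot)))
        return out


def parse_log(text):
    """Map lower-cased service name -> Service, with SafeBoot keys joined onto the services."""
    services, safeboot = {}, []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            name = m.group("name") or m.group("display")
            services[name.lower()] = Service(
                name=name,
                owner=m.group("owner"),
                path=m.group("path"),
                file_missing=m.group("missing") is not None,
            )
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            safeboot.append((m.group("name").lower(), m.group("profile")))
    for name, profile in safeboot:
        if name in services:
            services[name].safeboot.add(profile)
    return services


def triage(text):
    """[(service name, [reasons])] for every service with at least one signal, most signals first."""
    findings = [(s.name, s.reasons()) for s in parse_log(text).values() if s.reasons()]
    findings.sort(key=lambda f: (-len(f[1]), f[0].lower()))
    return findings


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print("%-14s %s" % (name, "; ".join(why)))
```

Run stand-alone, it lists `ro0Srv` first with all three signals, then `PictureTaker` with two, and then three services with a single signal each. Two points worth noting: a lone signal is not evidence of infection (Ad-Aware legitimately registers `aawservice` under SafeBoot\Minimal so it can run in Safe Mode), and "(file missing)" on an O23 line means only that HijackThis could not see the file through the normal directory API, which covers both a payload that was removed while its service stayed registered and a file that is being hidden from that listing. That is why an entry combining a missing binary, no owner and Safe Mode persistence, as `ro0Srv` does here, deserves a rootkit-aware look rather than a plain file search.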


#8 moozak (Topic Starter)

Posted 02 February 2009 - 06:23 AM

hi suebaby41...

it's been 5 days or so since i posted the results that you asked for... i'm just checking in to see if there has been any progress on this.

i suspect that i have some sort of browser hijack... but i just can't seem to get rid of it.

thanks,

jr

#9 suebaby41 (W.A.M. (Women Against Malware), Malware Response Team)

Posted 02 February 2009 - 06:26 AM

Just started on your log. Sorry for the delay in responding. We have really been busy.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#10 suebaby41

Posted 02 February 2009 - 06:45 AM

This entry is identified as a business-related program from IBM. It will be found in large corporations, and will most likely never be found on a home desktop since this is business-related software.

C:\Program Files\Personal Communications\PCS_AGNT.EXE

Is this a business computer?
If it is, are you the domain administrator? If you are not, have you informed your domain administrator, (business manager, Systems Analyst, or Information Technology (IT) Specialist)?

I ask because I do not help in cleaning business or corporate computers for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.


#11 moozak (Topic Starter)

Posted 02 February 2009 - 10:34 AM

""" This entry is identified as a business related program from IBM. It will be found in large corporations, and will most likely never be found on a home desktop since this is business related software."""

i am a "mainframe" IT professional - this is my HOME computer... NOT a BUSINESS computer. i simply happen to have a version of IBM Personal Communications on my home computer ONLY so that i may connect to work when called to fix a database problem during non-working hours. i also have some database monitoring software on this home computer as well... but it is indeed my HOME computer and, other than those tools that allow me to do my job from home, this computer has nothing to do with my company.

sadly, even though i am a "mainframe" IT professional, i don't know as much about my home computer as i probably should... which is why i need help with what seems to be a browser hijacking.

Edited by moozak, 02 February 2009 - 10:47 AM.


#12 suebaby41

Posted 02 February 2009 - 02:10 PM

I repeat why I do not work on business computers and this may well apply to your situation:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.
I have some bad news for you.

O23 - Service: ro0 Service (ro0Srv) - Unknown owner - C:\WINNT\system32\ro0\ro0.exe (file missing)

The entry above indicates your computer is infected with the Backdoor.HackDefender Rootkit. A backdoor trojan rootkit leaves a backdoor open on the system that can allow a hacker total and complete access to your computer. Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, take screenshots, log passwords, and start and stop programs. Backdoor trojans send your identity information to a third party who may use that information for their own purposes such as identity theft, stolen bank funds, stealing credit card information, etc.

Before deciding whether your computer needs cleaning or reformatting, you need to ask yourself some very serious questions.

Do you use your computer for any of the following?
  • Online banking/Business purposes
  • storing sensitive or very personal information
If you answered yes to any of those questions, you should disconnect your computer from the Internet and do a complete format and reinstall. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should change any other passwords you use as these may have been compromised.

David Bach's Six Ways to Avoid Identity Theft

Here are six things you need to know to fight back against identity theft:

1. Keep your private information private.

Half of all identity theft in which the thief is identified is committed by a friend, coworker, neighbor, in-home employee, or relative of the victim. So make it a habit not to leave things lying around at home or in the office -- specifically your wallet, checkbook, or anything else containing private or financial information, including your mail.

Also, before you toss anything in the trash containing your private information, be sure to shred it. This isn't new advice, but I'd be remiss not to mention it.

2. Get a copy of your credit reports.

Often, victims of identity theft have no idea their credit is being used or destroyed until they apply for a loan and pull their credit score. So pull your credit report now, and make a plan to check it regularly.

By law, you're entitled to a free credit report from each of the three major credit bureaus -- Equifax, Experian, and TransUnion -- once every year. Go to AnnualCreditReport.com and stagger your requests so that you'll receive one report from each credit bureau every four months. Put the dates on your calendar so you don't forget. Keep in mind that this is for your free credit report only, not your credit score.

For your credit score, you'll need to go to myFICO. While you're there, you may want to check out their Identity Theft Security Deluxe product, which monitors your credit score and credit report automatically for $49.95 a year.

3. Find out if your state has a credit freeze law.

Here's a virtually foolproof way to prevent a thief from stealing your identity and using your personal data to get approved for credit. With this new law you're able to block ("freeze") all access to your credit report and credit score.

It's not necessarily the most convenient solution to protect yourself from fraud. Anytime you need to have your credit checked -- for instance, if you're buying a car or cell phone or even interviewing for a job -- you'll need to lift the block ("thaw" your record), which takes about three days. But if you have real concerns about identity theft or perhaps are already a victim, this is an option you may want to consider.

Some states will only grant a credit freeze if you're already a victim of identity theft. Find out if your state has a credit freeze law, including what it costs, by visiting FinancialPrivacyNow.org.

4. Check your bank statements weekly.

One of the great things about online banking is that you can log on and check your account at any time. Make a point of checking your bank statement weekly to be sure there aren't any red flags.

The same goes for your credit card statements. In fact, you may want to consider canceling your paper statements altogether and opting for online statements. After all, you're more likely to have personal information stolen from your mail than from the Internet.

That said, be sure to always use a secure computer. Using a public computer, like one at your local library, is risky due to tracking software that thieves can use to steal your passwords.

5. Be computer savvy.

Even though a relatively small percentage of identity theft occurs online, you should still take necessary precautions.

In addition to being careful about surfing the web on public computers, you should also be aware of the risks involved when using a wireless connection. Wi-Fi and Bluetooth are becoming increasingly popular, and as a result, there is bound to be an increase in wireless hacking.

Wireless connectivity is the perfect platform for thieves to get your personal data. If you have a wireless network at home or work, make sure you are incorporating password-protection and encryption. When accessing public hotspots, use a personal firewall.

Also, keep your computer safe by updating your antivirus and anti-spyware programs regularly. Use passwords so that others can't log on to your computer, laptop, or even your PDA, and be sure to change your passwords often.

Be smart about phishing scams, too. That's when you're sent an email that requests your personal or financial information, or that prompts you to click a link to provide your personal or financial information. If you're unsure of the legitimacy of such a request, call the company that it was supposedly sent from. If an email seems suspicious, it usually is.

6. Be aware of "deleted" data.

The Washington Post recently ran an article on mobile phones -- specifically "smartphones" like the Palm Treo and BlackBerry -- that was quite an eye-opener.

According to the story, resetting your phone to wipe out personal data doesn't exactly delete information. It turns out that your phone's operating system never actually deletes data, only the pointers to where the data is located. Anyone with the right software can recover information that was stored on your phone once you sell or discard it.

What you need to do is contact the device manufacturer for complete instructions on how to wipe your data clean. You can also visit WirelessRecycling.com for instructions. And think twice about what information you store on your device in case it's ever lost or stolen.

If Your Identity Is Stolen

Take the above steps and -- should you ever find yourself in the unfortunate position of having had your identity stolen -- you'll commend yourself for being proactive enough to identify a problem before too much damage was done.

Don't waste a minute once you've discovered suspicious activity -- go directly to the website of the Federal Trade Commission to file a complaint and access their comprehensive guide on the steps you'll need to follow to resolve the situation.

I recommend backing up your important files and reinstalling everything from scratch. There are so many changes that could have been made if that backdoor was used. Even if we cleaned the infections, it would not help to recover the information that has been compromised, and there is no guarantee that your computer would be safe to use. It is dangerous and incorrect to assume that simply because one backdoor trojan has been removed from your computer that your computer is now secure.

If you only use your computer for music/games etc, your better option would be to clean it of infections rather than do a reformat. The decision must be made by you.

Here are some informative links to use to help you make a decision:

Danger: Remote Access Trojans

Consumers – Identity Theft

When should I re-format? How should I reinstall?

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Rootkits: The Obscure Hacker Attack

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

Microsoft Says Recovery from Malware Becoming Impossible

How to report ID theft, fraud, drive-by installs, hijacking and malware? (#10451)

However, if you do not have the resources to reformat your computer and reinstall your operating system and programs, I will be happy to attempt to clean it.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.

Edited by suebaby41, 02 February 2009 - 02:44 PM.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#13 moozak

moozak
  • Topic Starter

  • Members
  • 24 posts
  • Local time:09:08 AM

Posted 02 February 2009 - 02:37 PM

ok but i'm a bit confused... i haven't done anything since posting the last log above? i have not been using the computer for anything due to the problem. should i still post a new HJT log?

#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:08 AM

Posted 02 February 2009 - 04:09 PM

When I was looking at your log, I noted the suspicious entry. I do not need a new HijackThis log until I get your decision on what you want to do - reformat or attempt cleaning. I highly recommend reformatting due to the serious nature of the infection.

#15 moozak

moozak
  • Topic Starter

  • Members
  • 24 posts
  • Local time:09:08 AM

Posted 02 February 2009 - 05:59 PM

well, i do understand that, weeks ago when i started this process, i could have reinstalled from scratch... so i was hoping to find a way around doing that.

i have not been using this computer for any financially related transactions since i realized there was an infection... and all appropriate passwords have been changed weeks ago.

if possible, i would like to try to clean things up without going thru the hassle of starting over... do you think there is any possible way around it without doing a reinstall? if not, i understand... just trying to get a grasp on the depth of this situation.

thanks

Edited by moozak, 02 February 2009 - 06:01 PM.
