Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Engines Provide Bogus Links to sites


  • This topic is locked This topic is locked
6 replies to this topic

#1 wkniffin

wkniffin

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 27 January 2009 - 10:51 AM

Yesterday I noticed that all of my searches in google had become faulty and were linking me to unrelated sites (nexplore/shopasearch/moxiesearch/couponmountain. The preview to the sites is original, but the link is unrelated. I looked at some other posts that were similar but nothing has helped so far. I also am not seeing the attachment option in this page. I don't know if it something wrong with my computer or what. Thanks for any help you can provide.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Travis at 9:44:40.64 on Tue 01/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1123 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Travis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [sealmon] c:\program files\sealedmedia\sealmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\travis\startm~1\programs\startup\autoba~1.lnk - c:\program files\memeo\autobackup\MemeoLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: wittenberg.edu
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161626235750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CD6A4567-126D-4526-BD77-6CE7789747D7} - hxxp://wittconnect.wittenberg.edu/WittConnectCheck.CAB
DPF: {D1479B2F-B273-45CA-B15F-7919985DA078} - hxxps://wittconnect.wittenberg.edu/WittConnectCheck.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\travis\applic~1\mozilla\firefox\profiles\xlpm2zog.default\
FF - prefs.js: browser.startup.homepage - www.wittenberg.edu

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-8-16 58464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-27 38496]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-8-16 108480]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-8-16 102463]
R4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-9-6 126976]
R4 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R4 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-9-6 122368]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-10-25 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-10-25 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-10-25 81288]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-3-31 245760]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-25 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-25 1079176]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-01-27 09:15 <DIR> --d----- c:\docume~1\travis\applic~1\Malwarebytes
2009-01-27 09:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-27 09:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-27 09:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 09:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-26 21:56 <DIR> --d----- c:\windows\ERUNT
2009-01-26 21:49 <DIR> --d----- C:\SDFix

==================== Find3M ====================

2009-01-26 21:38 4,532 a------- c:\windows\system32\tmp.reg
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2007-11-20 17:06 23,446 a------- c:\program files\zguicfgw.dat
2007-11-20 17:06 3,188 a------- c:\program files\zsnesw.cfg
2005-01-19 17:35 513,024 a------- c:\program files\zsnesw.exe
2008-09-13 15:22 952 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:47:29.76 ===============

BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:40 AM

Posted 04 February 2009 - 04:34 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
    Right-click it -> chose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 wkniffin

wkniffin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 04 February 2009 - 09:10 PM

Here are the combofix and dds logs. I have still been using my computer, but haven't downloaded and changed any files.

ComboFix 09-02-04.01 - Travis 2009-02-04 21:00:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1255 [GMT -5:00]
Running from: c:\documents and settings\Travis\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg
c:\windows\system32\wdmaud.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-01-27 09:15 . 2009-01-27 09:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 09:15 . 2009-01-27 09:15 <DIR> d-------- c:\documents and settings\Travis\Application Data\Malwarebytes
2009-01-27 09:15 . 2009-01-27 09:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 09:15 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-27 09:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 21:56 . 2009-01-26 21:56 <DIR> d-------- c:\windows\ERUNT
2009-01-26 21:49 . 2009-01-27 10:39 <DIR> d-------- C:\SDFix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 19:15 --------- d-----w c:\documents and settings\Travis\Application Data\OpenOffice.org2
2009-01-20 19:50 --------- d-----w c:\program files\Sportsbook Poker
2009-01-20 19:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-17 16:42 --------- d-----w c:\program files\FinePixViewer
2009-01-12 00:35 --------- d-----w c:\program files\NLVM
2009-01-12 00:33 --------- d--h--w c:\program files\Zero G Registry
2009-01-12 00:27 --------- d-----w c:\program files\Java
2008-12-18 21:19 --------- d-----w c:\program files\iTunes
2008-12-18 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 21:18 --------- d-----w c:\program files\iPod
2008-12-18 21:18 --------- d-----w c:\program files\Common Files\Apple
2008-12-18 21:16 --------- d-----w c:\program files\Bonjour
2008-12-18 21:15 --------- d-----w c:\program files\QuickTime
2008-12-18 21:09 --------- d-----w c:\program files\Apple Software Update
2008-12-18 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-12 17:33 3,060,224 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2007-11-20 22:06 3,188 ----a-w c:\program files\zsnesw.cfg
2007-11-20 22:06 23,446 ----a-w c:\program files\zguicfgw.dat
2005-01-19 22:35 513,024 ----a-w c:\program files\zsnesw.exe
2008-12-20 21:57 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 21:57 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 21:57 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 21:57 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 21:57 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-13 20:22 952 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 284184]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-11-15 746520]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-15 244512]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2007-06-04 296080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

c:\documents and settings\Travis\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - c:\program files\Memeo\AutoBackup\MemeoLauncher.exe [2007-02-08 211992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-06-05 1577035]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-03-31 24576]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-02-15 303104]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"aux2"= wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48558:UDP"= 48558:UDP:file sharring hmmm

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-08-16 58464]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-10-25 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26adf1fa-781b-11dc-9806-00114373ca83}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AAWTray - c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: wittenberg.edu
DPF: {CD6A4567-126D-4526-BD77-6CE7789747D7} - hxxp://wittconnect.wittenberg.edu/WittConnectCheck.CAB
DPF: {D1479B2F-B273-45CA-B15F-7919985DA078} - hxxps://wittconnect.wittenberg.edu/WittConnectCheck.CAB
FF - ProfilePath - c:\documents and settings\Travis\Application Data\Mozilla\Firefox\Profiles\xlpm2zog.default\
FF - prefs.js: browser.startup.homepage - www.wittenberg.edu
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 21:02:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Travis\LOCALS~1\Temp\Perflib_Perfdata_248c.dat

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-02-04 21:05:01
ComboFix-quarantined-files.txt 2009-02-05 02:04:04

Pre-Run: 3,809,087,488 bytes free
Post-Run: 3,806,248,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

162 --- E O F --- 2009-01-15 16:34:04



DDS (Ver_09-01-19.01) - NTFSx86
Run by Travis at 21:07:09.78 on Wed 02/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1202 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Travis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [sealmon] c:\program files\sealedmedia\sealmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
StartupFolder: c:\docume~1\travis\startm~1\programs\startup\autoba~1.lnk - c:\program files\memeo\autobackup\MemeoLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: wittenberg.edu
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161626235750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CD6A4567-126D-4526-BD77-6CE7789747D7} - hxxp://wittconnect.wittenberg.edu/WittConnectCheck.CAB
DPF: {D1479B2F-B273-45CA-B15F-7919985DA078} - hxxps://wittconnect.wittenberg.edu/WittConnectCheck.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\travis\applic~1\mozilla\firefox\profiles\xlpm2zog.default\
FF - prefs.js: browser.startup.homepage - www.wittenberg.edu

============= SERVICES / DRIVERS ===============

P4 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-8-16 58464]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-8-16 108480]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-8-16 102463]
R4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-9-6 126976]
R4 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-9-6 122368]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-10-25 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-10-25 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-10-25 81288]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-3-31 245760]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-25 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-25 1079176]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-02-04 20:59 <DIR> a-dshr-- C:\cmdcons
2009-02-04 20:57 161,792 a------- c:\windows\SWREG.exe
2009-02-04 20:57 98,816 a------- c:\windows\sed.exe
2009-01-27 09:15 <DIR> --d----- c:\docume~1\travis\applic~1\Malwarebytes
2009-01-27 09:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-27 09:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-27 09:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 09:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-26 21:56 <DIR> --d----- c:\windows\ERUNT
2009-01-26 21:49 <DIR> --d----- C:\SDFix

==================== Find3M ====================

2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2007-11-20 17:06 23,446 a------- c:\program files\zguicfgw.dat
2007-11-20 17:06 3,188 a------- c:\program files\zsnesw.cfg
2005-01-19 17:35 513,024 a------- c:\program files\zsnesw.exe
2008-09-13 15:22 952 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:07:31.90 ===============


Thanks again for all of your time.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:40 AM

Posted 05 February 2009 - 08:10 AM

Hello.

Those logs look clean. Are the symptoms still there?

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

F-Secure Online Scan
Please run F-Secure Online Scanner to see what we've missed.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also include a fresh DDS.txt.

With Regards,
The Panda

#5 wkniffin

wkniffin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 05 February 2009 - 05:05 PM

My symptoms have disappeared. Thanks for all of your help. If they do come back, would I need to create a new post?

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:40 AM

Posted 05 February 2009 - 05:33 PM

Hello.

Please follow the directions in my previous post. We need a final check.

In the future, start a new topic.

With Regards,
The Panda

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:40 AM

Posted 13 February 2009 - 06:03 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users