Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Serious Browser Hijacker / Blocking of adware and spyware sites and programs


  • Please log in to reply
18 replies to this topic

#1 noitslettia

noitslettia

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 24 March 2009 - 01:10 AM

Hello- this just started today. I'm usually good at getting rid of spyware on my own but this is out of my league.
Description: Search engines (Yahoo, Google, etc) go through a third-party site before they connect me with the link I click on and sometimes just re-route me to a shady, generic search engine. Also, I cannot connect to the "www.safer-networking.org" website EVEN if I type it into the URL bar, it just re-routes me to Google search and then will not display the webpage. The Hijacker seems to be working even when I try to connect to these websites when I am in Safe Mode (running Windows XP, to let you know). Whatever I have seems to anticipate popular adware sites and will not allow me to connect.

Also, even stranger, I can't access my C://. When I double-click on it, I get this message:

Title: RECYCLER\S-2-5-65-100008470-100001404-1000021667-7435.com
Text: Windows cannot find 'RECYCLER\S-2-5-65-100008470-100001404-1000021667-7435.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Oh, and System Restore doesn't work either. I click on the final "Next" button and...nothing.
Any help will be GREATLY appreciated.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:28 AM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - (no file)
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1193152601\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-3551311873-3984928036-2764790200-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/Config/p.../pr/prsetup.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54477CD1-AC15-47CD-A92D-3464D36BA8C6}: NameServer = 85.255.112.91,85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\..\{7160AC79-B32C-40CB-9EAF-08B01F96EBA2}: NameServer = 85.255.112.91,85.255.112.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.91,85.255.112.85
O17 - HKLM\System\CS1\Services\Tcpip\..\{54477CD1-AC15-47CD-A92D-3464D36BA8C6}: NameServer = 85.255.112.91,85.255.112.85
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.209,85.255.112.191
O17 - HKLM\System\CS2\Services\Tcpip\..\{54477CD1-AC15-47CD-A92D-3464D36BA8C6}: NameServer = 85.255.112.209,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.91,85.255.112.85
O18 - Filter hijack: text/html - {ee583585-1201-40e2-b558-6792c255cc63} - C:\WINDOWS\system32\mst123.dll
O20 - AppInit_DLLs: c:\program files\permissionresearch\prai.dll
O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Update Service (gupdate1c992ba98ca05de) (gupdate1c992ba98ca05de) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 12421 bytes

BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 01 April 2009 - 04:06 PM

hi,

sorry for delay, no shortage of posters. Your DNS look up has been changed to re-route your browsing.
this should take care of it;

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click **Remove Selected.**
**A restart of your computer most likely will be required to remove some items.**
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

When done with MBAM, rescan and post a new hjt log also.

How Can I Reduce My Risk to Malware?


#3 noitslettia

noitslettia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 01 April 2009 - 04:32 PM

Yes, there's a problem with that. Since my browser re-routes everything, it will not even allow me to connect to the malwarebytes.org website. I managed to download it from the website here, but now the program will not launch. This has happened with every anti-spyware I can find.

Suggestions?

#4 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 01 April 2009 - 07:33 PM

You can try renaming the malwarebytes .exe to something else. Right click on the icon>rename, change it to scanme or something and see if it will start up then.

How Can I Reduce My Risk to Malware?


#5 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 01 April 2009 - 08:23 PM

If renaming it dosnt work you can try uninstalling the current version via add/remove programs panel then downloading a new copy, except this time before saving it change it from mbam-setup.exe to something like scanner.exe then save it to your computer and install.

How Can I Reduce My Risk to Malware?


#6 noitslettia

noitslettia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 01 April 2009 - 09:06 PM

I tried renaming it, I tried uninstalling the current version and downloading a new copy and I saved it as something completely different, scanner.exe the first time, then as bleep.exe, then I tried installing it on my flash drive to see if that would help, but it still will not launch. I ALSO cannot open my C:/ by clicking on it, I have to manually type it in.

#7 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 02 April 2009 - 04:49 AM

ok we will get another download to use for now .there is a guide to read first which will explain everything. Read through the guide, download combofix to your desktop and save it has scanme1 or something, like you did with MBAM. Disable any AV or active antimalware as explained in the guide, double click the scanme1 icon on your desktop. follow the prompts. If combofix runs, once its all done then check MBAM for updates and scan with it also.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?


#8 noitslettia

noitslettia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 02 April 2009 - 12:22 PM

I ran Combofix and it worked and then I was able to successfully run (!) MalwareBytes. I'll attach both the ComboFix and MWB log so you can make sure everything is okay. My browser is running fine again!

Combofix:

ComboFix 09-04-01.01 - Lettia 2009-04-02 11:54:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.351 [GMT -4:00]
Running from: c:\documents and settings\Lettia\Desktop\scanme1.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\INSTALL.LOG
c:\recycler\S-8-7-87-100028549-100028994-100004771-5289.com
c:\windows\system32\bbeeg.bak1
c:\windows\system32\bbeeg.bak2
c:\windows\system32\bbeeg.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\gaopdxdyuhhbvcmjkoowkkltfaqjborxkduxwq.sys
c:\windows\system32\drivers\gaopdxmovmtbqlrhyrvwipfvaswsjktervdtbo.sys
c:\windows\system32\drivers\gaopdxoyrgoenqwbrfqmlalktltakwvyuwueqg.sys
c:\windows\system32\drivers\gaopdxrqlxypynpevelkftoygoboxvkbaiojte.sys
c:\windows\system32\drivers\gaopdxsmlknqwgixjvrwofusutkryeaytxbhnp.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxqlkawkibxqhhlsmtixmldgultqalvgfi.dll
c:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-02 11:34 . 2009-04-02 11:34 <DIR> d-------- c:\documents and settings\Lettia\Application Data\aAvgApi
2009-04-01 17:30 . 2009-04-01 17:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 10:18 . 2009-04-01 12:18 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-27 10:01 . 2009-03-27 10:01 62,729,728 --a------ c:\program files\avg_free_stf_en_85_283a1450.exe
2009-03-24 12:15 . 2009-03-24 12:15 0 --a------ c:\windows\system32\commonpub.log.lock
2009-03-24 12:15 . 2009-03-24 12:15 0 --a------ c:\windows\system32\commonpriv.log.lock
2009-03-24 10:59 . 2009-03-27 10:05 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-24 10:59 . 2009-03-27 10:56 <DIR> d-------- c:\documents and settings\Lettia\Application Data\AVGTOOLBAR
2009-03-24 10:59 . 2009-03-27 10:05 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-24 10:58 . 2009-03-27 10:05 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-24 10:58 . 2009-03-27 10:05 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-24 10:56 . 2009-03-24 10:56 <DIR> d-------- c:\program files\AVG
2009-03-24 10:56 . 2009-04-02 11:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-24 01:09 . 2009-03-24 01:09 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 00:53 . 2009-03-24 10:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 00:47 . 2009-03-24 00:47 37,452,296 --a------ C:\Ad-AwareAE.exe
2009-03-24 00:28 . 2009-03-24 00:28 16,409,960 --a------ C:\spybotsd162.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 21:44 --------- d-----w c:\program files\Lavasoft
2009-04-01 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-24 04:57 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-24 04:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 04:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 18:43 --------- d-----w c:\documents and settings\Lettia\Application Data\AdobeUM
2009-03-08 18:42 --------- d-----w c:\program files\Common Files\Adobe
2009-03-05 15:26 --------- d-----w c:\documents and settings\Lettia\Application Data\Move Networks
2009-02-19 17:51 --------- d-----w c:\program files\Google
2009-02-11 04:21 --------- d-----w c:\program files\MSN Messenger
2009-01-20 05:47 15,083,520 ----a-w c:\program files\spybotsd160.exe
2009-01-08 05:46 6,088 ----a-w c:\program files\Palace.mac
2009-01-08 05:46 258,692 ----a-w c:\program files\Palace.prp
2009-01-08 05:46 2,270 ----a-w c:\program files\Palace.ini
2009-01-08 05:19 230 ----a-w c:\program files\bookmark.dat
2008-05-18 04:04 1,295,002 ----a-w c:\program files\IndianaJonesAndHisDesktopAdventures.zip
2008-05-18 03:59 3,952,730 ----a-w c:\program files\YodaStories.zip
2008-02-01 06:47 0 ----a-w c:\documents and settings\Lettia\advdat11.dat
2006-12-13 03:04 12,687,809 ----a-w c:\program files\standardsetup.exe
2006-03-15 21:01 9,409,224 ----a-w c:\program files\Install_MSN_Messenger.exe
2005-08-25 12:03 20,798,256 -c--a-w c:\program files\AdbeRdr70_enu_full.exe
2005-08-17 22:46 8,715,352 ----a-w c:\program files\Install_AIM.exe
2000-02-07 19:51 16,382 ----a-w c:\program files\Readme.txt
2000-02-07 14:47 1,040,384 ----a-w c:\program files\Palace32.exe
2000-02-07 14:38 32,768 ----a-w c:\program files\ppahook.dll
1999-11-22 21:25 4,317 ----a-w c:\program files\License.txt
1999-11-15 20:57 1,380 ----a-w c:\program files\Cyborg.ipt
1999-10-20 15:24 2,228 ----a-w c:\program files\palace32.tlb
1999-09-07 19:27 108,032 ----a-w c:\program files\Unwise32.exe
2009-03-24 14:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-24 14:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-24 14:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-24 14:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-24 14:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-18 05:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121820081219\index.dat
2007-02-19 03:41 4,413,728 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-02-19 03:41 77,600 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-02-17 59040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-08-19 100056]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-08-05 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-27 10:05 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera\0SsiEfr.e\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1193152601\\ee\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-24 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-24 107912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-08-05 80384]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate1c992ba98ca05de;Google Update Service (gupdate1c992ba98ca05de);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-19 133104]
S2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys --> c:\windows\system32\SVKP.sys [?]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\windows\system32\drivers\ma101rndxp.sys [2007-08-28 76160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b72f18e2-c365-11da-8e77-0014a50596f0}]
\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure20.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 21:30]

2009-04-02 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-19 13:50]
.
- - - - ORPHANS REMOVED - - - -

BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\Common\_helper.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-HostManager - c:\program files\Common Files\AOL\1193152601\ee\AOLSoftware.exe
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
Notify-geebb - c:\windows\system32\geebb.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: livejournal.com\www
Trusted Zone: neopets.com\www
Trusted Zone: proboards12.com\shinyou
FF - ProfilePath - c:\documents and settings\Lettia\Application Data\Mozilla\Firefox\Profiles\in8xjz5z.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears_ff2.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 12:06:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3551311873-3984928036-2764790200-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\windows\system32\WLTRAY.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-04-02 12:11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 16:11:18

Pre-Run: 48,284,188,672 bytes free
Post-Run: 49,389,592,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
247 --- E O F --- 2009-03-15 07:02:32




MalwareBytes:

Malwarebytes' Anti-Malware 1.35
Database version: 1933
Windows 5.1.2600 Service Pack 3

4/2/2009 1:12:50 PM
mbam-log-2009-04-02 (13-12-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153757
Time elapsed: 56 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.88,85.255.112.236 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{54477cd1-ac15-47cd-a92d-3464d36ba8c6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.88,85.255.112.236 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7160ac79-b32c-40cb-9eaf-08b01f96eba2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.88,85.255.112.236 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7160ac79-b32c-40cb-9eaf-08b01f96eba2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.88,85.255.112.236 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\celtic_gaelige.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\galactic_basic.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\KissTSV2.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\star_jedi.zip (Worm.Archive) -> Quarantined and deleted successfully.


Is there anything else?

#9 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 02 April 2009 - 04:48 PM

ok looking good. Post one more hjt log please.

How Can I Reduce My Risk to Malware?


#10 noitslettia

noitslettia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 05 April 2009 - 09:00 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:40 AM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Update Service (gupdate1c992ba98ca05de) (gupdate1c992ba98ca05de) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 11060 bytes

#11 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 05 April 2009 - 08:24 PM

hi noitslettia,

Looks like you have two AV installed that appear to be outdated. Only one AV is needed on your machine.
You need to remove one via add/remove programs panel and get the other updated.
I will be off line for the next 48hrs but will post when I get back.

How Can I Reduce My Risk to Malware?


#12 noitslettia

noitslettia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 05 April 2009 - 11:31 PM

I know I have a few- I can't "Add/Remove" Norton AV...I click on the "Remove" button and nothing happens and it has been that way for awhile. The AVG isn't IN my Add/Remove programs list for me to remove it...I do have one program running in my Task Manager, avgrsx.exe but I cannot halt the process, and since I can't stop it from running manually I can't remove the .exe file.

Any suggestions?

EDITED: I was able to remove avgrsx.exe but a few AVG files remain in my computer.

Edited by noitslettia, 05 April 2009 - 11:37 PM.


#13 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 09 April 2009 - 02:30 PM

hi,

ok thanks for the info. You can see this link about using a norton uninstaller tool:

http://service1.symantec.com/SUPPORT/tsgen...005033108162039

EDITED: I was able to remove avgrsx.exe but a few AVG files remain in my computer.


Not sure of the locations you are talking about but most uninstallers can leave behind stray files.
you can look here for AVG:

start>run and type in services.msc
Windows service panel will open.
under the name column look for:
AVG...
Right click>properties
under the general tab;

make sure that the service status is: Stopped, if not click the Stop button
and the Startup type is: disabled, if not change it to disable
click apply, then ok

You should get a AV as soon as possible. I can post links to free (for home use) AV. you need one?

How Can I Reduce My Risk to Malware?


#14 noitslettia

noitslettia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 12 April 2009 - 10:37 PM

Could you link me, please?

Edit: I disabled AVG8 and got rid of all the remains of Norton 2005. Thanks!

Edited by noitslettia, 12 April 2009 - 10:50 PM.


#15 shelf life

shelf life

  • Malware Response Team
  • 2,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:56 PM

Posted 13 April 2009 - 07:02 AM

Hi,

ok good.

Links for home use AV:

http://www.free-av.com/en/download/index.html
http://www.avast.com/eng/download-avast-home.html
http://free.avg.com/download?prd=afe

You can remove combofix like this:
start>run and type in combofix /u
click ok or enter
Note: there is a space after the x and before the /

Keep MBAM. Keep it updated.

Post one more HJt log.

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users