
Laptop Has/Had Malware/Spyware Issues


This topic is locked
16 replies to this topic

#1 slyblackdragon


Posted 25 March 2009 - 03:15 PM

Hey everyone. I am working on my girlfriend's laptop. I had a problem where every time I clicked on a Google search result it would direct me to a website that I didn't click on. I suspected spyware issues, so I downloaded and ran the newest version of Spyware Terminator. It found 148 critical objects (listed below) and seems to be running smoothly now. I have also downloaded the newest version of Avast, which has removed 3 trojan viruses.

As suggested by garmanma, I followed the Preparation Guide For Use Before Posting A HijackThis Log.

Thanks,
~Sly


DDS (Ver_09-03-16.01) - NTFSx86
Run by Tennant at 15:03:53.39 on Wed 03/25/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.912 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Users\Tennant\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tennant\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com
uSEARCH PAGE = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
uRun: [Acer Tour Reminder]
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Acer Tour]
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [eRecoveryService]
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Skytel] Skytel.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [InstaLAN] "c:\program files\charter\instalan\InstaLAN.exe" startup
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: NameServer = 85.255.112.189,85.255.112.178
TCP: {32B26393-3758-4A0B-9E43-B9476083387E} = 85.255.112.189,85.255.112.178
TCP: {ECC86BDE-1542-4329-873B-A0C143DC89F8} = 85.255.112.189,85.255.112.178
Handler: AutorunsDisabled\tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tennant\appdata\roaming\mozilla\firefox\profiles\ehye6h1b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-2 35712]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-25 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-3-24 142592]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-12-29 13560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-25 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-25 51792]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-12 24652]

=============== Created Last 30 ================

2009-03-25 14:49 <DIR> --d----- c:\program files\CCleaner
2009-03-25 11:34 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-03-25 10:31 <DIR> --d----- c:\programdata\NOS
2009-03-25 09:07 <DIR> --d----- c:\program files\Crawler
2009-03-24 20:59 <DIR> --d----- c:\program files\AVG
2009-03-24 20:58 1,211 a------- c:\windows\system32\BIN_STRSBW.SPT
2009-03-24 20:30 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-03-24 20:30 <DIR> --d----- c:\users\tennant\appdata\roaming\Spyware Terminator
2009-03-24 20:30 <DIR> --d----- c:\programdata\Spyware Terminator
2009-03-24 20:30 <DIR> --d----- c:\program files\Spyware Terminator
2009-03-24 20:30 <DIR> --d----- c:\progra~2\Spyware Terminator
2009-03-10 16:31 268,288 a------- c:\windows\system32\schannel.dll
2009-03-10 16:31 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-10 16:31 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-10 16:31 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-10 16:31 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-10 16:31 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-07 01:17 <DIR> --d----- c:\programdata\ZangoSA
2009-03-07 01:17 <DIR> --d----- c:\progra~2\ZangoSA
2009-03-07 01:17 <DIR> --d----- c:\users\tennant\appdata\roaming\WeatherDPA
2009-03-07 01:17 <DIR> --d----- c:\users\tennant\appdata\roaming\Zango
2009-03-06 01:32 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-03-06 01:31 <DIR> --d----- c:\program files\LimeWire
2009-03-06 01:22 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-03-06 01:22 <DIR> --d----- c:\programdata\AIM Toolbar
2009-03-06 01:22 <DIR> --d----- c:\program files\AIM Toolbar
2009-03-06 01:22 <DIR> --d----- c:\progra~2\AIM Toolbar
2009-03-06 01:22 <DIR> --d----- c:\programdata\acccore
2009-03-06 01:22 <DIR> --d----- c:\progra~2\acccore
2009-03-04 03:28 <DIR> --d----- c:\users\tennant\appdata\roaming\Walgreens

==================== Find3M ====================

2009-03-07 15:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-07 23:04 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-07 23:04 51,200 a------- c:\windows\inf\infpub.dat
2009-02-07 23:04 86,016 a------- c:\windows\inf\infstor.dat
2009-01-15 01:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-05 17:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-06-13 03:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-09 21:32 174 a--sh--- c:\program files\desktop.ini
2007-09-10 18:34 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2007-09-10 18:34 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2007-09-10 18:34 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2007-09-10 18:34 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-12 10:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-12 10:33 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-12 10:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 15:05:20.31 ===============



Edited by slyblackdragon, 25 March 2009 - 03:21 PM.




#2 KoanYorel


Posted 04 April 2009 - 04:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 slyblackdragon


Posted 04 April 2009 - 05:23 PM

Great timing, I am about to head to my girlfriend's house now.

Do I need to disable and disconnect from the internet before I run the scan, or only if I encounter an error?

#4 KoanYorel


Posted 04 April 2009 - 05:34 PM

I would disconnect to keep things simpler.

If you disable an AV, ensure you turn it back on before connecting again.

#5 slyblackdragon


Posted 13 April 2009 - 07:10 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Tennant at 19:00:58.32 on Mon 04/13/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.846 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Users\Tennant\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Graboid\GraboidVideo\1.5.0.0\GraboidClient.exe
C:\Program Files\Graboid\GraboidVideo\1.5.0.0\GraboidClient.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tennant\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com
uSEARCH PAGE = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
uRun: [Acer Tour Reminder]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Acer Tour]
mRun: [eRecoveryService]
mRun: [Skytel] Skytel.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [InstaLAN] "c:\program files\charter\instalan\InstaLAN.exe" startup
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.189,85.255.112.178
TCP: {32B26393-3758-4A0B-9E43-B9476083387E} = 85.255.112.189,85.255.112.178
TCP: {ECC86BDE-1542-4329-873B-A0C143DC89F8} = 85.255.112.189,85.255.112.178
Handler: AutorunsDisabled\tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tennant\appdata\roaming\mozilla\firefox\profiles\ehye6h1b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\tennant\appdata\roaming\mozilla\firefox\profiles\ehye6h1b.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-2 35712]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-25 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-3-24 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-25 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-25 51792]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]

=============== Created Last 30 ================

2009-04-10 15:12 <DIR> --d----- c:\programdata\Electronic Arts
2009-04-10 15:12 <DIR> --d----- c:\progra~2\Electronic Arts
2009-04-07 22:30 <DIR> --d----- c:\users\tennant\appdata\roaming\MozillaControl
2009-04-07 22:20 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-04-07 22:19 <DIR> --d----- c:\program files\VideoLAN
2009-04-07 22:19 <DIR> --d----- c:\program files\Graboid
2009-03-30 21:45 <DIR> --d----- c:\program files\HP
2009-03-27 19:10 <DIR> --d----- c:\users\tennant\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-25 14:49 <DIR> --d----- c:\program files\CCleaner
2009-03-25 11:34 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-03-25 10:31 <DIR> --d----- c:\programdata\NOS
2009-03-25 09:07 <DIR> --d----- c:\program files\Crawler
2009-03-24 20:59 <DIR> --d----- c:\program files\AVG
2009-03-24 20:58 1,211 a------- c:\windows\system32\BIN_STRSBW.SPT
2009-03-24 20:30 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-03-24 20:30 <DIR> --d----- c:\users\tennant\appdata\roaming\Spyware Terminator
2009-03-24 20:30 <DIR> --d----- c:\programdata\Spyware Terminator
2009-03-24 20:30 <DIR> --d----- c:\program files\Spyware Terminator
2009-03-24 20:30 <DIR> --d----- c:\progra~2\Spyware Terminator
2009-03-20 22:50 4 a------- c:\windows\system32\gaopdxcounter

==================== Find3M ====================

2009-03-27 18:59 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-27 18:59 86,016 a------- c:\windows\inf\infstor.dat
2009-03-27 18:59 51,200 a------- c:\windows\inf\infpub.dat
2009-03-07 15:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-08 22:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-15 01:11 827,392 a------- c:\windows\system32\wininet.dll
2008-06-13 03:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-09 21:32 174 a--sh--- c:\program files\desktop.ini
2007-09-10 18:34 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2007-09-10 18:34 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2007-09-10 18:34 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2007-09-10 18:34 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-12 10:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-12 10:33 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-12 10:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 19:02:00.64 ===============

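The two DDS logs in this thread (posts #1 and #5) are read by eye above. What follows is an added example, not part of the thread and not DDS's own code, of the triage a responder would script over the "Pseudo HJT Report" and "Created Last 30" sections of such a log: it pulls every resolver out of the `TCP: NameServer` and per-interface `TCP: {GUID}` lines and flags any that are not on a caller-supplied allowlist (the ISP's or router's ranges; the 192.168.0.0/16 allowlist in the usage is an assumption), lists BHO/toolbar/search-hook registrations that point at a missing DLL, groups ActiveX (DPF) downloads by the host they came from, and diffs a re-run log against the earlier one so the second log is read as a delta. The sample logs are constructed excerpts that repeat a handful of the lines posted above, not the full logs. The one fact the block takes from outside the thread is that 85.255.112.0/20 is on the published DNSChanger (Rove Digital) rogue-resolver range list; a search-redirect symptom together with hard-coded public resolvers in both logs is the first thing to check.

```python
"""Triage checks over the sections of a DDS log (added example, not DDS's own code)."""
import ipaddress
import re

# Constructed excerpts in DDS's output format (DDS writes hxxp for http). They repeat
# a handful of the lines posted in this thread; they are not the full logs.
LOG_MARCH = r"""
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
TCP: NameServer = 85.255.112.189,85.255.112.178
TCP: {32B26393-3758-4A0B-9E43-B9476083387E} = 85.255.112.189,85.255.112.178
=============== Created Last 30 ================
2009-03-25 14:49 <DIR> --d----- c:\program files\CCleaner
2009-03-24 20:30 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
============= FINISH: 15:05:20.31 ===============
"""
LOG_APRIL = r"""
=============== Created Last 30 ================
2009-04-07 22:19 <DIR> --d----- c:\program files\Graboid
2009-03-25 14:49 <DIR> --d----- c:\program files\CCleaner
2009-03-24 20:30 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-03-20 22:50 4 a------- c:\windows\system32\gaopdxcounter
"""

# Published DNSChanger (Rove Digital) rogue-resolver range. This attribution is a
# fact from outside the thread, not something the helpers in it state.
KNOWN_ROGUE = [ipaddress.ip_network("85.255.112.0/20")]
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
HOOK_KEYS = ("BHO", "TB", "uURLSearchHooks", "mURLSearchHooks")


def split_sections(text):
    """Map each '=== Name ===' header of a DDS log to the non-blank lines under it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def nameservers(hjt_lines):
    """Resolver IPs from 'TCP: NameServer = a,b' and per-interface 'TCP: {GUID} = a,b'."""
    found = set()
    for line in hjt_lines:
        if line.startswith("TCP:") and "=" in line:
            for tok in line.split("=", 1)[1].split(","):
                try:
                    found.add(ipaddress.ip_address(tok.strip()))
                except ValueError:
                    pass  # not an address (a DHCP-assigned entry can be empty)
    return found


def rogue_nameservers(hjt_lines, allowlist=()):
    """(ip, known_rogue) for every resolver outside the allowlist. The allowlist is
    the ISP's or router's ranges; a home laptop should not need anything else."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    return [(str(ip), any(ip in n for n in KNOWN_ROGUE))
            for ip in sorted(nameservers(hjt_lines), key=int)
            if not any(ip in n for n in allowed)]


def orphaned_hooks(hjt_lines):
    """BHO/toolbar/search-hook registrations whose DLL is gone: leftovers of a
    partial removal that should still be cleared."""
    return [l for l in hjt_lines
            if l.split(":", 1)[0] in HOOK_KEYS and l.endswith("No File")]


def dpf_hosts(hjt_lines):
    """ActiveX packages (DPF entries) grouped by the host they were fetched from."""
    hosts = {}
    for line in hjt_lines:
        m = re.search(r"h(?:xx|tt)ps?://([^/\s]+)", line) if line.startswith("DPF:") else None
        if m:
            hosts.setdefault(m.group(1), []).append(line)
    return hosts


def new_entries(old_text, new_text, section="Created Last 30"):
    """Lines in the re-run log's section that the earlier log did not have."""
    old = set(split_sections(old_text).get(section, []))
    return [l for l in split_sections(new_text).get(section, []) if l not in old]


if __name__ == "__main__":
    hjt = split_sections(LOG_MARCH)["Pseudo HJT Report"]
    print("resolvers off-allowlist:", rogue_nameservers(hjt, ["192.168.0.0/16"]))  # assumed home LAN
    print("orphaned hooks:", orphaned_hooks(hjt))
    print("DPF hosts:", sorted(dpf_hosts(hjt)))
    print("new since March:", new_entries(LOG_MARCH, LOG_APRIL))
```

Run as a script it reports on the constructed excerpts; for a real log, read the file and hand its text to `split_sections`. Both resolvers come back off the allowlist and inside the known rogue range, the two `No File` lines are the orphaned registrations, the DPF hosts are `java.sun.com` and `ak.exe.imgfarm.com`, and the April delta is the `Graboid` directory and `gaopdxcounter`. The allowlist is deliberately the caller's job: what counts as a legitimate resolver depends on the network the laptop sits on, and the check should fail loudly on anything else rather than guess.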



#6 Jat90


Posted 14 April 2009 - 05:15 AM

Hello, slyblackdragon

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Please describe for me any symptom(s) you are having now as it will help me identify your infection. I do not see anything malicious in your log. Let's perform an online scan:

ESET Online Scan

Please go to the ESET website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 slyblackdragon

slyblackdragon
  • Topic Starter

  • Members
  • 101 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 16 April 2009 - 09:24 AM

Just as an update I will be away from the computer again for a few days.

As far as symptoms go, right now it seems to be running O.K. The reason I wanted to post a log was because it was infected with a few Trojan Viruses and tons of spyware/malware. I just wanted to make sure I got them all.

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:12:47 PM

Posted 16 April 2009 - 10:37 AM

Ok, well your logs do look clean. We will confirm this when the scan comes back :thumbup2:
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 slyblackdragon

slyblackdragon
  • Topic Starter

  • Members
  • 101 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 17 April 2009 - 08:07 PM

Looks like I am unable to connect to the eset website, any ideas?

#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:12:47 PM

Posted 18 April 2009 - 06:02 AM

Let's try a different scanner:

Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#11 slyblackdragon

slyblackdragon
  • Topic Starter

  • Members
  • 101 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 20 April 2009 - 07:39 PM

It fails during the update for some reason, I really hate computers

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:47 PM

Posted 21 April 2009 - 10:21 AM

Hello, looks like this could be malware related after all:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 slyblackdragon

slyblackdragon
  • Topic Starter

  • Members
  • 101 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 22 April 2009 - 10:52 PM

ComboFix 09-04-23.02 - Tennant 04/22/2009 22:37.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.880 [GMT -5:00]
Running from: c:\users\Tennant\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\programdata\SeekmoSA
c:\programdata\SeekmoSA\SeekmoSA.dat
c:\programdata\SeekmoSA\SeekmoSA_kyf.dat
c:\programdata\SeekmoSA\SeekmoSAAbout.mht
c:\programdata\SeekmoSA\SeekmoSAau.dat
c:\programdata\SeekmoSA\SeekmoSAEULA.mht
c:\programdata\ZangoSA
c:\programdata\ZangoSA\ZangoSA.dat
c:\programdata\ZangoSA\ZangoSA_kyf.dat
c:\programdata\ZangoSA\ZangoSAAbout.mht
c:\programdata\ZangoSA\ZangoSAau.dat
c:\programdata\ZangoSA\ZangoSAEula.mht
c:\users\Tennant\AppData\Roaming\Seekmo
c:\users\Tennant\AppData\Roaming\WeatherDPA
c:\users\Tennant\AppData\Roaming\WeatherDPA\Weather\WeatherStartup.xml
c:\users\Tennant\AppData\Roaming\Zango
c:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-14 06:08 . 2009-04-14 06:08 -------- d-----w c:\users\Tennant\AppData\Roaming\Graboid Inc
2009-04-10 20:12 . 2009-04-10 20:12 -------- d-----w c:\users\All Users\Electronic Arts
2009-04-10 20:12 . 2009-04-10 20:12 -------- d-----w c:\programdata\Electronic Arts
2009-04-08 04:58 . 2009-04-10 04:30 -------- d-----w c:\users\Tennant\AppData\Roaming\vlc
2009-04-08 03:30 . 2009-04-08 03:30 -------- d-----w c:\users\Tennant\AppData\Local\Graboid_Inc
2009-04-08 03:30 . 2009-04-08 04:18 -------- d-----w c:\users\Tennant\AppData\Local\Graboid
2009-04-08 03:30 . 2009-04-08 03:31 -------- d-----w c:\users\Tennant\AppData\Roaming\MozillaControl
2009-03-28 00:10 . 2009-03-28 00:10 -------- d-----w c:\users\Tennant\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-25 16:34 . 2009-02-05 20:06 51792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-03-25 15:31 . 2009-03-25 16:13 -------- d-----w c:\users\All Users\NOS
2009-03-25 15:31 . 2009-03-25 16:13 -------- d-----w c:\programdata\NOS
2009-03-25 01:58 . 2009-03-25 19:49 1211 ----a-w c:\windows\system32\BIN_STRSBW.SPT
2009-03-25 01:30 . 2009-03-25 01:30 142592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-03-25 01:30 . 2009-04-19 18:00 -------- d-----w c:\users\Tennant\AppData\Roaming\Spyware Terminator
2009-03-25 01:30 . 2009-04-12 05:05 -------- d-----w c:\users\All Users\Spyware Terminator
2009-03-25 01:30 . 2009-04-12 05:05 -------- d-----w c:\programdata\Spyware Terminator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 01:39 . 2009-04-10 20:11 -------- d-----w c:\program files\Electronic Arts
2009-04-18 04:20 . 2009-03-25 14:07 -------- d-----w c:\program files\Crawler
2009-04-14 06:12 . 2009-04-08 03:19 -------- d-----w c:\program files\Graboid
2009-04-14 06:11 . 2009-04-08 03:20 -------- d-----w c:\program files\Mozilla ActiveX Control v1.7.12
2009-04-14 06:04 . 2008-02-12 23:43 -------- d-----w c:\users\Tennant\AppData\Roaming\LimeWire
2009-04-12 16:20 . 2009-03-25 01:30 -------- d-----w c:\program files\Spyware Terminator
2009-04-08 03:19 . 2009-04-08 03:19 -------- d-----w c:\program files\VideoLAN
2009-03-31 02:45 . 2009-03-31 02:45 -------- d-----w c:\program files\HP
2009-03-30 17:10 . 2008-02-12 23:58 -------- d-----w c:\program files\Common Files\AOL
2009-03-27 23:59 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-03-27 23:59 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-03-27 23:59 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-03-27 23:59 . 2008-02-12 22:31 -------- d--ha-w c:\programdata\GTek
2009-03-27 23:55 . 2007-12-29 06:34 -------- d-----w c:\program files\CyberLink
2009-03-27 23:55 . 2007-09-03 09:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-27 23:54 . 2008-02-12 23:59 -------- d-----w c:\programdata\Viewpoint
2009-03-27 23:26 . 2008-07-08 23:46 -------- d-----w c:\programdata\Yahoo!
2009-03-27 23:26 . 2008-07-08 23:45 -------- d-----w c:\users\Tennant\AppData\Roaming\Yahoo!
2009-03-25 19:49 . 2009-03-25 19:49 -------- d-----w c:\program files\CCleaner
2009-03-25 16:34 . 2009-03-25 16:34 -------- d-----w c:\program files\Alwil Software
2009-03-25 16:12 . 2009-03-25 15:31 -------- d-----w c:\program files\NOS
2009-03-25 15:47 . 2008-02-12 21:30 -------- d-----w c:\program files\Yahoo!
2009-03-25 15:47 . 2008-03-29 04:29 -------- d-----w c:\program files\MySpace
2009-03-25 15:36 . 2009-03-25 15:36 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-25 15:35 . 2009-03-25 15:35 -------- d-----w c:\program files\Common Files\Adobe
2009-03-25 01:59 . 2009-03-25 01:59 -------- d-----w c:\program files\AVG
2009-03-11 08:06 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-07 21:18 . 2009-03-07 21:14 -------- d-----w c:\users\Tennant\AppData\Roaming\U3
2009-03-07 20:30 . 2009-02-11 17:44 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-07 20:30 . 2008-02-12 23:42 -------- d-----w c:\program files\Java
2009-03-06 06:32 . 2009-03-06 06:32 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-06 06:31 . 2008-02-12 23:41 -------- d-----w c:\program files\Google
2009-03-06 06:31 . 2009-03-06 06:31 -------- d-----w c:\program files\LimeWire
2009-03-06 06:22 . 2008-02-12 23:58 794 ---ha-w C:\IPH.PH
2009-03-06 06:22 . 2009-03-06 06:22 -------- d-----w c:\program files\AIM Toolbar
2009-03-06 06:22 . 2009-03-06 06:22 -------- d-----w c:\programdata\AIM Toolbar
2009-03-04 08:29 . 2009-03-04 08:28 -------- d-----w c:\users\Tennant\AppData\Roaming\Walgreens
2009-02-09 03:10 . 2009-03-10 21:31 2033152 ----a-w c:\windows\System32\win32k.sys
2008-06-10 02:32 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-02-12 21:30 . 2008-02-12 21:30 99864 ----a-w c:\users\Tennant\AppData\Local\GDIPFONTCACHEV1.DAT
2008-10-12 15:33 . 2008-02-14 00:09 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-10-12 15:33 . 2008-02-14 00:09 32768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-10-12 15:33 . 2008-02-14 00:09 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"InstaLAN"="c:\program files\Charter\InstaLAN\InstaLAN.exe" [2007-02-18 548864]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-03-25 2176000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-17 4702208]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-08-03 1826816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C47B3165-48C5-4CC3-8030-FB6F8C0AC465}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{EC819757-ACB5-4D4D-9DB0-57EC63A29B1A}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{443E868E-8E6E-4393-A6AD-32D8922D36A7}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2BEC5318-C8D4-45DD-B14E-DD8B2010F551}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{37DED03E-81AB-44F9-A3C8-BB452FD98DD2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{DD1D9330-F6F1-4332-AC86-99004578B804}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{7673E9A4-A9F0-4CD4-B650-BC4AE0AB1C99}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{DC0C3652-140B-4458-8FA0-95BC85C311E7}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{975344AE-0657-4A41-B604-C7AB190C0EC1}"= TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{2DD6EE0C-E5A3-410F-BEC4-9E3E3BAC3D1B}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2CDFE43C-D54C-4EF6-A5EB-2F877B1ECB2D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{E8F40829-E774-41AC-A198-487C8E21B658}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{42195AF7-AC5D-440D-B057-59E5E947929A}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{EF4D7BA7-4958-4F98-ABA9-714540CAE2A7}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9DC2A96A-56A4-4C3D-B5DA-A6F8BD066010}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{D5864B15-C5B7-46B3-8E19-0F96E5F43D8D}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{461A59A8-DF36-4B99-AEFB-FA578F01922F}"= UDP:c:\program files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{C3621C0E-D599-4D65-BE03-A1AF1B2F0743}"= TCP:c:\program files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{62C03DC8-0AD5-410F-B665-C30F1A38F2E6}"= UDP:c:\program files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{5EA6FED0-A94C-4CC0-A13B-7D8275620041}"= TCP:c:\program files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{D3E10640-7DE5-4E90-B230-5E795388AD84}"= UDP:c:\program files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{D6CA1A92-51FC-47D3-AA48-AC3A49F06139}"= TCP:c:\program files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{7A4E4858-E9EF-4095-A296-03A8EEFEDF2F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0FCEC65D-9609-42BA-A026-96EF0F0CB23F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{21BB48E9-A93E-4B8E-B736-0FCA23E80FC5}"= UDP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"{6E91F820-A735-490D-8482-85B75CABCD6C}"= TCP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"{CBCF717F-3F7B-418B-BD1C-C1B099855EBF}"= UDP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface
"{DEDEDFF8-F171-4ADB-BFFB-1DCBAA08B151}"= TCP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-02 35712]
S1 aswSP;avast! Self Protection; [x]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-03-25 142592]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{442dbc63-0ae2-11de-91ae-000000000000}]
\shell\AutoRun\command - wscript.exe \SMRTNTKY\script.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{442dbc66-0ae2-11de-91ae-000000000000}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: AutorunsDisabled\tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll
FF - ProfilePath - c:\users\Tennant\AppData\Roaming\Mozilla\Firefox\Profiles\ehye6h1b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\users\Tennant\AppData\Roaming\Mozilla\Firefox\Profiles\ehye6h1b.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 22:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-04-23 22:43
ComboFix-quarantined-files.txt 2009-04-23 03:43

Pre-Run: 37,009,641,472 bytes free
Post-Run: 36,671,348,736 bytes free

224 --- E O F --- 2009-03-19 20:29
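The log above is what a helper reads by hand; as an added example (not ComboFix output and not code from anyone in this thread), this Python script parses a ComboFix-style registry dump and flags the settings in it that weaken the machine's defences: Security Center monitoring switched off, Windows Firewall disabled per profile, cached removable-media AutoRun commands, and deny ACEs on the locked keys Jat90 asks about. The sample text is a constructed excerpt whose values are copied from the posted log; the parsing rules are my own assumptions about the log format.

```python
import re

# Constructed excerpt in the style of the "Reg Loading Points" and "LOCKED REGISTRY KEYS"
# sections of the ComboFix log posted above (values copied from that log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{442dbc63-0ae2-11de-91ae-000000000000}]
\shell\AutoRun\command - wscript.exe \SMRTNTKY\script.js

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
"BlindDial"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                    # [HKLM\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')  # "Name"=value


def parse_sections(text):
    """Group the lines of a ComboFix-style registry dump under their [key] headers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def reg_int(raw):
    """Turn 'dword:00000001' or '0 (0x0)' (both forms appear in the log) into an int."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.split()[0])


def find_weakened_defenses(text):
    """Return (finding, detail) pairs for settings a helper would want to triage."""
    findings = []
    for key, lines in parse_sections(text).items():
        lk = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            if m:
                name, raw = m.group("name"), m.group("val")
                if "security center" in lk and name == "DisableMonitoring" and reg_int(raw) == 1:
                    findings.append(("security-center-monitoring-disabled", key))
                elif "firewallpolicy" in lk and name == "EnableFirewall" and reg_int(raw) == 0:
                    findings.append(("firewall-disabled", key.rsplit("\\", 1)[-1]))
            elif "mountpoints2" in lk and r"\shell\autorun\command" in line.lower():
                # AutoRun command Windows cached for a removable drive.
                findings.append(("removable-media-autorun", line.split(" - ", 1)[1]))
            elif line.startswith("@Denied:") and "allusersettings" in lk:
                # Explicit deny ACE on a key ComboFix listed as locked.
                findings.append(("locked-key-acl-denied", line))
    return findings
```

Treat the output as triage leads rather than verdicts: third-party suites such as the Norton install visible in the header also set Security Center's DisableMonitoring, so that finding needs checking against the installed AV before it is attributed to malware.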

#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:12:47 PM

Posted 23 April 2009 - 10:57 AM

Hello,

A question before we proceed, I am seeing some sort of restrictions in place for all users except one, did you place them there?
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 slyblackdragon

slyblackdragon
  • Topic Starter

  • Members
  • 101 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 26 April 2009 - 09:55 PM

I don't believe so. This isn't my laptop, but my girlfriend said she did not put in any restrictions.



