Browser hijack/search redirects.


  • This topic is locked
16 replies to this topic

#1 Dalrint


  • Members
  • 13 posts

Posted 19 June 2009 - 02:18 PM

So in the last week or so I have found my Google links (on any search) redirecting to random sites, and always going through 'googlesearchengine.net' first. So. Browser hijack.

Ran my virus scanner (Avast) and found nothing, did Spybot and Ad-Aware, then finally gave in and ran ComboFix. While they all cleaned little things (apparently I had Virtumonde on here, huh.) I am still getting the browser hijacks.

I have a HijackThis log and a ComboFix log.

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:39 PM, on 6/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\AOL\1226687932\ee\AOLSoftware.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Documents and Settings\hp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1226687932\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\hp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10130 bytes



Combofix Log:


ComboFix 09-06-18.02 - hp 06/19/2009 15:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1441 [GMT -4:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090618-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 17:58 . 2009-06-19 17:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-19 17:48 . 2009-06-19 17:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 17:48 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-19 17:48 . 2009-06-19 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-19 17:48 . 2009-06-19 17:48 -------- d-----w- c:\program files\Lavasoft
2009-06-19 16:56 . 2009-06-19 16:56 -------- d-----w- c:\documents and settings\hp\Application Data\Malwarebytes
2009-06-19 16:56 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 16:56 . 2009-06-19 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 16:56 . 2009-06-19 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 16:56 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 05:51 . 2009-06-18 05:51 2198510 ----a-w- c:\documents and settings\hp\Application Data\EVEMon\EVEMon-install-1.2.8.1385.exe
2009-06-18 05:09 . 2009-06-18 05:09 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Wildtangent
2009-06-18 05:09 . 2009-06-18 05:10 -------- d-----w- c:\windows\wt
2009-06-17 21:29 . 2009-06-17 21:29 -------- d-----w- c:\documents and settings\hp\Application Data\SpinTop Games
2009-06-17 14:59 . 2009-06-17 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-06-17 07:12 . 2009-06-17 07:12 737280 ----a-w- c:\windows\iun6002.exe
2009-06-17 07:11 . 2009-06-17 07:11 0 ----a-w- c:\windows\popcinfo.dat
2009-06-17 06:54 . 2009-06-17 07:12 -------- d-----w- c:\program files\PopCap Games
2009-06-17 06:47 . 2009-06-19 18:37 41 ----a-w- c:\windows\popcinfot.dat
2009-06-17 06:26 . 2009-06-17 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-06-15 19:04 . 2009-06-15 19:04 -------- d-----w- c:\temp\MTGOInstall
2009-06-15 19:04 . 2009-06-15 19:04 -------- d-----w- C:\Temp
2009-06-15 19:01 . 2009-06-15 19:05 -------- d-----w- c:\documents and settings\hp\Application Data\Wizards of the Coast
2009-06-14 10:11 . 2009-06-14 10:11 40960 --sh--w- c:\documents and settings\hp\Application Data\Microsoft\Windows\ms64.exe
2009-06-04 17:05 . 2009-06-04 17:05 -------- d-----w- c:\program files\iPod
2009-06-04 17:05 . 2009-06-04 17:05 -------- d-----w- c:\program files\iTunes
2009-06-04 17:05 . 2009-06-04 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 17:03 . 2009-06-04 17:04 -------- d-----w- c:\program files\QuickTime
2009-06-04 17:01 . 2009-06-04 17:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 17:00 . 2009-06-04 17:00 -------- d-----w- c:\program files\Bonjour
2009-05-30 00:50 . 2009-05-30 00:50 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Ascaron Entertainment
2009-05-30 00:50 . 2009-05-30 00:50 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-30 00:44 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-05-30 00:44 . 2009-05-30 00:44 -------- d-----w- c:\windows\Logs
2009-05-30 00:44 . 2009-05-30 00:44 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-30 00:44 . 2009-05-30 00:44 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-05-30 00:41 . 2009-05-30 00:41 -------- d-----w- c:\windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2009-05-29 23:57 . 2009-05-29 23:57 -------- d-----w- c:\documents and settings\hp\Application Data\Motive
2009-05-29 23:56 . 2009-05-29 23:57 -------- d-----w- c:\program files\Common Files\Motive
2009-05-29 23:56 . 2009-05-30 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-05-29 23:55 . 2009-05-29 23:55 29696 ----a-r- c:\documents and settings\hp\Application Data\Microsoft\Installer\{BBB08B2B-F1F7-43BF-803F-AA3AA807E9FF}\IconF0CEFCC9.exe
2009-05-29 22:27 . 2009-05-30 00:03 -------- d-----w- c:\program files\verizon
2009-05-24 21:28 . 2009-06-06 21:30 -------- d-----w- c:\documents and settings\hp\Application Data\foobar2000
2009-05-24 21:27 . 2009-05-24 21:33 -------- d-----w- c:\program files\foobar2000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 18:00 . 2008-11-15 05:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-19 18:00 . 2008-11-15 05:06 -------- d-----w- c:\program files\SpywareBlaster
2009-06-19 17:17 . 2008-12-26 23:52 -------- d-----w- c:\program files\Steam
2009-06-19 16:05 . 2008-11-14 18:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-19 03:43 . 2009-04-10 15:07 -------- d-----w- c:\documents and settings\hp\Application Data\EVEMon
2009-06-18 17:29 . 2008-11-14 18:04 -------- d-----w- c:\program files\AIM6
2009-06-18 17:27 . 2008-11-14 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-18 05:51 . 2009-04-10 15:07 -------- d-----w- c:\program files\EVEMon
2009-06-18 05:10 . 2007-10-30 00:12 -------- d-----w- c:\program files\WildTangent
2009-06-18 00:45 . 2009-01-20 19:52 -------- d-----w- c:\documents and settings\hp\Application Data\Azureus
2009-06-15 19:01 . 2007-10-29 22:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-06 21:45 . 2008-11-14 22:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-04 17:05 . 2008-12-22 20:31 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 04:53 . 2009-02-17 02:58 -------- d-----w- c:\documents and settings\hp\Application Data\mIRC
2009-06-04 04:45 . 2009-02-17 02:58 -------- d-----w- c:\program files\mIRC
2009-06-03 20:54 . 2009-03-15 18:08 -------- d-----w- c:\documents and settings\hp\Application Data\Rominator Data
2009-05-30 16:00 . 2007-10-29 23:50 64296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 00:41 . 2009-01-11 05:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-20 15:57 . 2008-11-14 18:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-19 22:33 . 2009-05-19 22:33 103720 ----a-w- c:\documents and settings\hp\GoToAssistDownloadHelper.exe
2009-05-19 19:48 . 2009-05-19 19:48 -------- d-----w- c:\program files\Trend Micro
2009-05-19 18:32 . 2009-05-19 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-19 05:36 . 2009-06-18 17:27 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-18 17:27 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-18 17:27 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-18 17:27 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-18 17:27 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-18 17:27 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-18 17:27 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-18 17:27 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-13 13:18 . 2009-04-22 17:30 77312 ----a-w- c:\windows\DEVCON.EXE
2009-05-07 15:32 . 2004-08-05 04:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 07:00 . 2009-05-06 07:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-05 18:26 . 2008-11-26 17:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-05 16:03 . 2009-05-05 16:03 -------- d-----w- c:\program files\Microsoft
2009-05-05 16:03 . 2009-05-05 16:02 -------- d-----w- c:\program files\Windows Live
2009-05-05 16:03 . 2009-05-05 16:03 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-05 16:01 . 2009-05-05 16:01 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-02 21:58 . 2009-04-26 02:03 -------- d-----w- c:\program files\PC Video Converter Studio
2009-04-29 04:46 . 2004-08-05 04:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-05 04:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 02:46 . 2009-04-26 02:46 -------- d-----w- c:\program files\Xvid
2009-04-26 02:44 . 2008-12-05 04:16 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-04-26 02:18 . 2009-04-26 02:18 -------- d-----w- c:\program files\Common Files\Common Share
2009-04-26 02:13 . 2009-04-26 02:11 -------- d-----w- c:\documents and settings\hp\Application Data\GetRightToGo
2009-04-26 02:09 . 2009-04-26 02:03 -------- d-----w- c:\program files\Common Files\Program4Pc
2009-04-21 14:45 . 2009-04-21 14:45 -------- d-----w- c:\program files\Alwil Software
2009-04-17 12:26 . 2004-08-05 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-05 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-22 05:55 . 2009-03-22 05:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-22 05:54 . 2009-03-22 05:54 152576 ----a-w- c:\documents and settings\hp\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-14 4608]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-11-06 50472]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\hp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-19 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 136600]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"HostManager"="c:\program files\Common Files\AOL\1226687932\ee\AOLSoftware.exe" [2008-06-24 41824]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-19 518488]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-16 1519616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1226687932\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\dalrint\\space empires iv deluxe\\se4\\Se4.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\World of Warcraft\\Interface\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spaceempiresv\\SE5\\SE5.exe"=
"d:\\Games\\Dungeon Siege II\\DungeonSiege2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/21/2009 10:46 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/21/2009 10:46 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/14/2008 2:05 PM 24652]
S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/19/2009 1:50 PM 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1003344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - LAVASOFT_AD-AWARE_SERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:50]

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1423389278-3132741993-1549181365-1005.job
- c:\documents and settings\hp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 15:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????c??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-19 15:13
ComboFix-quarantined-files.txt 2009-06-19 19:13
ComboFix2.txt 2009-06-19 18:59

Pre-Run: 10,627,436,544 bytes free
Post-Run: 10,598,739,968 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
245 --- E O F --- 2009-06-11 07:06
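Added example, not part of the thread and not code from HijackThis or ComboFix: a small triage script that runs a few detection heuristics over lines copied from the two logs above (orphaned BHO registrations, Run entries that are bare filenames or live in user-writable profile directories, hidden+system executables in a ComboFix file listing). The heuristics are this example's own, a hit is a candidate for a human to verify rather than a verdict (the GoogleUpdate entry it flags is a legitimate program), and the meaning of the letters in ComboFix's attribute column is an assumption.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\hp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"""

# Constructed sample: lines copied from the ComboFix "Files Created" section above.
SAMPLE_COMBOFIX = r"""
2009-06-19 17:58 . 2009-06-19 17:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-14 10:11 . 2009-06-14 10:11 40960 --sh--w- c:\documents and settings\hp\Application Data\Microsoft\Windows\ms64.exe
2009-06-04 17:05 . 2009-06-04 17:05 -------- d-----w- c:\program files\iTunes
"""

Finding = Tuple[str, str]  # (category, detail)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# ComboFix "Files Created" row: created . modified size attributes path
CF_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (?P<attrs>\S{8}) (?P<path>.+)$")

# Directories a standard XP user can write to. A Run entry pointing here is not
# malicious by itself, but it is where a user-level hijacker would have to live,
# so every such entry gets looked at by hand.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\", "\\temp\\")


def image_path(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path if quoted,
    otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hjt(lines: Iterable[str]) -> List[Finding]:
    """Flag HijackThis O2/O4 lines worth a closer look; other line types are skipped."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            # A BHO CLSID with no DLL on disk: leftover of a removed (or partly
            # cleaned) component. Harmless now, but it should still be removed.
            if m["target"].strip().lower() == "(no file)":
                findings.append(("orphaned-bho", m["clsid"]))
            continue
        m = O4_RE.match(line)
        if m:
            path = image_path(m["cmd"])
            if "\\" not in path and not path.startswith("%"):
                # Bare filename: Windows resolves it through the search path, so
                # confirm which file actually runs before trusting the entry.
                findings.append(("bare-filename", path))
            elif any(seg in path.lower() for seg in USER_WRITABLE):
                findings.append(("user-profile-path", path))
    return findings


def triage_combofix(lines: Iterable[str]) -> List[Finding]:
    """Flag ComboFix file rows that are executables marked both system and hidden."""
    findings: List[Finding] = []
    for line in lines:
        m = CF_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m["attrs"], m["path"].lower()
        # Assumed ComboFix convention: 's' = system, 'h' = hidden in the attribute
        # column. An .exe carrying both, outside the Windows directory, is the
        # classic way a dropped binary hides itself from Explorer's default view.
        if "s" in attrs and "h" in attrs and path.endswith(".exe") \
                and not path.startswith("c:\\windows\\"):
            findings.append(("hidden-system-exe", m["path"]))
    return findings


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_HJT.splitlines()) + triage_combofix(SAMPLE_COMBOFIX.splitlines())
    for category, detail in results:
        print(f"{category:18} {detail}")
```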


#2 Dalrint

  • Topic Starter

  • Members
  • 13 posts

Posted 21 June 2009 - 08:25 PM

I don't know if I'm allowed to bump this, but nothing I've tried is fixing my computer, and it's getting really irritating now, and I don't trust it enough to do my banking on it at the moment (which will be a problem in a few days). And it's been two days since I posted this.

So, uhm. Help, please? It doesn't seem to be getting any worse, but nothing I've scanned has come up with anything.
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 22 June 2009 - 12:07 AM.


#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,671 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:39 PM

Posted 23 June 2009 - 05:29 PM

Hi Dalrint,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between one another, as the name(s) suggest. In today's world, cybercrime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following programs via Add or Remove Programs if you are using them (if present):

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it, also remove the folder in bold: C:\Program Files\Viewpoint

  • You still have some leftovers from an incompletely uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: The Norton Removal Tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Please go to Start => Run => copy and paste the bold line into the run box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.

  • Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.


#4 Dalrint

Dalrint
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:39 AM

Posted 24 June 2009 - 01:14 AM

Okay, did the uninstalls and cleaned off the bits of Norton and ran GooredFix.

Here's the log:

GooredFix v1.92 by jpshortstuff
Log created at 02:10 on 24/06/2009 running Option #1 (hp)
Firefox version 3.0.11 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"bkmrksync@nokia.com"="C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\"

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,671 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:39 PM

Posted 24 June 2009 - 01:20 AM

Go to Start > Run, copy/paste the following line into the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

Edited by farbar, 24 June 2009 - 01:20 AM.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,671 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:39 PM

Posted 24 June 2009 - 01:27 AM

Please do step 3 from the previous post too.

#7 Dalrint

Dalrint
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:39 AM

Posted 24 June 2009 - 01:30 AM

Oh whoops! I overlooked step three entirely. Sorry about this.

Here's the add-remove list:

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
AIM 6
AiO_Scan_CDA
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Bonjour
Bookworm Adventures Deluxe 1.0
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
CDisplay 1.8
Choice Guard
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Curse Client
Destinations
DeviceManagementQFolder
Diablo II
Dungeon Siege 2
Dungeon Siege 2 Broken World
Escape Rosecliff Island 1.00
EVE Online (remove only)
EVEMon
FATE
foobar2000 v0.9.6.7
Free PDF to Word Doc Converter v1.1
FullDPAppQFolder
GameTap
Google Chrome
Google Talk (remove only)
HDAUDIO Soft Data Fax Modem with SmartCP
Heroes of Might & Magic V: Hammers of Fate
Heroes of Might and Magic V - Tribes of the East
Heroes of Might and Magic V Collector Edition
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Help and Support
HP Imaging Device Functions 6.0
HP Integrated Module with Bluetooth wireless technology
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 6.1.A
HP Quick Launch Buttons 6.00 E2
HP QuickPlay 2.1
HP Update
HP User Guides--System Recovery
HP User Guides 0011
HP Wireless Assistant 2.00 E1
HpSdpAppCoreApp
Insaniquarium Patch Installer 1.2
InstantShareDevices
Intel® PRO Network Connections Drivers
iTunes
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 11
K-Lite Codec Pack 4.3.4 (Standard)
LightScribe 1.4.74.1
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Magic Online III
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Professional Edition 2003
Microsoft VC9 runtime libraries
mIRC
Mobile Xtreme-G 177.92 XP 32bit
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (2.0.0.21)
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB954430)
NetWaiting
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA Drivers
NVIDIA PhysX v8.11.18
Office 2003 Trial Assistant
OptionalContentQFolder
PC Connectivity Solution
PhotoGallery
Plants Vs Zombies Demo
PSP ISO Compressor
QuickTime
RandMap
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Segoe UI
SkinsHP1
SmartAudio
Sonic_PrimoSDK
Space Empires IV Deluxe
Space Empires V
Spore
Spybot - Search & Destroy
SpywareBlaster 4.2
Steam
Synaptics Pointing Device Driver
TeamSpeak 2 RC2
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TourSetup
Uninstall AOL Emergency Connect Utility 1.0
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Ventrilo Client
Verizon FiOS Connection Wizard
Verizon Help and Support Tool
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vongo
Vuze
WebFldrs XP
WildTangent Web Driver
Windows Driver Package - Nokia Modem (10/27/2008 3.9)
Windows Driver Package - Nokia Modem (10/27/2008 7.01.0.1)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
Wireless Home Network Setup
Woofy 0.5
World of Warcraft
Xvid 1.2.1 final uninstall



And here's the log from the cmd prompt:

Windows IP Configuration

Host Name . . . . . . . . . . . . : Pandora
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : 00-13-02-60-AA-FA
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Wednesday, June 24, 2009 2:05:30 AM
Lease Expires . . . . . . . . . . : Thursday, June 25, 2009 2:05:30 AM

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.127.100, 74.125.67.100, 74.125.45.100

Pinging google.com [74.125.127.100] with 32 bytes of data:

Reply from 74.125.127.100: bytes=32 time=103ms TTL=231
Reply from 74.125.127.100: bytes=32 time=102ms TTL=231

Ping statistics for 74.125.127.100:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 102ms, Maximum = 103ms, Average = 102ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 02 60 aa fa ...... Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      192.168.1.3     192.168.1.3      20
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3      25
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3      25
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3      25
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3       1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,671 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:39 PM

Posted 24 June 2009 - 03:33 AM

  • Please disable Ad-Watch as instructed here:
    http://www.lavasoftsupport.com/index.php?showtopic=19804
    You may enable Ad-Watch again when the issue is resolved.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let it reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please delete your ComboFix from the desktop and download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Go to Start > Run, copy/paste the following line into the run box and click OK.

    cmd /c notepad C:\windows\system32\drivers\etc\hosts

    A text file opens. Please post its content to your reply.

  • Tell me also if redirection occurs in both Internet Explorer and Firefox.
Please include in your next reply:
  • The log of MBAM.
  • The ComboFix log.
  • The content of hosts.
  • Feedback about the redirection.

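The hosts file requested above is one of the first places a search redirect can be planted, so here is a small checker that reads a Windows hosts file as text and reports any mapping a clean machine would not carry. This is an added example, not part of the thread or of any tool named in it; the watch-list of domains and the sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that could explain a search-engine redirect.

Added example, not from this thread: it takes the text of a Windows hosts
file and reports mappings that a normal machine would never have. The
watch-list and the sample file are constructed for illustration.
"""
import ipaddress

# Domains a redirect/blackhole hijack commonly touches (constructed watch-list).
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com",
                   "microsoft.com", "malwarebytes.org", "avast.com")


def parse_hosts(text):
    """Return (lineno, ip_or_None, hostname) tuples for every mapping.

    Comments (# ...) and blank lines are skipped; one line may carry several
    hostnames. A first token that is not an IP address is returned with
    ip=None so the caller can report it instead of silently dropping it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            entries.append((lineno, None, tokens[0]))
            continue
        for name in tokens[1:]:
            entries.append((lineno, str(addr), name.lower()))
    return entries


def _is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return (lineno, kind, detail) findings for a hosts file.

    kind is one of:
      malformed  - first token is not an IP address
      blackholed - a watched domain points at loopback (updates/searches blocked)
      redirected - a watched domain points anywhere else
      public     - any other name mapped to a non-private, non-loopback address
    The stock 'localhost -> loopback' line is never reported.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed", name))
            continue
        addr = ipaddress.ip_address(ip)
        if name == "localhost" and addr.is_loopback:
            continue
        detail = f"{name} -> {ip}"
        if _is_watched(name):
            kind = "blackholed" if addr.is_loopback else "redirected"
            findings.append((lineno, kind, detail))
        elif not (addr.is_loopback or addr.is_private):
            findings.append((lineno, "public", detail))
    return findings


# Constructed sample: a stock XP hosts file with two tampered lines appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
203.0.113.7     www.google.com google.com
192.168.1.50    fileserver.home
"""

if __name__ == "__main__":
    for lineno, kind, detail in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {detail}")
```

A clean XP hosts file yields no findings; the LAN alias on the last sample line is private and is left alone, while the two appended lines are reported as blackholed and redirected.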

#9 Dalrint

Dalrint
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:39 AM

Posted 24 June 2009 - 09:55 AM

Okay. Let's see now. First off, I tried it in IE as well as firefox. It's still redirecting in Firefox, it is not doing it in IE. I don't know if it ever did, I don't really use IE.

MBAM Log:

Malwarebytes' Anti-Malware 1.38
Database version: 2329
Windows 5.1.2600 Service Pack 3

6/24/2009 10:37:23 AM
mbam-log-2009-06-24 (10-37-23).txt

Scan type: Quick Scan
Objects scanned: 69652
Time elapsed: 5 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Combofix Log:


ComboFix 09-06-23.01 - hp 06/24/2009 10:43.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1441 [GMT -4:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090623-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-24 10:58 . 2009-06-24 10:58 152576 ----a-w- c:\documents and settings\hp\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-24 06:03 . 2009-06-24 06:03 -------- d-----w- c:\documents and settings\hp\Application Data\Viewpoint
2009-06-24 05:12 . 2009-06-24 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-22 01:18 . 2009-06-22 01:18 -------- d-----w- c:\documents and settings\hp\Application Data\ZoomBrowser EX
2009-06-22 01:14 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-06-22 01:14 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-06-22 01:12 . 2009-06-22 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-06-22 01:12 . 2009-06-22 01:13 -------- d-----w- c:\program files\Canon
2009-06-22 01:10 . 2009-06-22 01:10 -------- d-----w- c:\program files\Common Files\Canon
2009-06-19 17:58 . 2009-06-19 17:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-19 17:48 . 2009-06-19 17:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 17:48 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-19 17:48 . 2009-06-19 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-19 17:48 . 2009-06-19 17:48 -------- d-----w- c:\program files\Lavasoft
2009-06-19 16:56 . 2009-06-19 16:56 -------- d-----w- c:\documents and settings\hp\Application Data\Malwarebytes
2009-06-19 16:56 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 16:56 . 2009-06-19 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 16:56 . 2009-06-19 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 16:56 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 05:51 . 2009-06-18 05:51 2198510 ----a-w- c:\documents and settings\hp\Application Data\EVEMon\EVEMon-install-1.2.8.1385.exe
2009-06-18 05:09 . 2009-06-18 05:09 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Wildtangent
2009-06-18 05:09 . 2009-06-18 05:10 -------- d-----w- c:\windows\wt
2009-06-17 21:29 . 2009-06-17 21:29 -------- d-----w- c:\documents and settings\hp\Application Data\SpinTop Games
2009-06-17 14:59 . 2009-06-17 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-06-17 07:12 . 2009-06-17 07:12 737280 ----a-w- c:\windows\iun6002.exe
2009-06-17 07:11 . 2009-06-17 07:11 0 ----a-w- c:\windows\popcinfo.dat
2009-06-17 06:54 . 2009-06-17 07:12 -------- d-----w- c:\program files\PopCap Games
2009-06-17 06:47 . 2009-06-22 02:03 41 ----a-w- c:\windows\popcinfot.dat
2009-06-17 06:26 . 2009-06-17 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-06-15 19:04 . 2009-06-15 19:04 -------- d-----w- c:\temp\MTGOInstall
2009-06-15 19:04 . 2009-06-15 19:04 -------- d-----w- C:\Temp
2009-06-15 19:01 . 2009-06-15 19:05 -------- d-----w- c:\documents and settings\hp\Application Data\Wizards of the Coast
2009-06-14 10:11 . 2009-06-14 10:11 40960 --sh--w- c:\documents and settings\hp\Application Data\Microsoft\Windows\ms64.exe
2009-06-04 17:05 . 2009-06-04 17:05 -------- d-----w- c:\program files\iPod
2009-06-04 17:05 . 2009-06-04 17:05 -------- d-----w- c:\program files\iTunes
2009-06-04 17:05 . 2009-06-04 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 17:03 . 2009-06-04 17:04 -------- d-----w- c:\program files\QuickTime
2009-06-04 17:01 . 2009-06-04 17:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 17:00 . 2009-06-04 17:00 -------- d-----w- c:\program files\Bonjour
2009-05-30 00:50 . 2009-05-30 00:50 -------- d-----w- c:\documents and settings\hp\Local Settings\Application Data\Ascaron Entertainment
2009-05-30 00:50 . 2009-05-30 00:50 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-30 00:44 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-05-30 00:44 . 2009-05-30 00:44 -------- d-----w- c:\windows\Logs
2009-05-30 00:44 . 2009-05-30 00:44 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-30 00:44 . 2009-05-30 00:44 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-05-30 00:41 . 2009-05-30 00:41 -------- d-----w- c:\windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2009-05-29 23:57 . 2009-05-29 23:57 -------- d-----w- c:\documents and settings\hp\Application Data\Motive
2009-05-29 23:56 . 2009-05-29 23:57 -------- d-----w- c:\program files\Common Files\Motive
2009-05-29 23:56 . 2009-05-30 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-05-29 23:55 . 2009-05-29 23:55 29696 ----a-r- c:\documents and settings\hp\Application Data\Microsoft\Installer\{BBB08B2B-F1F7-43BF-803F-AA3AA807E9FF}\IconF0CEFCC9.exe
2009-05-29 22:27 . 2009-05-30 00:03 -------- d-----w- c:\program files\verizon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 13:16 . 2007-10-29 22:44 -------- d-----w- c:\program files\Java
2009-06-24 06:37 . 2008-11-14 18:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-24 06:09 . 2008-12-26 23:52 -------- d-----w- c:\program files\Steam
2009-06-24 05:14 . 2007-10-30 00:16 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-24 05:04 . 2008-11-14 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-24 05:03 . 2008-11-14 18:05 -------- d-----w- c:\program files\Viewpoint
2009-06-22 18:54 . 2008-11-15 05:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 18:54 . 2008-11-15 05:06 -------- d-----w- c:\program files\SpywareBlaster
2009-06-22 14:38 . 2009-01-20 19:52 -------- d-----w- c:\documents and settings\hp\Application Data\Azureus
2009-06-22 03:10 . 2009-04-10 15:07 -------- d-----w- c:\documents and settings\hp\Application Data\EVEMon
2009-06-18 17:29 . 2008-11-14 18:04 -------- d-----w- c:\program files\AIM6
2009-06-18 17:27 . 2008-11-14 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-18 05:51 . 2009-04-10 15:07 -------- d-----w- c:\program files\EVEMon
2009-06-18 05:10 . 2007-10-30 00:12 -------- d-----w- c:\program files\WildTangent
2009-06-15 19:01 . 2007-10-29 22:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-06 21:45 . 2008-11-14 22:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-06 21:30 . 2009-05-24 21:28 -------- d-----w- c:\documents and settings\hp\Application Data\foobar2000
2009-06-04 17:05 . 2008-12-22 20:31 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 04:53 . 2009-02-17 02:58 -------- d-----w- c:\documents and settings\hp\Application Data\mIRC
2009-06-04 04:45 . 2009-02-17 02:58 -------- d-----w- c:\program files\mIRC
2009-06-03 20:54 . 2009-03-15 18:08 -------- d-----w- c:\documents and settings\hp\Application Data\Rominator Data
2009-05-30 16:00 . 2007-10-29 23:50 64296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 00:41 . 2009-01-11 05:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-24 21:33 . 2009-05-24 21:27 -------- d-----w- c:\program files\foobar2000
2009-05-20 15:57 . 2008-11-14 18:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-19 22:33 . 2009-05-19 22:33 103720 ----a-w- c:\documents and settings\hp\GoToAssistDownloadHelper.exe
2009-05-19 19:48 . 2009-05-19 19:48 -------- d-----w- c:\program files\Trend Micro
2009-05-19 18:32 . 2009-05-19 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-19 05:36 . 2009-06-18 17:27 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-18 17:27 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-18 17:27 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-18 17:27 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-18 17:27 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-18 17:27 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-18 17:27 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-18 17:27 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-13 13:18 . 2009-04-22 17:30 77312 ----a-w- c:\windows\DEVCON.EXE
2009-05-07 15:32 . 2004-08-05 04:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 07:00 . 2009-05-06 07:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-05 18:26 . 2008-11-26 17:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-05 16:03 . 2009-05-05 16:03 -------- d-----w- c:\program files\Microsoft
2009-05-05 16:03 . 2009-05-05 16:02 -------- d-----w- c:\program files\Windows Live
2009-05-05 16:03 . 2009-05-05 16:03 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-05 16:01 . 2009-05-05 16:01 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-02 21:58 . 2009-04-26 02:03 -------- d-----w- c:\program files\PC Video Converter Studio
2009-04-29 04:46 . 2004-08-05 04:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-05 04:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 02:46 . 2009-04-26 02:46 -------- d-----w- c:\program files\Xvid
2009-04-26 02:44 . 2008-12-05 04:16 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-04-26 02:18 . 2009-04-26 02:18 -------- d-----w- c:\program files\Common Files\Common Share
2009-04-26 02:13 . 2009-04-26 02:11 -------- d-----w- c:\documents and settings\hp\Application Data\GetRightToGo
2009-04-26 02:09 . 2009-04-26 02:03 -------- d-----w- c:\program files\Common Files\Program4Pc
2009-04-17 12:26 . 2004-08-05 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-05 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2004-08-05 04:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[7] 2004-08-05 04:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[7] 2004-08-05 04:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-07-03 17:09 659456 6E533D155B259EB2363D3E04B5BE309F c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2006-01-09 18:02 662016 DDE9597A3311748C1519444E2BC147BD c:\windows\$hf_mig$\KB912945\SP2QFE\wininet.dll
[7] 2008-08-20 05:33 667648 C91E3A6EF094202F6B5CA8960DFCF243 c:\windows\$hf_mig$\KB956390\SP2QFE\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
[7] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
[7] 2008-10-16 01:04 667136 E8FCE58A470999350F64C591557F9E42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[7] 2009-02-20 07:50 667648 711FEABED387B29FF7ED61BC6806A06C c:\windows\$hf_mig$\KB963027\SP3QFE\wininet.dll
[7] 2009-04-29 04:21 668160 04BCB4F87B35502568F6CF33433543A5 c:\windows\$hf_mig$\KB969897\SP3QFE\wininet.dll
[7] 2008-08-20 05:38 659456 87E694D09893978F22024FEEEDF35342 c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2004-08-05 04:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB896727$\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\$NtUninstallKB956390$\wininet.dll
[-] 2006-01-09 18:08 658432 D9E3F8440D208698B3F0E5CFAC26DAA1 c:\windows\$NtUninstallKB956390_0$\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$NtUninstallKB958215$\wininet.dll
[7] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\$NtUninstallKB963027$\wininet.dll
[7] 2009-02-20 08:10 666112 5B6A3EB7BB2F338BC2CB9F2FA4AAEA9E c:\windows\$NtUninstallKB969897$\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\system32\wininet.dll
[7] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\system32\dllcache\wininet.dll

[-] 2005-05-26 10:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-14 08:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2006-01-13 17:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-05 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-26 10:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-05 04:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2006-01-10 01:01 182528 AA898F84D2B59129FB92E143A2C73434 c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2004-08-05 04:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtUninstallKB912436$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2004-08-05 04:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 23:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2020864 501FDE895F35DF1DAE49FD54BBF9D396 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-04 06:59 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtUninstallKB896256$\ntkrnlpa.exe
[-] 2005-09-28 23:35 2015744 48472D224E1703882B4DE0E28E205E9B c:\windows\$NtUninstallKB909095$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2005-10-11 23:54 2015232 0C691ECAD81707D3A7797512AC932C62 c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-15 00:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:55 2142720 60794EA12961B7341AD54C731B50AE15 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-04 07:18 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtUninstallKB896256$\ntoskrnl.exe
[-] 2005-09-29 00:02 2136064 25C36DBC46E8EFF2A811769A60715AC5 c:\windows\$NtUninstallKB909095$\ntoskrnl.exe
[7] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2005-10-12 00:18 2136064 C5290E302241594B668A378D89FD903E c:\windows\$NtUninstallKB956841_0$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[7] 2004-08-05 04:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-05 04:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[7] 2004-08-05 04:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[7] 2004-08-05 04:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 15:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-11 14:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-05 04:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[7] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[7] 2004-08-05 04:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[7] 2004-08-05 04:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2004-08-05 04:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[7] 2004-08-05 04:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[7] 2004-08-05 04:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[7] 2004-08-05 04:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[7] 2004-08-05 04:00 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll

[7] 2004-08-04 21:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-19_18.58.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-24 06:05 . 2009-06-24 06:05 16384 c:\windows\temp\Perflib_Perfdata_5f8.dat
+ 2009-06-24 13:16 . 2009-06-24 13:16 16384 c:\windows\temp\Perflib_Perfdata_11c0.dat
+ 2009-06-24 13:16 . 2009-03-09 09:19 148888 c:\windows\system32\javaws.exe
- 2009-03-22 05:55 . 2009-03-22 05:55 148888 c:\windows\system32\javaws.exe
- 2009-03-22 05:55 . 2009-03-22 05:55 144792 c:\windows\system32\javaw.exe
+ 2009-06-24 13:16 . 2009-03-09 09:19 144792 c:\windows\system32\javaw.exe
- 2009-03-22 05:55 . 2009-03-22 05:55 144792 c:\windows\system32\java.exe
+ 2009-06-24 13:16 . 2009-03-09 09:19 144792 c:\windows\system32\java.exe
+ 2009-03-22 05:55 . 2009-03-09 09:19 410984 c:\windows\system32\deploytk.dll
- 2009-03-22 05:55 . 2009-03-22 05:55 410984 c:\windows\system32\deploytk.dll
- 2007-10-30 02:00 . 2007-10-30 01:22 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-10-30 02:00 . 2009-06-24 13:16 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-14 4608]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-11-06 50472]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\hp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-19 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"HostManager"="c:\program files\Common Files\AOL\1226687932\ee\AOLSoftware.exe" [2008-06-24 41824]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-19 518488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-16 1519616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1226687932\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\dalrint\\space empires iv deluxe\\se4\\Se4.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\World of Warcraft\\Interface\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spaceempiresv\\SE5\\SE5.exe"=
"d:\\Games\\Dungeon Siege II\\DungeonSiege2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/19/2009 1:50 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/21/2009 10:46 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/21/2009 10:46 AM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1003344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:50]

2009-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1423389278-3132741993-1549181365-1005.job
- c:\documents and settings\hp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\51qp0s3s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.sluggy.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\hp\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 10:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????c??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-24 10:51
ComboFix-quarantined-files.txt 2009-06-24 14:51
ComboFix2.txt 2009-06-22 16:38
ComboFix3.txt 2009-06-19 19:13
ComboFix4.txt 2009-06-19 18:59

Pre-Run: 10,825,887,744 bytes free
Post-Run: 10,847,801,344 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
400 --- E O F --- 2009-06-11 07:06




Host!!

127.0.0.1 localhost



aaaaaand Java is updated.

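The Sigcheck block in the ComboFix log above lists, for each critical system file, the hash of the copy Windows actually loads next to the hashes of its backup copies. The check a responder makes on such output is whether the live copy agrees with the dllcache (or ServicePackFiles) reference, since a patched system file is one way a redirect survives a clean antivirus scan. The script below is an added example written for this thread; it is not ComboFix code and nobody in the thread ran it. It assumes the line layout visible in the posted log, and, because the page does not document the meaning of the bracketed flag column, it treats only `[-]` as "not verified", as a working assumption. One caveat built in: on this very log the kernel images (ntkrnlpa.exe, ntoskrnl.exe) differ in size and hash between system32 and dllcache; XP ships uniprocessor and multiprocessor kernel builds under the same installed name, so a mismatch there is a prompt to inspect, not proof of tampering.

```python
"""Triage the '------- Sigcheck -------' block of a ComboFix log.

Added example for this thread; not ComboFix code. Line layout follows the log
posted above:   [flag] YYYY-MM-DD HH:MM size MD5 path
The flag column is undocumented on the page; as a working assumption '[-]' is
treated as 'not verified'. The main job is to compare the live copy of each
file with a reference copy (dllcache first, then ServicePackFiles\\i386).
"""
import ntpath
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<path>\S.*)$"
)

# Directories holding the copy Windows actually loads (lower-cased, no trailing slash).
LIVE_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32", r"c:\windows")
# Reference copies in order of preference: dllcache tracks the latest hotfix,
# ServicePackFiles\i386 is the SP3 baseline and may legitimately be older.
REF_DIRS = (r"c:\windows\system32\dllcache", r"c:\windows\servicepackfiles\i386")


def parse_sigcheck(text):
    """Return one dict per sigcheck line; headers, blanks and other log lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].strip().lower()
        entries.append(e)
    return entries


def triage(entries):
    """Group by file name and compare the live copy with a reference copy.

    Returns {name: {"status": s, "live": entry|None, "ref": entry|None}} where s is
    one of: ok, mismatch, live-unverified, no-live-copy, no-reference.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[ntpath.basename(e["path"])].append(e)

    report = {}
    for name, group in by_name.items():
        live = next((e for e in group if ntpath.dirname(e["path"]) in LIVE_DIRS), None)
        ref = None
        for ref_dir in REF_DIRS:
            ref = next((e for e in group if ntpath.dirname(e["path"]) == ref_dir), None)
            if ref is not None:
                break
        if live is None:
            status = "no-live-copy"
        elif live["flag"] == "-":
            status = "live-unverified"
        elif ref is None:
            status = "no-reference"
        elif live["md5"] == ref["md5"]:
            status = "ok"
        else:
            status = "mismatch"
        report[name] = {"status": status, "live": live, "ref": ref}
    return report


def findings(report):
    """One human-readable line for every file that is not plainly 'ok'."""
    out = []
    for name in sorted(report):
        r, live, ref = report[name], report[name]["live"], report[name]["ref"]
        if r["status"] == "ok":
            continue
        detail = ""
        if live is not None and ref is not None:
            detail = (f" live {live['md5']} ({live['size']} B, {live['date']})"
                      f" vs ref {ref['md5']} ({ref['size']} B, {ref['date']}) at {ref['path']}")
        out.append(f"{name}: {r['status']}{detail}")
    return out


# Sample input: the first three groups are copied from the log posted in this
# thread; the ndis.sys pair is constructed to exercise the '[-]' branch.
SAMPLE = r"""
------- Sigcheck -------

[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe

[-] 2009-06-01 00:00 182656 00000000000000000000000000000000 c:\windows\system32\drivers\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
"""

if __name__ == "__main__":
    for line in findings(triage(parse_sigcheck(SAMPLE))):
        print(line)
```

Run against the whole posted log, the script reports ntkrnlpa.exe and ntoskrnl.exe as mismatches and everything else as ok; treat those two as the kernel-build case noted above unless the dates or signer disagree as well. To use it on a real log, read the file and pass its text to `parse_sigcheck`.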
#10 Farbar

    Just Curious

  • Security Developer
  • 21,671 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 June 2009 - 10:26 AM

Well done and thanks for the feedback. :thumbup2:

All the logs look good. Let's see if this can catch it:


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#11 Dalrint
  • Topic Starter
  • Members
  • 13 posts

Posted 24 June 2009 - 01:23 PM

Okay, here's the log, but it didn't find anything except some tracking cookies. HOWEVER. Google search selections are not being redirected now.

Could all that have really been caused by a tracking cookie?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/24/2009 at 01:50 PM

Application Version : 4.26.1006

Core Rules Database Version : 3953
Trace Rules Database Version: 1895

Scan type : Complete Scan
Total Scan Time : 01:32:42

Memory items scanned : 631
Memory threats detected : 0
Registry items scanned : 6247
Registry threats detected : 0
File items scanned : 111407
File threats detected : 21

Adware.Tracking Cookie
C:\Documents and Settings\hp\Cookies\hp@atdmt[2].txt
C:\Documents and Settings\hp\Cookies\hp@specificmedia[2].txt
C:\Documents and Settings\hp\Cookies\hp@invitemedia[2].txt
C:\Documents and Settings\hp\Cookies\hp@interclick[2].txt
C:\Documents and Settings\hp\Cookies\hp@collective-media[1].txt
C:\Documents and Settings\hp\Cookies\hp@insightexpressai[2].txt
C:\Documents and Settings\hp\Cookies\hp@media6degrees[2].txt
C:\Documents and Settings\hp\Cookies\hp@kontera[2].txt
C:\Documents and Settings\hp\Cookies\hp@at.atwola[1].txt
C:\Documents and Settings\hp\Cookies\hp@adlytics[1].txt
C:\Documents and Settings\hp\Cookies\hp@adserver.adtechus[1].txt
C:\Documents and Settings\hp\Cookies\hp@revsci[1].txt
C:\Documents and Settings\hp\Cookies\hp@cdn.at.atwola[1].txt
C:\Documents and Settings\hp\Cookies\hp@html[2].txt
C:\Documents and Settings\hp\Cookies\hp@hc2.humanclick[1].txt
C:\Documents and Settings\hp\Cookies\hp@19577831[2].txt
C:\Documents and Settings\hp\Cookies\hp@tacoda[1].txt
C:\Documents and Settings\hp\Cookies\hp@a1.interclick[2].txt
C:\Documents and Settings\hp\Cookies\hp@atwola[1].txt
C:\Documents and Settings\hp\Cookies\hp@click[1].txt
C:\Documents and Settings\hp\Cookies\hp@tacoda[2].txt

#12 Farbar

    Just Curious

  • Security Developer
  • 21,671 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 June 2009 - 02:13 PM

Okay, here's the log, but it didn't find anything except some tracking cookies. HOWEVER. Google search selections are not being redirected now.

I have seen this before, it removes nothing important but the redirection stops. Even on two computers that have nothing in common on the removed log. But what counts is that the job is done.

Could all that have really been caused by a tracking cookie?

I don't think so. The cookies make it easy to facilitate connection from bad sites toward your computer but they are not able to redirect the search engine.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /u

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


Happy Surfing!

#13 Dalrint
  • Topic Starter
  • Members
  • 13 posts

Posted 24 June 2009 - 06:53 PM

But if you do not think that the tracking cookie is what caused the redirection, doesn't that mean that whatever did cause it is still on my computer?

On second thought, never mind. It's still doing it!

It wasn't when I tested earlier, but now it is again. And I haven't even been using the computer all afternoon!

Edited by Dalrint, 24 June 2009 - 07:06 PM.


#14 Farbar

    Just Curious

  • Security Developer
  • 21,671 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 June 2009 - 02:45 AM

Since the redirection occurs only in Firefox, to make sure, we have the option to uninstall Firefox, remove all its folders and reinstall it. It will not take much time.

If you want to try it (I would):
  • If you want you may backup your Firefox bookmarks, otherwise skip this part.
    • Run Firefox. Under "Bookmarks" menu click "Organize Bookmarks..."
    • Expand "Import and Backups" menu and click "Export HTML..."
    • Save Bookmarks.html to the folder of your choice.
    • To put the bookmarks back later on, follow the same procedure but instead of "Export HTML..." select "Import HTML...", then navigate to Bookmarks.html to select and import it.
  • You may uninstall Firefox, remove all its components (the profile or profiles, add-ons and cookies, etc.) and then reinstall it again. To do that:
    • Please Download Firefox from its official site and save it to your desktop.
    • Close Firefox.
    • Click "start" --> "Control Panel" --> Double-click the "Add or Remove Programs" icon.
    • Click on the following entry and select "remove": Mozilla Firefox
    • Check the option "Remove my Firefox personal data and customizations" and click "Uninstall".
  • Use the windows search advanced options:
    • Go to start -> Search -> click All files and folders.
    • Click More advanced options.
    • Put a check mark in the box next to search system folders, search hidden files and folders and search sub-folders.
    • Make sure the Case Sensitive box is not checked.
    • Type firefox in the upper box and click on search.
    • Remove all the Firefox files and folders including these in bold:

      C:\Documents and Settings\hp\Application Data\Mozilla <-------- This folder
      C:\Program Files\Mozilla Firefox <-------- This folder
      C:\WINDOWS\Prefetch\FIREFOX.EXE* files <--- Delete All Firefox Prefetch files
  • Now install the downloaded Firefox again. And see if you get redirected.

Edited by farbar, 25 June 2009 - 02:48 AM.

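Before wiping a profile as the post above proposes, it is worth knowing what in it was carrying the redirect, since a search hijack in Firefox usually lives in a handful of prefs.js values (the ones ComboFix echoes as `FF - prefs.js:` in the log earlier in the thread): the keyword-search URL, the home page, and the proxy settings. The script below is an added example written for this thread, not code from the thread or from Mozilla. It parses the `user_pref("name", value);` lines of a prefs.js and flags search or proxy prefs that point somewhere unexpected. The trusted-host list is an assumption to adjust for the machine at hand, the first sample mirrors the prefs listed for this laptop, and the second sample, with the host `example-hijack.invalid`, is constructed to show what a hijacked profile looks like.

```python
"""Audit a Firefox prefs.js for search, homepage and proxy prefs that commonly
carry a browser hijack.

Added example for this thread; not code from the thread or from Mozilla.
Parses user_pref("name", value); lines. TRUSTED_SEARCH_HOSTS and the host
example-hijack.invalid in the second sample are assumptions for the demo.
"""
import json
import re
from urllib.parse import urlsplit

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Hosts a search-URL pref may legitimately point at (assumed list; extend to taste).
TRUSTED_SEARCH_HOSTS = ("google.com", "yahoo.com", "bing.com", "ask.com")

# Prefs whose value is a URL a hijacker would rewrite, and what each one controls.
URL_PREFS = {"keyword.URL": "search",
             "browser.startup.homepage": "homepage",
             "network.proxy.autoconfig_url": "proxy"}


def _parse_value(raw):
    raw = raw.strip()
    if raw.startswith('"'):
        return json.loads(raw)   # JS string escapes overlap JSON's for the usual cases
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_prefs(text):
    """Return {pref name: value} for every user_pref line; a repeated key keeps the last value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def host_of(url):
    # Pasted logs are often defanged (hxxp://); accept that form too.
    return (urlsplit(url.replace("hxxp", "http", 1)).hostname or "").lower()


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SEARCH_HOSTS)


def audit_prefs(text):
    """Parse prefs.js text; return {"prefs": {...}, "findings": [{severity, key, detail}]}."""
    prefs = parse_prefs(text)
    findings = []
    for key, kind in URL_PREFS.items():
        if not isinstance(prefs.get(key), str):
            continue
        host = host_of(prefs[key])
        if kind == "search" and not is_trusted(host):
            findings.append({"severity": "high", "key": key,
                             "detail": f"search keyword URL points at untrusted host {host!r}"})
        elif kind == "proxy":
            findings.append({"severity": "high", "key": key,
                             "detail": f"proxy auto-config script fetched from {host!r}"})
        else:
            findings.append({"severity": "info", "key": key, "detail": f"{kind} host {host!r}"})
    # network.proxy.type: 0 = no proxy, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system.
    ptype = prefs.get("network.proxy.type", 0)
    if ptype != 0:
        findings.append({"severity": "medium", "key": "network.proxy.type",
                         "detail": f"proxy type {ptype} set; verify it is intentional"})
    return {"prefs": prefs, "findings": findings}


# Sample 1 mirrors the FF prefs ComboFix listed for this machine (engine Yahoo,
# homepage sluggy.com). Sample 2 is constructed to show a hijacked profile.
CLEAN_SAMPLE = '''
user_pref("browser.search.selectedEngine", "Yahoo");
user_pref("browser.startup.homepage", "http://www.sluggy.com/");
user_pref("keyword.URL", "http://search.yahoo.com/search?ei=utf-8&fr=megaup&p=");
user_pref("network.proxy.type", 0);
'''

HIJACKED_SAMPLE = '''
user_pref("browser.startup.homepage", "http://www.sluggy.com/");
user_pref("keyword.URL", "http://search.example-hijack.invalid/?q=");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://pac.example-hijack.invalid/proxy.pac");
'''

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("hijacked", HIJACKED_SAMPLE)):
        print(f"== {name} ==")
        for f in audit_prefs(sample)["findings"]:
            print(f"  [{f['severity']}] {f['key']}: {f['detail']}")
```

Point `audit_prefs` at the text of `prefs.js` from the profile folder under `Application Data\Mozilla\Firefox\Profiles` before deleting it. A clean profile yields only `info` lines; anything `high` names the host to look up. A prefs.js that looks clean while the redirect persists shifts suspicion to an extension or plugin in the same profile, which is what the reinstall above removes wholesale.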

#15 Dalrint
  • Topic Starter
  • Members
  • 13 posts

Posted 25 June 2009 - 11:19 AM

Uninstalling and reinstalling Firefox seems to have fixed it. Again.

...

Can you leave this topic open for a few days in case it comes back again, please?



