
Mostly cleaned, but still have browser redirects


18 replies to this topic

#1 cstone

cstone

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:02 AM

Posted 23 June 2009 - 10:30 PM

I have a friend's family PC that I cleaned last week using AdAware, Spybot, and AVG. Gave it back to them...within 2 days they had "System Security" virus and various other things. I cleaned again and also used Malwarebytes Anti-Malware per instructions on Bleeping Computer. All seems clean, except still getting browser redirects....plus a few registry entries seem locked and Anti-Malware doesn't remove them (though it says it does) and RegEdit says they're not accessible.

Thanks very much in advance for your help.

Log is here:

DDS (Ver_09-05-14.01) - NTFSx86
Run by susan gillespie at 23:17:18.50 on Tue 06/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.492 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\susan gillespie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uWindow Title = Microsoft Internet Explorer powered by Verizon Broadband
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=MbiL.6VPZ3DEBXGICocLqg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://dist.belnk.com/4/message/613/py/dashbar.html?q=cD0yMTQmZD0xODk4MCZlbD0xJnc9UWZnTUxncjFCSkVBQUEtWERQRQ%3D%3D
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {2D51D869-C36B-42BD-AE68-0A81BC771FA5} - No File
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [QuickTime Task] "c:\program files\quicktime\bak\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunServices: [freestyle] lockx.exe
mRunServices: [strtas] lo71.exe
mRunServices: [cdromsys.exe] CdROM Drivers
mRunServices: [AOL Plaxo Support] PlaxoSoftware.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
StartupFolder: c:\docume~1\susang~1\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-19 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-18 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-18 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-18 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2005-10-16 2368]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-10-23 1119888]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-23 24652]

=============== Created Last 30 ================

2009-06-23 23:06 <DIR> --d----- c:\program files\Trend Micro
2009-06-23 22:23 <DIR> --d----- c:\docume~1\susang~1\applic~1\Systenance
2009-06-23 19:06 <DIR> --d----- c:\docume~1\susang~1\applic~1\Malwarebytes
2009-06-23 18:39 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 18:39 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 18:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 18:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 18:26 <DIR> --d----- c:\program files\Index.dat Analyzer
2009-06-21 15:29 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-21 15:29 1,409 a------- c:\windows\QTFont.for
2009-06-21 15:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\90668426
2009-06-21 15:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\10658434
2009-06-21 15:24 2 a------- C:\-589438286
2009-06-21 15:24 6 a------- c:\windows\system32\iphy.dll
2009-06-21 15:24 217 a------- c:\windows\system32\winset.ini
2009-06-20 08:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-06-20 08:24 375 a---h--- C:\IPH.PH
2009-06-19 17:35 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-19 08:19 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-19 08:17 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 08:16 <DIR> --d----- c:\program files\Lavasoft
2009-06-18 20:15 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-18 20:13 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-18 20:13 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-18 20:13 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-18 20:13 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-18 20:13 <DIR> --d----- c:\program files\AVG
2009-06-18 20:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 14:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2007-10-23 21:05 60,968 a------- c:\documents and settings\susan gillespie\GoToAssistDownloadHelper.exe
2005-04-10 22:19 156,160 a------- c:\program files\Welcome to Jupiter.ppt
2008-12-27 11:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122720081228\index.dat

============= FINISH: 23:19:16.87 ===============

Attached Files
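Added example, not from the thread and not part of DDS, Malwarebytes or any other tool named here: a small Python triage script over the "Pseudo HJT Report" lines of a DDS log like the one above. It flags what a log reviewer checks first: autorun values that name a program with no directory path (the four mRunServices entries in this log), domains added to the IE Trusted Zone, search/start-page settings pointing at hosts outside an allowlist, and orphaned "No File" registrations. The sample lines are copied from the log above, the allowlists are constructed for the example, and a flag is a review item, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a dozen lines copied from the Pseudo HJT Report
# section of the DDS log posted above (not the full report).
SAMPLE_REPORT = r"""uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=MbiL.6VPZ3DEBXGICocLqg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRunServices: [freestyle] lockx.exe
mRunServices: [strtas] lo71.exe
mRunServices: [cdromsys.exe] CdROM Drivers
mRunServices: [AOL Plaxo Support] PlaxoSoftware.exe
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
"""

# Hosts the reviewer accepts as normal search/start-page destinations
# (constructed allowlist for this example; extend per environment).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.yahoo.com", "www.dell4me.com"}
# Trusted Zone domains the reviewer has explicitly accepted (none here).
KNOWN_TRUSTED_ZONE = set()

# uRun / mRun / dRun / mRunServices lines: "<key>: [<name>] <command>"
RUN_RE = re.compile(r"^([umd]Run(?:Services|Once)?): \[(.*?)\] (.*)$")
# DDS defangs URLs as hxxp://; capture the host of each one on a line.
URL_HOST_RE = re.compile(r"hxxps?://([^/?&]+)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # the DDS line that triggered the finding
    reason: str


def executable_of(command: str) -> str:
    """Return the program part of an autorun command line.

    A quoted command keeps everything inside the first quote pair;
    otherwise the first whitespace-separated token is the program."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def review_line(line: str) -> List[Finding]:
    findings: List[Finding] = []
    if line.endswith("- No File"):
        findings.append(Finding("low", line,
            "orphaned registration (CLSID with no DLL); cleanup candidate"))
        return findings
    m = RUN_RE.match(line)
    if m:
        key, _name, command = m.groups()
        exe = executable_of(command)
        if "\\" not in exe:
            # No directory means Windows resolves the name via the search
            # path, which legitimate installers almost never rely on; the
            # legacy RunServices key is rarer still on XP, so rank it higher.
            sev = "high" if "RunServices" in key else "medium"
            findings.append(Finding(sev, line,
                f"{key} launches '{exe}' without a full path"))
        return findings
    if line.startswith("Trusted Zone: "):
        domain = line[len("Trusted Zone: "):].strip()
        if domain not in KNOWN_TRUSTED_ZONE:
            findings.append(Finding("medium", line,
                f"unrecognised domain '{domain}' in IE Trusted Zone"))
        return findings
    # uStart Page, uSearch*, uDefault_Page_URL style browser settings.
    if line.startswith("u") and " = hxxp" in line:
        hosts = URL_HOST_RE.findall(line)
        # The first host is the outer URL; a redirector to another search
        # engine (like the ask.com url= parameter above) lives there.
        if hosts and hosts[0].lower() not in KNOWN_SEARCH_HOSTS:
            findings.append(Finding("medium", line,
                f"browser search/start setting points at '{hosts[0]}'"))
    return findings


def review_report(text: str) -> List[Finding]:
    out: List[Finding] = []
    for raw in text.splitlines():
        out.extend(review_line(raw.strip()))
    return out


if __name__ == "__main__":
    for f in review_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it reports the four pathless mRunServices programs as high, the two Trusted Zone domains and the mywebsearch redirector as medium, and the two "No File" orphans as low.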





#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:02 PM

Posted 27 June 2009 - 02:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 cstone

cstone
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:02 AM

Posted 28 June 2009 - 04:53 PM

Thank you for your help. DDS.txt is below and Attach.txt is attached.

I had several issues, including the "System Security" virus; the mouse/keyboard would occasionally freeze, requiring a reboot. I have cleaned with AdAware, Spybot, AVG, and Malwarebytes Anti-Malware.

I am still having problems with browser redirects. Also Anti-Malware says it removes 4 Registry keys, but does not. Manual attempts to edit/remove these 4 keys result in a message saying "Cannot open...Error while opening key" in Regedit.

HKEY_CLASSES_ROOT\toolbar.tb (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Thanks again for your help
Charlie






DDS (Ver_09-05-14.01) - NTFSx86
Run by susan gillespie at 17:26:31.54 on Sun 06/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.341 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\susan gillespie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uWindow Title = Microsoft Internet Explorer powered by Verizon Broadband
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=MbiL.6VPZ3DEBXGICocLqg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://dist.belnk.com/4/message/613/py/dashbar.html?q=cD0yMTQmZD0xODk4MCZlbD0xJnc9UWZnTUxncjFCSkVBQUEtWERQRQ%3D%3D
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {2D51D869-C36B-42BD-AE68-0A81BC771FA5} - No File
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [QuickTime Task] "c:\program files\quicktime\bak\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunServices: [freestyle] lockx.exe
mRunServices: [strtas] lo71.exe
mRunServices: [cdromsys.exe] CdROM Drivers
mRunServices: [AOL Plaxo Support] PlaxoSoftware.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
StartupFolder: c:\docume~1\susang~1\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-19 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-18 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-18 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-18 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2005-10-16 2368]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-10-23 1119888]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-23 24652]

=============== Created Last 30 ================

2009-06-23 23:06 <DIR> --d----- c:\program files\Trend Micro
2009-06-23 22:23 <DIR> --d----- c:\docume~1\susang~1\applic~1\Systenance
2009-06-23 19:06 <DIR> --d----- c:\docume~1\susang~1\applic~1\Malwarebytes
2009-06-23 18:39 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 18:39 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 18:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 18:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 18:26 <DIR> --d----- c:\program files\Index.dat Analyzer
2009-06-21 15:29 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-21 15:29 1,409 a------- c:\windows\QTFont.for
2009-06-21 15:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\90668426
2009-06-21 15:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\10658434
2009-06-21 15:24 2 a------- C:\-589438286
2009-06-21 15:24 6 a------- c:\windows\system32\iphy.dll
2009-06-21 15:24 217 a------- c:\windows\system32\winset.ini
2009-06-20 08:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-06-20 08:24 375 a---h--- C:\IPH.PH
2009-06-19 17:35 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-19 08:19 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-19 08:17 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 08:16 <DIR> --d----- c:\program files\Lavasoft
2009-06-18 20:15 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-18 20:13 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-18 20:13 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-18 20:13 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-18 20:13 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-18 20:13 <DIR> --d----- c:\program files\AVG
2009-06-18 20:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 14:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2007-10-23 21:05 60,968 a------- c:\documents and settings\susan gillespie\GoToAssistDownloadHelper.exe
2005-04-10 22:19 156,160 a------- c:\program files\Welcome to Jupiter.ppt
2008-12-27 11:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122720081228\index.dat

============= FINISH: 17:28:24.43 ===============

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 AM

Posted 30 June 2009 - 04:19 AM

Hi cstone,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  • I see on your log that PartyPoker is installed on your computer:

    This program is known to be related to adware/spyware. More information here: http://www.bleepingcomputer.com/uninstall/...PartyPoker.html
    http://www.spywaredata.com/spyware/threat_...OKER/result.php
    http://research.sunbelt-software.com/threa...;threatid=44086
    To uninstall it:
    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Programs and Features" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    PartyPoker

    Also remove the folder in bold: C:\Program Files\PartyGaming

  • I see on your log that Pokerstar is installed on your computer:

    This program is known to be related to adware/spyware. More information here: http://www.bleepingcomputer.com/uninstall/...rStars.net.html
    Please uninstall the following via Add/Remove programs in Control Panel:

    PokerStars

    Also remove the folder in bold: C:\Program Files\PokerStars

  • Optional: Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are not using it:

    Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  • You still have some leftovers from an incompletely uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


#5 cstone

cstone
  • Topic Starter

  • Members
  • 9 posts
  • Local time: 02:02 AM

Posted 30 June 2009 - 08:54 AM

Thank you very much for your ongoing help. I have completed the steps you outlined and ComboFix log is below:

===========

ComboFix 09-06-29.04 - susan gillespie 06/30/2009 9:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -4:00]
Running from: c:\documents and settings\susan gillespie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\drivers\SKYNETtjndomlx.sys
c:\windows\system32\iphy.dll
c:\windows\system32\mlfcache.dat
c:\windows\system32\SKYNETdtfsyuya.dat
c:\windows\system32\SKYNETjxqcdely.dll
c:\windows\system32\SKYNETjyrnarvv.dat
c:\windows\system32\SKYNETxkamnbak.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETtvujdvct
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 13:12 . 2009-06-30 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-24 12:22 . 2009-06-24 12:22 -------- d-----w- C:\rsit
2009-06-24 03:06 . 2009-06-24 03:06 -------- d-----w- c:\program files\Trend Micro
2009-06-24 02:23 . 2009-06-24 02:23 -------- d-----w- c:\documents and settings\susan gillespie\Application Data\Systenance
2009-06-23 23:06 . 2009-06-23 23:06 -------- d-----w- c:\documents and settings\susan gillespie\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 22:28 . 2009-06-23 22:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Systenance
2009-06-23 22:26 . 2009-06-23 22:26 -------- d-----w- c:\program files\Index.dat Analyzer
2009-06-23 22:23 . 2009-06-23 22:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-21 19:25 . 2009-06-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\90668426
2009-06-21 19:25 . 2009-06-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\10658434
2009-06-20 12:25 . 2009-06-20 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-06-19 21:35 . 2009-06-19 12:19 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-19 12:19 . 2009-06-19 12:18 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-19 12:19 . 2009-06-29 12:19 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-19 12:19 . 2009-06-29 12:19 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-19 12:19 . 2009-06-29 12:19 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-19 12:19 . 2009-06-29 12:19 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-19 12:19 . 2009-06-19 12:19 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-19 12:19 . 2009-06-29 12:19 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-19 12:19 . 2009-06-29 12:19 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-19 12:18 . 2009-06-29 12:19 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-19 12:18 . 2009-06-29 12:19 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-19 12:18 . 2009-06-29 12:19 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-19 12:18 . 2009-06-19 12:18 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-19 12:18 . 2009-06-29 12:19 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-19 12:18 . 2009-06-29 12:19 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-19 12:18 . 2009-06-29 12:19 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-19 12:18 . 2009-06-29 12:19 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-19 12:18 . 2009-06-29 12:19 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-19 12:18 . 2009-06-29 12:19 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-19 12:18 . 2009-06-29 12:19 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-19 12:18 . 2009-06-29 12:19 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-19 12:17 . 2009-06-19 12:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 12:17 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-19 12:16 . 2009-06-19 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-19 12:16 . 2009-06-19 12:16 -------- d-----w- c:\program files\Lavasoft
2009-06-19 00:13 . 2009-06-30 13:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-19 00:13 . 2009-06-19 00:13 -------- d-----w- c:\program files\AVG
2009-06-19 00:12 . 2009-06-19 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 13:13 . 2004-09-09 15:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-30 13:09 . 2004-09-09 15:04 -------- d-----w- c:\program files\Viewpoint
2009-06-30 13:09 . 2004-09-09 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-30 04:00 . 2005-10-10 18:58 -------- d-----w- c:\program files\Greetings Workshop
2009-06-23 21:04 . 2007-10-18 21:24 98624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-20 12:28 . 2007-05-29 18:23 -------- d-----w- c:\program files\AIM6
2009-06-20 12:24 . 2005-12-14 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-19 16:56 . 2006-03-28 00:14 -------- d-----w- c:\program files\QuickTime
2009-06-19 02:52 . 2006-08-21 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 02:00 . 2006-03-28 00:12 -------- d-----w- c:\program files\iTunes
2009-05-19 05:36 . 2009-06-20 12:24 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-20 12:24 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-20 12:24 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-20 12:24 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-20 12:24 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-20 12:24 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-20 12:24 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-20 12:24 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\documents and settings\tim gillespie\Application Data\Webroot
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 17:16 . 2008-02-05 07:47 13 ----a-w- c:\windows\A545-9E3C-04D5-9B1E.dat
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:56 . 2004-12-07 21:37 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2003-07-15 21:01 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 08:17 . 2004-09-09 15:04 70916 ----a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\ctem.sys
2005-04-11 02:19 . 2005-04-11 02:19 156160 ----a-w- c:\program files\Welcome to Jupiter.ppt
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-13 01:21 . 2006-08-01 19:35 67112 c:\program files\AIM\bak\aim.exe

2004-09-09 15:01 . 2004-05-26 03:35 335872 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2006-04-20 17:10 . 2006-04-20 17:10 50792 c:\program files\Common Files\AOL\1124562310\ee\bak\AOLSoftware.exe

2006-09-26 00:52 . 2006-09-26 00:52 50736 c:\program files\Common Files\AOL\Launch\bak\AOLLaunch.exe

2006-04-08 20:21 . 2006-04-08 20:21 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-08-19 06:01 . 2003-08-19 06:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2005-01-28 03:04 . 2005-12-12 19:37 71328 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2004-09-09 15:01 . 2004-04-11 16:43 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2004-09-09 15:02 . 2004-04-12 01:15 290816 c:\program files\Dell\Media Experience\bak\PCMService.exe

2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-07-11 16:35 . 2007-07-11 16:35 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

2006-01-27 04:37 . 2006-01-27 04:37 421888 c:\program files\Google\Picasa3\bak\PicasaMediaDetector.exe

2004-09-09 15:00 . 2004-03-23 17:16 135168 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

2004-09-09 15:01 . 2003-09-04 01:12 221184 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

2006-02-23 20:45 . 2006-02-23 20:45 278528 c:\program files\iTunes\bak\iTunesHelper.exe

2006-05-15 19:38 . 2005-04-13 07:48 36975 c:\program files\Java\jre1.5.0_03\bin\bak\jusched.exe

2004-09-09 15:16 . 2005-03-15 12:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

2004-09-09 15:16 . 2005-03-15 12:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

2005-12-14 22:21 . 2005-11-15 20:55 179784 c:\program files\Plaxo\2.5.10.17\bak\PlaxoHelper.exe

2006-03-28 00:15 . 2006-03-28 00:15 155648 c:\program files\QuickTime\bak\qttask.exe

2005-12-14 02:24 . 2004-09-24 20:39 20480 c:\program files\SecretSmileys\bak\ss.exe

2007-10-23 21:17 . 2007-10-25 02:27 1169 c:\program files\The Weather Channel FW\Desktop Weather\bak\app.html
2006-04-08 20:24 . 2007-09-11 00:52 1169 c:\program files\The Weather Channel FW\Desktop Weather\app.html

2006-04-08 20:23 . 2006-04-19 13:30 728176 c:\program files\The Weather Channel FW\Desktop Weather\bak\DesktopWeather.exe

2007-10-23 21:17 . 2007-10-25 02:27 165 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_app_scripts.js
2006-04-08 20:24 . 2007-09-11 00:52 165 c:\program files\The Weather Channel FW\Desktop Weather\dw_app_scripts.js

2007-10-23 21:17 . 2007-10-25 02:27 2058 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_fscommand.js
2006-04-08 20:24 . 2007-09-11 00:52 2058 c:\program files\The Weather Channel FW\Desktop Weather\dw_fscommand.js

2007-10-23 21:17 . 2007-10-25 02:27 1055 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_home_local_scripts.js
2006-04-08 20:24 . 2007-09-11 00:52 1055 c:\program files\The Weather Channel FW\Desktop Weather\dw_home_local_scripts.js

2007-10-23 21:17 . 2007-10-25 02:27 140 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_up.js
2006-04-08 20:24 . 2007-08-31 01:34 140 c:\program files\The Weather Channel FW\Desktop Weather\dw_up.js

2007-10-23 21:17 . 2007-10-25 02:27 10514 c:\program files\The Weather Channel FW\Desktop Weather\bak\ext.js
2006-04-08 20:24 . 2007-09-11 00:52 10514 c:\program files\The Weather Channel FW\Desktop Weather\ext.js

2007-10-23 21:17 . 2007-10-25 02:27 873 c:\program files\The Weather Channel FW\Desktop Weather\bak\index_local.html
2006-04-08 20:24 . 2007-09-11 00:52 873 c:\program files\The Weather Channel FW\Desktop Weather\index_local.html

2007-10-23 21:17 . 2007-10-25 02:27 1093 c:\program files\The Weather Channel FW\Desktop Weather\bak\no_connection_frame.html
2006-04-08 20:24 . 2007-09-11 00:52 1093 c:\program files\The Weather Channel FW\Desktop Weather\no_connection_frame.html

2007-10-23 21:17 . 2007-10-25 02:27 526 c:\program files\The Weather Channel FW\Desktop Weather\bak\query_prams.js
2006-04-08 20:24 . 2007-09-11 00:52 526 c:\program files\The Weather Channel FW\Desktop Weather\query_prams.js

2005-01-27 20:32 . 2004-08-23 22:34 385024 c:\program files\Verizon Online\Support Center\SmartBridge\bak\MotiveSB.exe

2002-08-29 10:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 10:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2004-09-09 15:03 . 2004-03-15 06:04 122933 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" [2006-03-28 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-27 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-19 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [N/A]

c:\documents and settings\susan gillespie\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk.disabled [2005-10-10 692]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-10-24 01:05 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-19 00:13 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Support Center.lnk
backup=c:\windows\pss\Broadband Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Card Companion Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Media Card Companion Monitor.lnk
backup=c:\windows\pss\Media Card Companion Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Windows Logon Managements"=2 (0x2)
"WANMiniportService"=2 (0x2)
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"freestyle"=lockx.exe
"strtas"=lo71.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [6/19/2009 8:19 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/18/2009 8:13 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/18/2009 8:13 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/18/2009 8:13 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [10/16/2005 7:48 PM 2368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/23/2008 8:56 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:19]

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=MbiL.6VPZ3DEBXGICocLqg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://dist.belnk.com/4/message/613/py/dashbar.html?q=cD0yMTQmZD0xODk4MCZlbD0xJnc9UWZnTUxncjFCSkVBQUEtWERQRQ%3D%3D
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\susan gillespie\Application Data\Mozilla\Firefox\Profiles\ltnrgeld.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 09:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\AOL\Loader\aolload.exe
.
**************************************************************************
.
Completion time: 2009-06-30 9:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 13:43

Pre-Run: 117,917,995,008 bytes free
Post-Run: 117,995,720,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

305 --- E O F --- 2009-06-20 22:40

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender: Male
  • Location: The Netherlands
  • Local time: 08:02 AM

Posted 30 June 2009 - 10:15 AM

Well done. :thumbup2:

Go to Start > Run, copy/paste the following line into the Run box and click OK.

cmd /c (dir /a /s "c:\lockx.exe" & dir /a /s "c:\lo71.exe") >log.txt&log.txt&del log.txt

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

#7 cstone

cstone
  • Topic Starter

  • Members
  • 9 posts
  • Local time: 02:02 AM

Posted 30 June 2009 - 04:53 PM

Done. Resulting text file is:

Volume in drive C has no label.
Volume Serial Number is DCDD-E2B2
Volume in drive C has no label.
Volume Serial Number is DCDD-E2B2

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender: Male
  • Location: The Netherlands
  • Local time: 08:02 AM

Posted 30 June 2009 - 05:26 PM

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    DDS::
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=MbiL.6VPZ3DEBXGICocLqg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
    Trusted Zone: doginhispen.com
    Trusted Zone: whataboutadog.com
    Trusted Zone: whataboutarabit.com
    BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {2D51D869-C36B-42BD-AE68-0A81BC771FA5} - No File
    TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
    TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRunServices: [freestyle] lockx.exe
    mRunServices: [strtas] lo71.exe
    uURLSearchHooks: H - No File
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    RegLockDel::
    [HKEY_CLASSES_ROOT\toolbar.tb]
    [HKEY_CLASSES_ROOT\toolbar.tb.1]
    [HKEY_CLASSES_ROOT\xml.xml]
    [HKEY_CLASSES_ROOT\xml.xml.1]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Tell me also if you still get redirected. If yes, does it occur both in IE and Firefox?
Please include in your next reply:
  • The Combofix log.
  • The log of MBAM.
  • Answer to the question.
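
As an added example (not code from this thread, from ComboFix or from the helper), the following Python pass reads the ComboFix log layout posted above and flags the kinds of entries the search command and the CFScript targeted: Run values whose file is missing ([N/A]), values launched from a \bak\ folder, bare file names with no directory under RunServices, and domains sitting in the IE Trusted Zone. SAMPLE_LOG is a constructed excerpt in that layout, and the four rules are this example's own triage heuristics, not ComboFix logic.

```python
"""Triage autostart and IE-zone lines from a ComboFix log (added example).

Reads "Reg Loading Points" and "Supplementary Scan" lines in the layout
ComboFix used in this thread and flags:
  * a Run value whose target file is missing            ([N/A])
  * a Run value pointing into a ...\bak\ folder (the AWF section lists
    originals moved aside into such folders)
  * an autostart value that is a bare file name, no directory
  * domains placed in the IE Trusted Zone
SAMPLE_LOG is a constructed excerpt; the rules are this example's heuristics.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: same layout as the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" [2006-03-28 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-19 1948440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"freestyle"=lockx.exe
"strtas"=lo71.exe

uStart Page = hxxp://www.yahoo.com/
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
# target, optionally quoted, optionally followed by ComboFix's "[date size]" or "[N/A]"
TARGET_RE = re.compile(r'^"?(?P<target>[^"]*?)"?(?:\s+\[(?P<meta>[^\]]*)\])?$')
ZONE_RE = re.compile(r"^Trusted Zone:\s*(?P<domain>\S+)$")


@dataclass(frozen=True)
class Finding:
    location: str   # registry key, or "IE Trusted Zone"
    name: str       # value name, or the domain
    target: str     # file the entry launches (empty for zone entries)
    reason: str


def parse_autostarts(log_text):
    """Yield (key, name, target, meta) for every "name"=target line under a [key]."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            tm = TARGET_RE.match(vm.group("rest").strip())
            if tm:
                yield key, vm.group("name"), tm.group("target"), tm.group("meta")


def triage(log_text):
    """Return the entries a reviewer would look at first, each with its reason."""
    findings = []
    for key, name, target, meta in parse_autostarts(log_text):
        low = target.lower()
        if meta == "N/A":
            findings.append(Finding(key, name, target,
                                    "target file missing ([N/A]): orphaned autostart"))
        elif "\\bak\\" in low:
            findings.append(Finding(key, name, target,
                                    "launches from a bak folder: original binary moved aside"))
        elif "\\" not in low and "/" not in low:
            findings.append(Finding(key, name, target,
                                    "bare file name, no directory: resolved by path search"))
    for raw in log_text.splitlines():
        zm = ZONE_RE.match(raw.strip())
        if zm:
            findings.append(Finding("IE Trusted Zone", zm.group("domain"), "",
                                    "domain granted Trusted Zone privileges in IE"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<58} {f.location} :: {f.name} {f.target}".rstrip())
```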


#9 cstone

cstone
  • Topic Starter

  • Members
  • 9 posts
  • Local time: 02:02 AM

Posted 30 June 2009 - 10:27 PM

Thanks for your continuing help. Steps completed.

1. ComboFix log below
2. MBAM log below
3. Am I still getting redirects? Answer: No...I can't make it happen, so looks like that's fixed.

One problem...MBAM says it removes the 4 formerly locked registry entries listed as problems below...but in fact, it does not. On subsequent runs, it still finds them. If I try to manually delete them using RegEdit, I get the following error:
Cannot delete XML.XML: Error while deleting key.

Thanks
Charlie


==ComboFix Log===============================
ComboFix 09-06-29.07 - susan gillespie 06/30/2009 20:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.497 [GMT -4:00]
Running from: c:\documents and settings\susan gillespie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\susan gillespie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-30 13:12 . 2009-06-30 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-24 12:22 . 2009-06-24 12:22 -------- d-----w- C:\rsit
2009-06-24 03:06 . 2009-06-24 03:06 -------- d-----w- c:\program files\Trend Micro
2009-06-24 02:23 . 2009-06-24 02:23 -------- d-----w- c:\documents and settings\susan gillespie\Application Data\Systenance
2009-06-23 23:06 . 2009-06-23 23:06 -------- d-----w- c:\documents and settings\susan gillespie\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 22:28 . 2009-06-23 22:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Systenance
2009-06-23 22:26 . 2009-06-23 22:26 -------- d-----w- c:\program files\Index.dat Analyzer
2009-06-23 22:23 . 2009-06-23 22:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-21 19:25 . 2009-06-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\90668426
2009-06-21 19:25 . 2009-06-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\10658434
2009-06-20 12:25 . 2009-06-20 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-06-19 21:35 . 2009-06-19 12:19 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-19 12:19 . 2009-06-19 12:18 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-19 12:19 . 2009-06-29 12:19 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-19 12:19 . 2009-06-29 12:19 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-19 12:19 . 2009-06-29 12:19 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-19 12:19 . 2009-06-29 12:19 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-19 12:19 . 2009-06-19 12:19 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-19 12:19 . 2009-06-29 12:19 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-19 12:19 . 2009-06-29 12:19 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-19 12:18 . 2009-06-29 12:19 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-19 12:18 . 2009-06-29 12:19 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-19 12:18 . 2009-06-29 12:19 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-19 12:18 . 2009-06-19 12:18 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-19 12:18 . 2009-06-29 12:19 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-19 12:18 . 2009-06-29 12:19 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-19 12:18 . 2009-06-29 12:19 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-19 12:18 . 2009-06-29 12:19 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-19 12:18 . 2009-06-29 12:19 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-19 12:18 . 2009-06-29 12:19 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-19 12:18 . 2009-06-29 12:19 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-19 12:18 . 2009-06-29 12:19 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-19 12:17 . 2009-06-19 12:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 12:17 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-19 12:16 . 2009-06-19 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-19 12:16 . 2009-06-19 12:16 -------- d-----w- c:\program files\Lavasoft
2009-06-19 00:13 . 2009-06-30 13:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-19 00:13 . 2009-06-19 00:13 -------- d-----w- c:\program files\AVG
2009-06-19 00:12 . 2009-06-19 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 13:13 . 2004-09-09 15:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-30 13:09 . 2004-09-09 15:04 -------- d-----w- c:\program files\Viewpoint
2009-06-30 13:09 . 2004-09-09 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-30 04:00 . 2005-10-10 18:58 -------- d-----w- c:\program files\Greetings Workshop
2009-06-23 21:04 . 2007-10-18 21:24 98624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-20 12:28 . 2007-05-29 18:23 -------- d-----w- c:\program files\AIM6
2009-06-20 12:24 . 2005-12-14 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-19 16:56 . 2006-03-28 00:14 -------- d-----w- c:\program files\QuickTime
2009-06-19 02:52 . 2006-08-21 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 02:00 . 2006-03-28 00:12 -------- d-----w- c:\program files\iTunes
2009-05-19 05:36 . 2009-06-20 12:24 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-20 12:24 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-20 12:24 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-20 12:24 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-20 12:24 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-20 12:24 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-20 12:24 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-20 12:24 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\documents and settings\tim gillespie\Application Data\Webroot
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 17:16 . 2008-02-05 07:47 13 ----a-w- c:\windows\A545-9E3C-04D5-9B1E.dat
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:56 . 2004-12-07 21:37 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2003-07-15 21:01 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 08:17 . 2004-09-09 15:04 70916 ----a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\ctem.sys
2005-04-11 02:19 . 2005-04-11 02:19 156160 ----a-w- c:\program files\Welcome to Jupiter.ppt
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_13.39.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 21:48 . 2009-06-30 21:48 16384 c:\windows\Temp\Perflib_Perfdata_78c.dat
+ 2009-06-30 21:48 . 2009-06-30 21:48 16384 c:\windows\Temp\Perflib_Perfdata_754.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-13 01:21 . 2006-08-01 19:35 67112 c:\program files\AIM\bak\aim.exe

2004-09-09 15:01 . 2004-05-26 03:35 335872 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2006-04-20 17:10 . 2006-04-20 17:10 50792 c:\program files\Common Files\AOL\1124562310\ee\bak\AOLSoftware.exe

2006-09-26 00:52 . 2006-09-26 00:52 50736 c:\program files\Common Files\AOL\Launch\bak\AOLLaunch.exe

2006-04-08 20:21 . 2006-04-08 20:21 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-08-19 06:01 . 2003-08-19 06:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2005-01-28 03:04 . 2005-12-12 19:37 71328 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2004-09-09 15:01 . 2004-04-11 16:43 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2004-09-09 15:02 . 2004-04-12 01:15 290816 c:\program files\Dell\Media Experience\bak\PCMService.exe

2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-07-11 16:35 . 2007-07-11 16:35 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

2006-01-27 04:37 . 2006-01-27 04:37 421888 c:\program files\Google\Picasa3\bak\PicasaMediaDetector.exe

2004-09-09 15:00 . 2004-03-23 17:16 135168 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

2004-09-09 15:01 . 2003-09-04 01:12 221184 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

2006-02-23 20:45 . 2006-02-23 20:45 278528 c:\program files\iTunes\bak\iTunesHelper.exe

2006-05-15 19:38 . 2005-04-13 07:48 36975 c:\program files\Java\jre1.5.0_03\bin\bak\jusched.exe

2004-09-09 15:16 . 2005-03-15 12:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

2004-09-09 15:16 . 2005-03-15 12:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

2005-12-14 22:21 . 2005-11-15 20:55 179784 c:\program files\Plaxo\2.5.10.17\bak\PlaxoHelper.exe

2006-03-28 00:15 . 2006-03-28 00:15 155648 c:\program files\QuickTime\bak\qttask.exe

2005-12-14 02:24 . 2004-09-24 20:39 20480 c:\program files\SecretSmileys\bak\ss.exe

2007-10-23 21:17 . 2007-10-25 02:27 1169 c:\program files\The Weather Channel FW\Desktop Weather\bak\app.html
2006-04-08 20:24 . 2007-09-11 00:52 1169 c:\program files\The Weather Channel FW\Desktop Weather\app.html

2006-04-08 20:23 . 2006-04-19 13:30 728176 c:\program files\The Weather Channel FW\Desktop Weather\bak\DesktopWeather.exe

2007-10-23 21:17 . 2007-10-25 02:27 165 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_app_scripts.js
2006-04-08 20:24 . 2007-09-11 00:52 165 c:\program files\The Weather Channel FW\Desktop Weather\dw_app_scripts.js

2007-10-23 21:17 . 2007-10-25 02:27 2058 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_fscommand.js
2006-04-08 20:24 . 2007-09-11 00:52 2058 c:\program files\The Weather Channel FW\Desktop Weather\dw_fscommand.js

2007-10-23 21:17 . 2007-10-25 02:27 1055 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_home_local_scripts.js
2006-04-08 20:24 . 2007-09-11 00:52 1055 c:\program files\The Weather Channel FW\Desktop Weather\dw_home_local_scripts.js

2007-10-23 21:17 . 2007-10-25 02:27 140 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_up.js
2006-04-08 20:24 . 2007-08-31 01:34 140 c:\program files\The Weather Channel FW\Desktop Weather\dw_up.js

2007-10-23 21:17 . 2007-10-25 02:27 10514 c:\program files\The Weather Channel FW\Desktop Weather\bak\ext.js
2006-04-08 20:24 . 2007-09-11 00:52 10514 c:\program files\The Weather Channel FW\Desktop Weather\ext.js

2007-10-23 21:17 . 2007-10-25 02:27 873 c:\program files\The Weather Channel FW\Desktop Weather\bak\index_local.html
2006-04-08 20:24 . 2007-09-11 00:52 873 c:\program files\The Weather Channel FW\Desktop Weather\index_local.html

2007-10-23 21:17 . 2007-10-25 02:27 1093 c:\program files\The Weather Channel FW\Desktop Weather\bak\no_connection_frame.html
2006-04-08 20:24 . 2007-09-11 00:52 1093 c:\program files\The Weather Channel FW\Desktop Weather\no_connection_frame.html

2007-10-23 21:17 . 2007-10-25 02:27 526 c:\program files\The Weather Channel FW\Desktop Weather\bak\query_prams.js
2006-04-08 20:24 . 2007-09-11 00:52 526 c:\program files\The Weather Channel FW\Desktop Weather\query_prams.js

2005-01-27 20:32 . 2004-08-23 22:34 385024 c:\program files\Verizon Online\Support Center\SmartBridge\bak\MotiveSB.exe

2002-08-29 10:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 10:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2004-09-09 15:03 . 2004-03-15 06:04 122933 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" [2006-03-28 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-27 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-19 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [N/A]

c:\documents and settings\susan gillespie\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk.disabled [2005-10-10 692]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-10-24 01:05 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-19 00:13 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Support Center.lnk
backup=c:\windows\pss\Broadband Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Card Companion Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Media Card Companion Monitor.lnk
backup=c:\windows\pss\Media Card Companion Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Windows Logon Managements"=2 (0x2)
"WANMiniportService"=2 (0x2)
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [6/19/2009 8:19 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/18/2009 8:13 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/18/2009 8:13 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/18/2009 8:13 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [10/16/2005 7:48 PM 2368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/23/2008 8:56 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:19]

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=MbiL.6VPZ3DEBXGICocLqg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://dist.belnk.com/4/message/613/py/dashbar.html?q=cD0yMTQmZD0xODk4MCZlbD0xJnc9UWZnTUxncjFCSkVBQUEtWERQRQ%3D%3D
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\susan gillespie\Application Data\Mozilla\Firefox\Profiles\ltnrgeld.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 20:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
Completion time: 2009-07-01 20:10
ComboFix-quarantined-files.txt 2009-07-01 00:10
ComboFix2.txt 2009-06-30 13:43

Pre-Run: 117,969,997,824 bytes free
Post-Run: 117,956,407,296 bytes free

263 --- E O F --- 2009-06-20 22:40

==MBAM Log==================================
Malwarebytes' Anti-Malware 1.38
Database version: 2357
Windows 5.1.2600 Service Pack 3

6/30/2009 11:18:51 PM
mbam-log-2009-06-30 (23-18-51).txt

Scan type: Quick Scan
Objects scanned: 127632
Time elapsed: 43 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.tb (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Farbar
  • Just Curious
  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 July 2009 - 05:14 AM

OK, we'll try once more to remove those entries.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

RegNull::
[HKEY_CLASSES_ROOT\toolbar.tb*]
[HKEY_CLASSES_ROOT\toolbar.tb.1*]
[HKEY_CLASSES_ROOT\xml.xml*]
[HKEY_CLASSES_ROOT\xml.xml.1*]
RegLockDel::
[HKEY_CLASSES_ROOT\toolbar.tb]
[HKEY_CLASSES_ROOT\toolbar.tb.1]
[HKEY_CLASSES_ROOT\xml.xml]
[HKEY_CLASSES_ROOT\xml.xml.1]
Registry::
[-HKEY_CLASSES_ROOT\toolbar.tb]
[-HKEY_CLASSES_ROOT\toolbar.tb.1]
[-HKEY_CLASSES_ROOT\xml.xml]
[-HKEY_CLASSES_ROOT\xml.xml.1]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


Please run MBAM or check to see if the registry entries are gone.
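
As an added example (mine, not part of this thread or of Malwarebytes' own tooling), here is a small parser for the MBAM log format shown in post #9 that compares two consecutive scans and lists every item the earlier scan claimed to have removed but the later scan found again. That is the symptom cstone reported ("it says it removes them, but on subsequent runs it still finds them") and the check asked for in this post. The two logs embedded in it are constructed for the example and modelled on the real one above; the section headings and status wordings are the ones MBAM prints.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample logs (not from the thread), modelled on the MBAM 1.38
# log format posted above. Run 1 reports four keys as removed; run 2 finds
# three of them again, which is the "it says it removes them but it does not"
# symptom. The status wordings are the ones MBAM itself uses.
LOG_RUN_1 = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2357
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 127632

Memory Processes Infected: 0
Registry Keys Infected: 4
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.tb (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

LOG_RUN_2 = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2357

Memory Processes Infected: 0
Registry Keys Infected: 3
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.tb (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Delete on reboot.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected:" opens a detail section; "Registry Keys Infected: 4"
# is the summary line and must not be mistaken for one.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# Greedy item group so a path containing " (x86)" still splits at the family.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<status>.+?)\.?$")

Detection = Tuple[str, str, str]  # (item, family, status)


def parse_mbam_log(text: str) -> Dict[str, List[Detection]]:
    """Return {section: [(item, family, status), ...]} for every detail section."""
    sections: Dict[str, List[Detection]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or not line or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            sections[current].append((m["item"], m["family"], m["status"]))
    return sections


def summary_counts(text: str) -> Dict[str, int]:
    """Return the per-section counts from the summary block at the top of the log."""
    return {m.group(1): int(m.group(2))
            for m in map(SUMMARY_RE.match, (ln.strip() for ln in text.splitlines())) if m}


def count_mismatches(text: str) -> List[str]:
    """Sections whose summary count disagrees with the items actually listed."""
    listed = parse_mbam_log(text)
    return sorted(name for name, n in summary_counts(text).items()
                  if n != len(listed.get(name, [])))


def removals_that_did_not_stick(earlier: str, later: str,
                                section: str = "Registry Keys Infected") -> List[str]:
    """Items the earlier log claimed to have removed that the later scan found again."""
    claimed_gone = {item for item, _, status in parse_mbam_log(earlier).get(section, [])
                    if status.startswith("Quarantined and deleted")}
    found_again = {item for item, _, _ in parse_mbam_log(later).get(section, [])}
    return sorted(claimed_gone & found_again)


if __name__ == "__main__":
    for key in removals_that_did_not_stick(LOG_RUN_1, LOG_RUN_2):
        print("still present after claimed removal:", key)
    print("summary/detail mismatches in run 2:", count_mismatches(LOG_RUN_2))
```

Run as a script it prints the three keys that came back. The two regexes tell the summary block ("Registry Keys Infected: 4") apart from the detail block ("Registry Keys Infected:") by the presence of a count after the colon, and count_mismatches flags a log whose summary disagrees with the items it lists, which is worth checking before trusting a "deleted successfully" line.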

#11 cstone
  • Topic Starter
  • Members
  • 9 posts

Posted 01 July 2009 - 07:25 AM

Thanks for following up again. I re-ran CF using the script... the log is posted below. I then checked using RegEdit and those registry folders are still present and cannot be deleted, but there are no keys/strings/settings under or inside those 4 folders other than the (default) REG_SZ, so I imagine they are now harmless.

The CF log is below... many thanks for your help. Let me know if you believe this is now clean. I also no longer have any issues with browser redirects.

Thanks
Charlie

ComboFix 09-06-29.07 - susan gillespie 07/01/2009 8:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -4:00]
Running from: c:\documents and settings\susan gillespie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\susan gillespie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-30 13:12 . 2009-06-30 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-24 12:22 . 2009-06-24 12:22 -------- d-----w- C:\rsit
2009-06-24 03:06 . 2009-06-24 03:06 -------- d-----w- c:\program files\Trend Micro
2009-06-24 02:23 . 2009-06-24 02:23 -------- d-----w- c:\documents and settings\susan gillespie\Application Data\Systenance
2009-06-23 23:06 . 2009-06-23 23:06 -------- d-----w- c:\documents and settings\susan gillespie\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 22:39 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 22:28 . 2009-06-23 22:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Systenance
2009-06-23 22:26 . 2009-06-23 22:26 -------- d-----w- c:\program files\Index.dat Analyzer
2009-06-23 22:23 . 2009-06-23 22:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-21 19:25 . 2009-06-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\90668426
2009-06-21 19:25 . 2009-06-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\10658434
2009-06-20 12:25 . 2009-06-20 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-06-19 21:35 . 2009-06-19 12:19 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-19 12:19 . 2009-06-19 12:18 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-19 12:19 . 2009-06-29 12:19 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-19 12:19 . 2009-06-29 12:19 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-19 12:19 . 2009-06-29 12:19 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-19 12:19 . 2009-06-29 12:19 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-19 12:19 . 2009-06-19 12:19 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-19 12:19 . 2009-06-29 12:19 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-19 12:19 . 2009-06-29 12:19 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-19 12:18 . 2009-06-29 12:19 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-19 12:18 . 2009-06-29 12:19 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-19 12:18 . 2009-06-29 12:19 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-19 12:18 . 2009-06-19 12:18 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-19 12:18 . 2009-06-29 12:19 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-19 12:18 . 2009-06-29 12:19 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-19 12:18 . 2009-06-29 12:19 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-19 12:18 . 2009-06-29 12:19 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-19 12:18 . 2009-06-29 12:19 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-19 12:18 . 2009-06-29 12:19 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-19 12:18 . 2009-06-29 12:19 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-19 12:18 . 2009-06-29 12:19 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-19 12:17 . 2009-06-19 12:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 12:17 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-19 12:16 . 2009-06-19 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-19 12:16 . 2009-06-19 12:16 -------- d-----w- c:\program files\Lavasoft
2009-06-19 00:13 . 2009-06-30 13:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-19 00:13 . 2009-06-19 00:13 -------- d-----w- c:\program files\AVG
2009-06-19 00:12 . 2009-06-19 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 13:13 . 2004-09-09 15:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-30 13:09 . 2004-09-09 15:04 -------- d-----w- c:\program files\Viewpoint
2009-06-30 13:09 . 2004-09-09 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-30 04:00 . 2005-10-10 18:58 -------- d-----w- c:\program files\Greetings Workshop
2009-06-23 21:04 . 2007-10-18 21:24 98624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-20 12:28 . 2007-05-29 18:23 -------- d-----w- c:\program files\AIM6
2009-06-20 12:24 . 2005-12-14 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-19 16:56 . 2006-03-28 00:14 -------- d-----w- c:\program files\QuickTime
2009-06-19 02:52 . 2006-08-21 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 02:00 . 2006-03-28 00:12 -------- d-----w- c:\program files\iTunes
2009-05-19 05:36 . 2009-06-20 12:24 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-20 12:24 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-20 12:24 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-20 12:24 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-20 12:24 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-20 12:24 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-20 12:24 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-20 12:24 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\documents and settings\tim gillespie\Application Data\Webroot
2009-05-09 12:04 . 2009-05-09 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 17:16 . 2008-02-05 07:47 13 ----a-w- c:\windows\A545-9E3C-04D5-9B1E.dat
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:56 . 2004-12-07 21:37 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2003-07-15 21:01 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 08:17 . 2004-09-09 15:04 70916 ----a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\ctem.sys
2005-04-11 02:19 . 2005-04-11 02:19 156160 ----a-w- c:\program files\Welcome to Jupiter.ppt
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_13.39.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-01 12:05 . 2009-07-01 12:05 16384 c:\windows\Temp\Perflib_Perfdata_774.dat
+ 2009-07-01 12:05 . 2009-07-01 12:05 16384 c:\windows\Temp\Perflib_Perfdata_744.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-13 01:21 . 2006-08-01 19:35 67112 c:\program files\AIM\bak\aim.exe

2004-09-09 15:01 . 2004-05-26 03:35 335872 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2006-04-20 17:10 . 2006-04-20 17:10 50792 c:\program files\Common Files\AOL\1124562310\ee\bak\AOLSoftware.exe

2006-09-26 00:52 . 2006-09-26 00:52 50736 c:\program files\Common Files\AOL\Launch\bak\AOLLaunch.exe

2006-04-08 20:21 . 2006-04-08 20:21 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-08-19 06:01 . 2003-08-19 06:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2005-01-28 03:04 . 2005-12-12 19:37 71328 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2004-09-09 15:01 . 2004-04-11 16:43 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2004-09-09 15:02 . 2004-04-12 01:15 290816 c:\program files\Dell\Media Experience\bak\PCMService.exe

2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-07-11 16:35 . 2007-07-11 16:35 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

2006-01-27 04:37 . 2006-01-27 04:37 421888 c:\program files\Google\Picasa3\bak\PicasaMediaDetector.exe

2004-09-09 15:00 . 2004-03-23 17:16 135168 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

2004-09-09 15:01 . 2003-09-04 01:12 221184 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

2006-02-23 20:45 . 2006-02-23 20:45 278528 c:\program files\iTunes\bak\iTunesHelper.exe

2006-05-15 19:38 . 2005-04-13 07:48 36975 c:\program files\Java\jre1.5.0_03\bin\bak\jusched.exe

2004-09-09 15:16 . 2005-03-15 12:58 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

2004-09-09 15:16 . 2005-03-15 12:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

2005-12-14 22:21 . 2005-11-15 20:55 179784 c:\program files\Plaxo\2.5.10.17\bak\PlaxoHelper.exe

2006-03-28 00:15 . 2006-03-28 00:15 155648 c:\program files\QuickTime\bak\qttask.exe

2005-12-14 02:24 . 2004-09-24 20:39 20480 c:\program files\SecretSmileys\bak\ss.exe

2007-10-23 21:17 . 2007-10-25 02:27 1169 c:\program files\The Weather Channel FW\Desktop Weather\bak\app.html
2006-04-08 20:24 . 2007-09-11 00:52 1169 c:\program files\The Weather Channel FW\Desktop Weather\app.html

2006-04-08 20:23 . 2006-04-19 13:30 728176 c:\program files\The Weather Channel FW\Desktop Weather\bak\DesktopWeather.exe

2007-10-23 21:17 . 2007-10-25 02:27 165 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_app_scripts.js
2006-04-08 20:24 . 2007-09-11 00:52 165 c:\program files\The Weather Channel FW\Desktop Weather\dw_app_scripts.js

2007-10-23 21:17 . 2007-10-25 02:27 2058 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_fscommand.js
2006-04-08 20:24 . 2007-09-11 00:52 2058 c:\program files\The Weather Channel FW\Desktop Weather\dw_fscommand.js

2007-10-23 21:17 . 2007-10-25 02:27 1055 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_home_local_scripts.js
2006-04-08 20:24 . 2007-09-11 00:52 1055 c:\program files\The Weather Channel FW\Desktop Weather\dw_home_local_scripts.js

2007-10-23 21:17 . 2007-10-25 02:27 140 c:\program files\The Weather Channel FW\Desktop Weather\bak\dw_up.js
2006-04-08 20:24 . 2007-08-31 01:34 140 c:\program files\The Weather Channel FW\Desktop Weather\dw_up.js

2007-10-23 21:17 . 2007-10-25 02:27 10514 c:\program files\The Weather Channel FW\Desktop Weather\bak\ext.js
2006-04-08 20:24 . 2007-09-11 00:52 10514 c:\program files\The Weather Channel FW\Desktop Weather\ext.js

2007-10-23 21:17 . 2007-10-25 02:27 873 c:\program files\The Weather Channel FW\Desktop Weather\bak\index_local.html
2006-04-08 20:24 . 2007-09-11 00:52 873 c:\program files\The Weather Channel FW\Desktop Weather\index_local.html

2007-10-23 21:17 . 2007-10-25 02:27 1093 c:\program files\The Weather Channel FW\Desktop Weather\bak\no_connection_frame.html
2006-04-08 20:24 . 2007-09-11 00:52 1093 c:\program files\The Weather Channel FW\Desktop Weather\no_connection_frame.html

2007-10-23 21:17 . 2007-10-25 02:27 526 c:\program files\The Weather Channel FW\Desktop Weather\bak\query_prams.js
2006-04-08 20:24 . 2007-09-11 00:52 526 c:\program files\The Weather Channel FW\Desktop Weather\query_prams.js

2005-01-27 20:32 . 2004-08-23 22:34 385024 c:\program files\Verizon Online\Support Center\SmartBridge\bak\MotiveSB.exe

2002-08-29 10:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 10:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2004-09-09 15:03 . 2004-03-15 06:04 122933 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" [2006-03-28 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-27 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-19 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [N/A]

c:\documents and settings\susan gillespie\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk.disabled [2005-10-10 692]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-10-24 01:05 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-19 00:13 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Support Center.lnk
backup=c:\windows\pss\Broadband Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Card Companion Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Media Card Companion Monitor.lnk
backup=c:\windows\pss\Media Card Companion Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Windows Logon Managements"=2 (0x2)
"WANMiniportService"=2 (0x2)
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [6/19/2009 8:19 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/18/2009 8:13 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/18/2009 8:13 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/18/2009 8:13 PM 298776]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [10/16/2005 7:48 PM 2368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/23/2008 8:56 PM 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:19]

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=MbiL.6VPZ3DEBXGICocLqg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://dist.belnk.com/4/message/613/py/dashbar.html?q=cD0yMTQmZD0xODk4MCZlbD0xJnc9UWZnTUxncjFCSkVBQUEtWERQRQ%3D%3D
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\susan gillespie\Application Data\Mozilla\Firefox\Profiles\ltnrgeld.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 08:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
Completion time: 2009-07-01 8:14
ComboFix-quarantined-files.txt 2009-07-01 12:14
ComboFix2.txt 2009-07-01 00:10
ComboFix3.txt 2009-06-30 13:43

Pre-Run: 117,965,676,544 bytes free
Post-Run: 117,953,753,088 bytes free

263 --- E O F --- 2009-06-20 22:40

#12 Farbar

    Just Curious

  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 July 2009 - 08:55 AM

Thanks for the feedback and you are welcome.

Those entries should basically do no harm in terms of malware activity and the logs look good. What I am concerned about is this:

Malwarebytes' Anti-Malware 1.38
....
....
Scan type: Quick Scan
Objects scanned: 127632
Time elapsed: 43 minute(s), 46 second(s)


A Quick Scan of MBAM should not take more than 5 minutes if the computer is fast and does not have too many applications.

But before giving you some advice on that please do this:
  • Open a notepad (Start > Run and type in Notepad ) make sure the wordwrap under Format menu is not selected.
    Copy and paste the text in code box into it.

    REGEDIT4
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Warning"=-
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. That would be:

      J2SE Runtime Environment 5.0 Update 3
      Java 2 Runtime Environment, SE v1.4.2_03
      Java 2 Runtime Environment, SE v1.4.2_06
      Java™ 6 Update 10

    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
  • I still see a service related to Viewpoint in the log. If you have decided not to uninstall Viewpoint it is okay, otherwise it is a leftover and we can delete it. Let me know about it.

  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply for a final review.


#13 cstone
  • Topic Starter

  • Members
  • 9 posts

Posted 01 July 2009 - 08:39 PM

Thanks for continuing to assist me. All done, except I was not able to delete ViewPointService.exe and its folder in C:\program files\... I will try rebooting into Safe Mode and deleting it after posting this. It is not listed in Add/Remove Programs.

Ran CCleaner...nice..will have to d/l and use on my other computers.

Below is HJT log...I see and have some concern about the BHO objects that say "no file", but maybe they're harmless if the referenced file is gone.

Thanks
Charlie

=====================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:44 PM, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dist.belnk.com/4/message/613/py/das...UEtWERQRQ%3D%3D
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7907 bytes

#14 Farbar

    Just Curious

  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 July 2009 - 03:26 AM

  • This should remove the Viewpoint service from the registry, as it remains in the registry even if you have already removed the folder. Go to Start > Run, copy/paste the following lines one by one into the Run box and click OK after each line.

    sc stop "Viewpoint Manager Service"
    sc delete "Viewpoint Manager Service"


  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R3 - URLSearchHook: ScriptInocUI Class - - (no file)
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Go to Start > Run and copy and paste or type the next command in the field, then hit Enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.
++++++++++++

About the slowness please consult this: Slow Computer/browser? Check Here First; It May Not Be Malware

A few tips from the given link I would certainly recommend:

1. Do a disk check to correct volume errors. To do that:

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
2. Defragment your computer now and do it in future regularly.

Please let me know if you have any question before we round off.
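As an added example that is not part of this thread, of HijackThis or of ComboFix, the Python below parses lines in the HijackThis format shown in the log above and flags the two things a reviewer looks for when checking a log like it: entries whose target reads "(no file)" (the four Farbar marks for Fix Checked), and Run-key targets that live under a folder named bak, as the QuickTime entry does and as the ComboFix AWF section lists. The sample log lines are constructed from entries posted above, and the function names and the bak heuristic are my own assumptions, not HijackThis behaviour.

```python
import re

# Constructed sample in HijackThis format, modelled on the log posted in this thread.
# It is an added example, not a file produced on the poster's machine.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
"""

NO_FILE = "(no file)"

# An HJT entry line starts with a section code (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")

# Body of an O4 entry: HKLM\..\Run: [Name] "path\to\program.exe" optional-args
RUN_TARGET_RE = re.compile(r'HK\w+\\\.\.\\Run: \[[^\]]*\]\s*"?([^"]+?\.exe)"?')


def parse_line(line):
    """Split one HJT line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def is_orphan(body):
    """True when the entry points at a file HijackThis could not find."""
    return body.rstrip().endswith(NO_FILE)


def run_target(body):
    """Return the executable path from an O4 Run entry body, or None."""
    m = RUN_TARGET_RE.match(body)
    return m.group(1) if m else None


def audit_hjt(log_text):
    """Return (section, reason, body) for every entry worth a second look.

    Two checks (both assumptions of this example, not HJT rules):
    - any entry whose target is "(no file)" is an orphaned registry reference;
    - any O4 Run target under a folder named "bak" is flagged for review.
    """
    findings = []
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        if is_orphan(body):
            findings.append((section, "orphaned entry (target file missing)", body))
        elif section == "O4":
            target = run_target(body)
            if target and "\\bak\\" in target.lower():
                findings.append((section, "autorun target inside a 'bak' folder", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in audit_hjt(SAMPLE_HJT_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run against the constructed sample, audit_hjt reports the five "(no file)" entries (two R3, two O2, one O9) and the QuickTime Run entry. Orphaned entries are the safe removals; a Run target in a bak folder is a prompt to look at the ComboFix AWF listing rather than a verdict.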

#15 cstone
  • Topic Starter

  • Members
  • 9 posts

Posted 02 July 2009 - 08:41 PM

Hi again...I have completed the steps you outlined.

Stopped Viewpoint, which allowed me to delete the ViewpointService.exe file and folders

Removed the HJT items...rescanned and confirmed that they are gone

Ran Defrag and CHKDSK (on reboot)

Re-ran MBAM...here's where the weirdness happens. You noticed it was taking a long time to run. So I watched it and noticed that it was going very slowly on scanning MANY entries...like a few seconds each on these:

c:\windows\downloaded program files\confict.139.\FP_AX_CAB_INSTALLER.exe [there were a couple hundred of these with ...\conflict.xxx\.... where xxx was between 1 and 200+

also, slow on scanning files like this:
c:\windows\assembly\gac\microsoft.jscript\11.0.0.0__71e9bci111e9429c\__AssemblyInfo__.ini


Now the weird part is...there are no files by these names on the PC at all. I turned on View Hidden/System folders/files and unchecked Hide Protected Operating System files....then looked in the Windows directory. These files/folders DO NOT exist, e.g. there is no directory GAC under C:\windows\assembly. Not visible anyway.

These are just 2 examples. For some reason, MBAM is trying to scan files that don't exist...or at least don't show up in Windows Explorer.

Thus, I suspect some kind of file structure corruption...even tho I just ran CHKDSK. I checked the Trash...not there.

Any ideas on this???

Thanks in advance.
Charlie
