Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search links hijacked


  • This topic is locked This topic is locked
8 replies to this topic

#1 yanmatt

yanmatt

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:37 PM

Posted 27 June 2009 - 01:47 PM

Yesterday I noticed that my google search links were being hijacked, I use primarily firefox, upon investigation I noticed that my bit defender anti virus program had expired a few days ago. I reactivated bit defender and ran malwarebytes, stop zilla, and super anti spyware. These program found problems but the hijacked links did not go away. Thanks in advance for your help.



DDS (Ver_09-06-26.01) - NTFSx86
Run by DELL at 12:32:49.17 on Sat 06/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.300 [GMT -6:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\HughesNet Tools\bin\mpbtn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DELL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://edition.cnn.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {E16DC1FE-7C34-43F2-B754-F3AD12DDF97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Motive SmartBridge] c:\progra~1\hughes~1\smartb~1\MotiveSB.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hughes~1.lnk - c:\program files\hughesnet tools\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232304016250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {7EAE40D1-91A6-4739-AE70-C5F11D7C2720} = 190.92.11.18,190.92.0.5
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dell\applic~1\mozilla\firefox\profiles\0i7polu1.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://edition.cnn.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-12 104328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S2 gupdate1c99c589ec7cb5e;Google Update Service (gupdate1c99c589ec7cb5e);c:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]

=============== Created Last 30 ================

2009-06-27 12:14 576 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-06-27 12:12 752 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-06-26 21:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-06-26 21:55 <DIR> --d----- c:\program files\STOPzilla!
2009-06-26 21:55 <DIR> --d----- c:\program files\common files\iS3
2009-06-26 21:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-06-26 19:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-26 19:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-26 19:49 <DIR> --d----- c:\docume~1\dell\applic~1\SUPERAntiSpyware.com
2009-06-26 19:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-26 17:26 850 a------- c:\windows\system32\ProductTweaks.xml
2009-06-26 17:26 385 a------- c:\windows\system32\user_gensett.xml
2009-06-26 17:21 <DIR> --d----- c:\docume~1\dell\applic~1\Malwarebytes
2009-06-26 17:21 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 17:21 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-26 17:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 17:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-26 14:35 <DIR> --d----- c:\docume~1\dell\applic~1\BitDefender
2009-06-26 14:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-05-28 14:16 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-05-28 14:15 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-05-28 14:14 540,672 a----r-- c:\windows\system32\SZComp5.dll

==================== Find3M ====================

2009-06-27 09:16 81,984 a------- c:\windows\system32\bdod.bin
2009-05-12 14:13 61,328 a----r-- c:\windows\system32\drivers\SZKG.sys

============= FINISH: 12:34:45.70 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:37 PM

Posted 27 June 2009 - 08:06 PM

Hello yanmatt,

Posted Image

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 yanmatt

yanmatt
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:37 PM

Posted 28 June 2009 - 08:02 AM

Thanks for your help!! Here are the two logs.


ComboFix 09-06-26.02 - DELL 06/28/2009 6:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.597 [GMT -6:00]
Running from: c:\documents and settings\DELL\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\SKYNETdqvxoxvp.sys
c:\windows\system32\SKYNETkyiqtmyp.dat
c:\windows\system32\SKYNETwcdrubsw.dll
c:\windows\system32\SKYNETwfshtupk.dll
c:\windows\system32\SKYNETwkjoveoe.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETbwemrsti


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-27 18:56 . 2009-06-27 18:58 -------- d-----w- C:\HJT
2009-06-27 03:58 . 2009-06-27 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-06-27 03:55 . 2009-06-27 03:55 -------- d-----w- c:\program files\STOPzilla!
2009-06-27 03:55 . 2009-06-28 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-27 03:55 . 2009-06-27 03:55 -------- d-----w- c:\program files\Common Files\iS3
2009-06-27 01:51 . 2009-06-28 12:02 117760 ----a-w- c:\documents and settings\DELL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 01:49 . 2009-06-27 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 01:49 . 2009-06-27 01:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 01:49 . 2009-06-27 01:49 -------- d-----w- c:\documents and settings\DELL\Application Data\SUPERAntiSpyware.com
2009-06-27 01:49 . 2009-06-27 01:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-26 23:21 . 2009-06-26 23:21 -------- d-----w- c:\documents and settings\DELL\Application Data\Malwarebytes
2009-06-26 23:21 . 2009-06-17 17:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 23:21 . 2009-06-26 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 23:21 . 2009-06-26 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 23:21 . 2009-06-17 17:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 20:35 . 2009-06-26 20:35 -------- d-----w- c:\documents and settings\DELL\Application Data\BitDefender
2009-06-26 20:35 . 2009-06-26 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-06-14 02:20 . 2009-06-14 02:20 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 12:35 . 2009-06-28 12:35 424 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-06-28 12:35 . 2009-06-28 12:34 608 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-06-28 12:33 . 2008-07-22 13:21 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-26 21:15 . 2008-06-07 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-26 20:35 . 2008-07-22 12:54 -------- d-----w- c:\program files\BitDefender
2009-06-26 20:35 . 2008-07-22 12:53 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-26 11:22 . 2008-06-07 20:03 -------- d-----w- c:\program files\Google
2009-05-28 20:16 . 2009-05-28 20:16 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-05-28 20:15 . 2009-05-28 20:15 294912 ----a-r- c:\windows\system32\SZBase5.dll
2009-05-28 20:14 . 2009-05-28 20:14 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-05-28 11:50 . 2009-05-28 11:50 488960 ----a-w- c:\documents and settings\DELL\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv302-0811070-0-main.dll
2009-05-28 11:50 . 2009-05-28 11:50 319488 ----a-w- c:\documents and settings\DELL\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-05-14 19:46 . 2009-05-14 19:46 25214 ----a-r- c:\documents and settings\DELL\Application Data\Microsoft\Installer\{7114A3D3-617B-42AC-BE03-1E47C062C687}\ARPPRODUCTICON.exe
2009-05-12 20:13 . 2009-05-12 20:13 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-05-09 20:39 . 2008-06-07 02:08 -------- d-----w- c:\program files\Microsoft Small Business
2009-05-09 20:31 . 2008-06-07 02:05 -------- d-----w- c:\program files\Microsoft SQL Server
2009-05-09 19:30 . 2008-10-04 04:27 -------- d-----w- c:\program files\Yahoo!
2009-05-09 19:22 . 2008-09-15 15:49 -------- d-----w- c:\program files\Duplicate Music Files Finder
2009-05-09 13:02 . 2009-05-09 04:37 -------- d-----w- c:\documents and settings\DELL\Application Data\Check Identical Files
2009-05-09 04:37 . 2009-05-09 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\DSNO
2009-05-09 04:30 . 2009-05-09 04:30 -------- d-----w- c:\documents and settings\DELL\Application Data\Reasonable Software House Ltd
2009-03-06 00:08 . 2009-06-26 20:44 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
[7] 2004-08-10 11:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe
[7] 2004-08-10 11:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[7] 2004-08-10 11:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\system32\user32.dll
[7] 2004-08-10 11:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\system32\dllcache\user32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[7] 2004-08-10 11:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll
[7] 2004-08-10 11:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\dllcache\ws2_32.dll

[7] 2008-04-21 06:56 666624 2E7DE1BF9418B071799EB53DE8CC22F5 c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[7] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[7] 2008-04-21 06:24 666624 26F240C250E5B4B395CB4B178BA75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[7] 2008-06-23 16:12 667136 611ACE3F4201E9610AF8452F7C268995 c:\windows\$hf_mig$\KB953838\SP2QFE\wininet.dll
[7] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll
[7] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
[7] 2004-08-10 11:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB950759$\wininet.dll
[7] 2008-04-21 07:04 659456 1EFB8A3EA8454AEC1BB8A240A2845598 c:\windows\$NtUninstallKB953838$\wininet.dll
[7] 2008-06-23 15:38 659456 9EEA04BC4C3FA521D256D89940FAB4DB c:\windows\SoftwareDistribution\Download\7266a4d025877b3f91e09ddc873eafd6\sp2gdr\wininet.dll
[7] 2008-06-23 16:12 667136 611ACE3F4201E9610AF8452F7C268995 c:\windows\SoftwareDistribution\Download\7266a4d025877b3f91e09ddc873eafd6\sp2qfe\wininet.dll
[7] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\SoftwareDistribution\Download\7266a4d025877b3f91e09ddc873eafd6\sp3gdr\wininet.dll
[7] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\SoftwareDistribution\Download\7266a4d025877b3f91e09ddc873eafd6\sp3qfe\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wininet.dll
[7] 2008-06-23 15:38 659456 9EEA04BC4C3FA521D256D89940FAB4DB c:\windows\system32\wininet.dll
[7] 2008-06-23 15:38 659456 9EEA04BC4C3FA521D256D89940FAB4DB c:\windows\system32\dllcache\wininet.dll

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-10 11:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[7] 2004-08-10 11:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe
[7] 2004-08-10 11:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[7] 2004-08-10 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys
[7] 2004-08-10 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
[7] 2004-08-10 11:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\dllcache\ip6fw.sys
[7] 2004-08-10 11:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntkrnlpa.exe
[7] 2004-08-10 11:00 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\system32\ntkrnlpa.exe

[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[7] 2004-08-10 11:00 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\system32\ntoskrnl.exe

[7] 2004-08-10 11:00 1032192 A0732187050030AE399B241436565E64 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[7] 2004-08-10 11:00 1032192 A0732187050030AE399B241436565E64 c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe
[7] 2004-08-10 11:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\system32\services.exe
[7] 2004-08-10 11:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\system32\dllcache\services.exe

[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe
[7] 2004-08-10 11:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe
[7] 2004-08-10 11:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\dllcache\lsass.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
[7] 2004-08-10 11:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe
[7] 2004-08-10 11:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
[7] 2004-08-10 11:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\system32\spoolsv.exe
[7] 2004-08-10 11:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wuauclt.exe
[7] 2007-07-31 01:19 53080 F3E9065EB617A7E3A832A7976BFA021B c:\windows\system32\wuauclt.exe
[7] 2007-07-31 01:19 53080 F3E9065EB617A7E3A832A7976BFA021B c:\windows\system32\dllcache\wuauclt.exe

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
[7] 2004-08-10 11:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe
[7] 2004-08-10 11:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\dllcache\userinit.exe

[7] 2004-08-10 11:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtUninstallKB895961$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
[7] 2005-03-10 07:49 295424 C29A5286E64D97385178452D5F307B98 c:\windows\system32\termsrv.dll
[7] 2005-03-10 07:49 295424 C29A5286E64D97385178452D5F307B98 c:\windows\system32\dllcache\termsrv.dll

[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kernel32.dll
[7] 2004-08-10 11:00 983552 888190E31455FAD793312F8D087146EB c:\windows\system32\kernel32.dll
[7] 2004-08-10 11:00 983552 888190E31455FAD793312F8D087146EB c:\windows\system32\dllcache\kernel32.dll

[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\powrprof.dll
[7] 2004-08-10 11:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll
[7] 2004-08-10 11:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\dllcache\powrprof.dll

[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\imm32.dll
[7] 2004-08-10 11:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll
[7] 2004-08-10 11:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\dllcache\imm32.dll

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sfcfiles.dll
[7] 2004-08-10 11:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll
[7] 2004-08-10 11:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\dllcache\sfcfiles.dll

[-] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\appmgmts.dll
[7] 2004-08-10 11:00 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\system32\appmgmts.dll
[7] 2004-08-10 11:00 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\system32\dllcache\appmgmts.dll

[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kbdclass.sys
[7] 2004-08-10 11:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-07 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Motive SmartBridge"="c:\progra~1\HUGHES~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-08 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-10 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HughesNet Tools.lnk - c:\program files\HughesNet Tools\bin\matcli.exe [2008-9-13 217088]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104328]
S2 gupdate1c99c589ec7cb5e;Google Update Service (gupdate1c99c589ec7cb5e);c:\program files\Google\Update\GoogleUpdate.exe [3/3/2009 5:34 PM 133104]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-07 12:48]

2009-06-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 23:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://edition.cnn.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
TCP: {7EAE40D1-91A6-4739-AE70-C5F11D7C2720} = 190.92.11.18,190.92.0.5
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\DELL\Application Data\Mozilla\Firefox\Profiles\0i7polu1.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://edition.cnn.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 06:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1284)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1340)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
Completion time: 2009-06-28 6:51
ComboFix-quarantined-files.txt 2009-06-28 12:51

Pre-Run: 28,833,959,936 bytes free
Post-Run: 29,657,845,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

273









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:05 AM, on 6/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edition.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HughesNet Tools.lnk = C:\Program Files\HughesNet Tools\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232304016250
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EAE40D1-91A6-4739-AE70-C5F11D7C2720}: NameServer = 190.92.11.18,190.92.0.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c99c589ec7cb5e) (gupdate1c99c589ec7cb5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9533 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:37 PM

Posted 28 June 2009 - 05:05 PM

Hello,

Looks better. :thumbup2: How is it running please?

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Please be sure MBAM is updated and have a scan with it. Post the report in your reply, if there is anything to post. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 yanmatt

yanmatt
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:37 PM

Posted 28 June 2009 - 08:44 PM

Hello Tea,

Thanks for your help!

There are no more google links being hijacked. System is running much better.

The 3 entries that you mentioned were present, when I ran Hijackthis, I did fix them.

Below is the report from MBAM.

While running MBAM, my bit defender alerted me to a virus it had quarantined, Gen:RootKit.Heur.4018E7A6A6

Yanmatt.



Malwarebytes' Anti-Malware 1.38
Database version: 2347
Windows 5.1.2600 Service Pack 2

6/28/2009 6:51:36 PM
mbam-log-2009-06-28 (18-51-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177502
Time elapsed: 1 hour(s), 2 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\SKYNETwfshtupk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{572905c2-a0da-4f4d-a61a-aa6f620c1e0d}\RP332\A0074729.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:37 PM

Posted 28 June 2009 - 08:56 PM

Hello,

You're welcome. :)

Both of those entries are all right....not a threat to you. One was in System Restore (We'll clear those out. :thumbup2: ) and the other is in ComboFix's quarantine (Qoobox).

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Now see if BitDefender has anything to say. :) I'm betting not.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 yanmatt

yanmatt
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:37 PM

Posted 29 June 2009 - 08:37 AM

Tea,

Ok, performed the requested tasks, no problems present.

Is it ok for me to run stopzilla, MBAM, and Bit defender on my computer?

Many thanks!
yanmatt

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:37 PM

Posted 29 June 2009 - 08:45 AM

Good morning :)

You're most welcome. :)

Yes, it's all right to have those running together. They each do something different and don't usually clash. :thumbup2:

http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:37 PM

Posted 30 June 2009 - 05:42 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users