Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

persistent search engine trojan/google redirect virus


  • This topic is locked This topic is locked
6 replies to this topic

#1 blobomotob

blobomotob

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 14 July 2009 - 09:06 AM

Hello -first thanks to those of you willing to help out, I think this is an awesome site, and look forward to chatting with you guys-
My problem (#1), is the search engine trojan/google redirect virus, I have run several anti-spyware/anti-virus programs (all brand new, clean install) to no avail: SuperAnti-Spyware, Ad-aware, Zone Alarm anti-virus, Malawarebytes Anti-Malaware -they picked up a couple of things but they didn't solve the problem.

In addition I have a wierd problem (related?unrelated?) where my two internal cd drives (a dvd drive and a cdrrw) are listed twice in "my computer" ! -but not in device manager, and nor my harddrives (internal and external) nor my external dvdr have the same issue, this is how it shows in the explorer (Windows XP) example: E: Audio CD X - H: Audio CD X - F: Cartoons DVD - G: Cartoons DVD, if I click on either instance of the drive it takes me to the same place, so it appears some sort of drive management is simply reading them twice...

so, here is the DDS.txt (and Attach.txt is attached), thanks so much, if there is anything else needed, please let me know, and I'll check back by later!

DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Louis Zinser at 8:35:26.73 on Tue 07/14/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1393 [GMT -5:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Louis Zinser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [Sonic RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [atwtusb] atwtusb.exe beta
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
uPolicies-explorer: ForceActiveDesktopOn =
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\program files\eltima software\flash decompiler trillix\saveflash\iebt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-7-13 150544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-5-5 8576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-13 365448]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-14 00:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-14 00:14 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-14 00:14 <DIR> --d----- c:\docume~1\louisz~1\applic~1\SUPERAntiSpyware.com
2009-07-13 23:25 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-13 22:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================


============= FINISH: 8:37:59.76 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:57 AM

Posted 14 July 2009 - 12:14 PM

Hello blobomotob,

Posted Image

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 blobomotob

blobomotob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 15 July 2009 - 08:40 AM

Tea -thanks for taking care of my other repeat posts, and thanks for the quick reply, I have run both the new combofix and highjackthis, here are the logs, we'll talk soon, B.


-COMBOFIX-

ComboFix 09-07-14.04 - Louis Zinser 07/14/2009 22:42.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1394 [GMT -5:00]
Running from: c:\documents and settings\Louis Zinser\Desktop\ComboFix.exe
AV: ZoneAlarm Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\cdmxtras
c:\windows\cdmxtras\uninst.exe
c:\windows\Installer\16c138ee.msi
c:\windows\Installer\92bdeb.msi
c:\windows\Installer\df76def.msp
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_105300.htm
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.gif
c:\windows\system32\cache329\B_329_1_0_449600.gif
c:\windows\system32\cache329\B_329_1_0_454300.gif
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_105300.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_105300.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_105300.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\Data
c:\windows\system32\drivers\hjgruiaoqnqvno.sys
c:\windows\system32\hjgruipumjugvu.dat
c:\windows\system32\hjgruiqawvpklg.dll
c:\windows\system32\hjgruiukxspemr.dll
c:\windows\system32\hjgruiydapjwxq.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiultoduty


((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-15 03:38 . 2009-07-15 04:07 9872160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-14 05:14 . 2009-07-15 03:39 117760 ----a-w- c:\documents and settings\Louis Zinser\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 05:14 . 2009-07-14 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-14 05:14 . 2009-07-14 05:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-14 05:14 . 2009-07-14 05:14 -------- d-----w- c:\documents and settings\Louis Zinser\Application Data\SUPERAntiSpyware.com
2009-07-14 04:25 . 2009-07-14 04:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-14 03:09 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 03:09 . 2009-07-14 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 03:09 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 20:57 . 2009-07-13 22:26 -------- d-----w- c:\windows\system32\NtmsData
2009-07-13 19:43 . 2009-07-13 19:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-13 15:55 . 2009-07-13 15:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-13 15:55 . 2009-07-13 15:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-13 15:35 . 2009-05-29 01:25 72584 ----a-w- c:\windows\zllsputility.exe
2009-07-13 15:34 . 2009-05-29 01:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-07-13 15:34 . 2009-05-29 01:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-07-13 15:34 . 2009-05-29 01:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-28 15:03 . 2009-06-28 15:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-15 15:46 . 2009-06-15 15:46 152576 ----a-w- c:\documents and settings\Louis Zinser\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 03:38 . 2009-07-15 03:38 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-14 05:14 . 2008-09-10 05:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 03:58 . 2005-03-15 02:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-13 19:50 . 2009-07-13 19:50 109358 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_13_10_13_25_small.dmp.zip
2009-07-13 19:50 . 2009-07-13 19:50 108188 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_13_10_13_00_small.dmp.zip
2009-07-13 19:50 . 2009-07-13 19:50 562489 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_13_09_58_32_small.dmp.zip
2009-07-13 15:39 . 2009-07-13 19:45 1950208 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-07-13 15:39 . 2009-07-13 19:45 24576 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-28 15:05 . 2006-03-16 02:09 -------- d-----w- c:\documents and settings\Louis Zinser\Application Data\uTorrent
2009-05-15 04:11 . 2009-05-15 04:10 307200 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\lyrics\SeekLyrics.dll
2009-05-15 04:10 . 2009-05-15 04:10 286720 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\lyrics\LyricsOnDemand.dll
2009-05-15 04:10 . 2009-05-15 04:10 311296 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\lyrics\LyricsVault.dll
2009-05-15 04:10 . 2009-05-15 04:10 307200 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\lyrics\LyricsDemon.dll
2009-05-15 04:10 . 2009-05-15 04:10 286720 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\lyrics\AstraLyrics.dll
2009-05-15 04:10 . 2009-05-15 04:10 339968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\general\allmusic.dll
2009-05-15 04:10 . 2009-05-15 04:10 413696 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\general\amazon.dll
2009-05-15 04:10 . 2009-05-15 04:10 331776 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\general\sonybmg.dll
2009-05-15 04:10 . 2009-05-15 04:10 311296 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\general\musicline.dll
2009-05-15 04:10 . 2009-05-15 04:10 339968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\general\connect.dll
2009-05-15 04:10 . 2009-05-15 04:10 311296 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\AutoTag\general\mp3com.dll
2009-05-13 05:15 . 2003-07-16 16:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 15:08 . 2005-03-11 22:19 225264 -c--a-w- c:\documents and settings\Louis Zinser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 13:35 . 2006-09-04 18:53 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2003-07-16 16:45 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 17:16 . 2009-05-04 12:39 209852 ----a-w- c:\windows\Fonts\Verlag-BoldItalic.ttf
2009-04-16 17:15 . 2009-05-04 12:39 31792 ----a-w- c:\windows\Fonts\Ziggurat-HTF-Black.otf
2009-04-16 17:14 . 2009-05-04 12:39 33560 ----a-w- c:\windows\Fonts\WhitneyHTF-Black.otf
2009-04-16 17:13 . 2009-05-04 12:39 24852 ----a-w- c:\windows\Fonts\Mercury-NumericG1Semibold.otf
2009-04-16 17:12 . 2009-05-04 12:39 48512 ----a-w- c:\windows\Fonts\HoeflerText-BlackItalicSwash.otf
2009-04-16 17:11 . 2009-05-04 12:39 38848 ----a-w- c:\windows\Fonts\DidotHTF-11Medium.otf
2009-04-16 17:09 . 2009-05-04 12:39 20708 ----a-w- c:\windows\Fonts\Champion-HTF-Welterweight.otf
2009-04-16 17:09 . 2009-05-04 12:39 21012 ----a-w- c:\windows\Fonts\Champion-HTF-Middleweight.otf
2009-04-16 17:09 . 2009-05-04 12:39 21500 ----a-w- c:\windows\Fonts\Champion-HTF-Heavyweight.otf
2009-04-16 17:09 . 2009-05-04 12:39 19064 ----a-w- c:\windows\Fonts\Champion-HTF-Flyweight.otf
2009-04-16 17:08 . 2009-05-04 12:39 19984 ----a-w- c:\windows\Fonts\Champion-HTF-Featherweight.otf
2009-04-16 17:08 . 2009-05-04 12:39 19128 ----a-w- c:\windows\Fonts\Champion-HTF-Bantamweight.otf
2009-04-16 17:08 . 2009-05-04 12:39 12964 ----a-w- c:\windows\Fonts\Appellation-HTF.otf
2009-04-16 17:08 . 2009-05-04 12:39 27080 ----a-w- c:\windows\Fonts\AcropolisHTF-BlackItalic.otf
2009-04-16 17:06 . 2009-05-04 12:39 25764 ----a-w- c:\windows\Fonts\AcropolisHTF-Black.otf
2009-04-16 17:06 . 2009-05-04 12:39 20304 ----a-w- c:\windows\Fonts\Champion-HTF-Lightweight.otf
2009-06-19 12:04 . 2009-01-24 02:21 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-09 94208]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-07 2387968]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-09 180269]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"atwtusb"="atwtusb.exe" - c:\windows\system32\atwtusb.exe [2002-04-23 184320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Internet\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [5/5/2008 10:42 AM 8576]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-07-14 c:\windows\Tasks\User_Feed_Synchronization-{E21C49E8-AEED-4546-B854-E1434FA4ED79}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

2009-07-15 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 03:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Louis Zinser\Application Data\Mozilla\Firefox\Profiles\tzoqpyxc.default\
FF - plugin: c:\documents and settings\Louis Zinser\Application Data\Mozilla\Firefox\Profiles\tzoqpyxc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\LOUISZ~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Louis Zinser\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.
Completion time: 2009-07-15 23:11
ComboFix-quarantined-files.txt 2009-07-15 04:11

Pre-Run: 6,187,868,160 bytes free
Post-Run: 8,737,996,800 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
241 --- E O F --- 2009-07-14 08:00






-HIGHJACKTHIS-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:05 AM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9662 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:57 AM

Posted 15 July 2009 - 11:25 AM

Hi there,

You're welcome. :thumbup2:

Those look really good, and ComboFix got the nasty that was redirecting you.....how is it running now?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 blobomotob

blobomotob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 15 July 2009 - 11:35 PM

Tea, 30 minutes in today, it seems to have worked great as far as I can tell, THANKS!!! (Even the dupe drive situation is remedied!) However, I do have one question, the HijackThis log includes a bunch of stuff I don't really understand, along with other things I seem to think don't belong, or are unnecessary, for example, YahooCompanion, Spybot, Bonjour Service, Windows Genuine Advantage Validation Tool, etc...

I have taken screen shots, and would appreciate if you could look at them as well, they may all be a-okay in which case I will leave them alone, please advise, see below:
Posted Image
Posted Image

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:57 AM

Posted 16 July 2009 - 12:18 AM

Hi there,

You're welcome. :)

Everything in that log is all right. :thumbup2: There are some things that could be pared off to make your boot time faster, but even those are legit. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Great tips and info-----> http://mvps.org/winhelp2002/unwanted.htm

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:57 AM

Posted 22 July 2009 - 10:10 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users