
Got a virus, now Google and other sites will not open.


  • This topic is locked
56 replies to this topic

#1 Shainie27


  • Members
  • 31 posts

Posted 24 July 2009 - 07:48 PM

Hello all. My son was browsing around the internet and got a virus message. He closed everything so I'm not exactly sure what it was, but he said something was trying to "take over" our computer. After that our Google home page would not open. I tried to run our virus software, but when I double-clicked on the icon, nothing would happen. I then downloaded various spyware programs. The first 2 did the same thing as the virus software - would not open when double-clicked, nor when I right-clicked and hit run. Finally I got one spyware program to run, but Google still will not open (also a couple of other sites will not open - blogger.com for one). I have Google search up in my toolbar, but when I do a search in there "GALA SEARCH" comes up. And it's not even really a search engine, it just gives a few ads for searching software or something like that.

Here is the content of my DDS report. Any help would be appreciated!

DDS (Ver_09-06-26.01) - NTFSx86
Run by Rae Ann at 19:35:49.20 on Fri 07/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.125 [GMT -5:00]

AV: Windows Security Suite *On-access scanning enabled* (Updated) {F6D4844A-EDE3-47A4-B946-0291CBAB4866}
AV: Windows Security Suite *On-access scanning enabled* (Updated) {F952E2F8-6FC3-45ED-B456-8104504EBEE5}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows Security Suite *On-access scanning enabled* (Updated) {CFD18118-005B-4E33-96B5-74D83B088069}
FW: Windows Security Suite *enabled* {905FCA85-2C2B-4684-BF9C-06FF9A76F996}
FW: Windows Security Suite *enabled* {6F292C9E-304A-4B85-B626-1BB844FD997A}
FW: Windows Security Suite *enabled* {7AE4C63A-9F2C-45B4-B916-F826B703B50F}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
D:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
D:\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\FinePixViewerS\QuickDCF2.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rae Ann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [HPIJetSend] d:\program files\hewlett-packard\photosmart\photo imaging\Hpi_JetSend.exe
mRun: [CXMon] "d:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [FlyMonitor] "d:\program files\leapfrog\flyworld\bin\FlyMonitor.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "d:\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - d:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - d:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1229832300_befb08e273ceef42f3eb18f9b038d20d&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-22 64160]
R1 avgio;avgio;d:\avira\antivir desktop\avgio.sys [2009-7-22 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\avira\antivir desktop\sched.exe [2009-7-22 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\avira\antivir desktop\avguard.exe [2009-7-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-22 55640]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-26 24652]
S2 gupdate1c9b4b3f24873f0;Google Update Service (gupdate1c9b4b3f24873f0);c:\program files\google\update\GoogleUpdate.exe [2009-4-3 133104]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-1-29 18560]

=============== Created Last 30 ================

2009-07-24 09:50 <DIR> --d----- c:\program files\AIM6
2009-07-23 17:54 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\WINSSSys
2009-07-23 09:37 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-22 23:28 <DIR> --d----- c:\docume~1\raeann~1\applic~1\Malwarebytes
2009-07-22 23:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 23:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-22 23:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-22 23:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 23:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-22 23:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-22 23:19 <DIR> --d----- c:\program files\Lavasoft
2009-07-22 15:29 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-22 15:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-22 13:49 <DIR> --d----- c:\docume~1\raeann~1\applic~1\AVG8
2009-07-22 13:08 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\5b229d4
2009-07-21 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\3DVIA
2009-07-21 12:17 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-07-21 12:17 <DIR> --d----- c:\program files\Virtools
2009-07-10 19:35 <DIR> --d----- c:\docume~1\raeann~1\applic~1\Aveyond 3
2009-07-10 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Artist Colony

==================== Find3M ====================

2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2004-08-04 07:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 19:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 19:11 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2008-04-13 19:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 19:12 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2008-04-13 19:12 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2008-04-13 19:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 19:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 19:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-12-21 09:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122120081222\index.dat

============= FINISH: 19:36:23.92 ===============



#2 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 25 July 2009 - 12:00 AM

Hello Shainie27,


I need you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Shainie27

  • Topic Starter

  • Members
  • 31 posts

Posted 25 July 2009 - 10:06 AM

ComboFix report:

ComboFix 09-07-24.01 - Rae Ann 07/25/2009 9:44.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.208 [GMT -5:00]
Running from: c:\documents and settings\Rae Ann\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\WINSSSys
c:\documents and settings\All Users\Application Data\WINSSSys\winss.cfg
c:\documents and settings\Bronson & Shane\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Security Suite.lnk
c:\documents and settings\Bronson & Shane\Application Data\Windows Security Suite
c:\documents and settings\Bronson & Shane\Desktop\Windows Security Suite.lnk
c:\documents and settings\Bronson & Shane\Start Menu\Programs\Windows Security Suite.lnk
c:\documents and settings\Bronson & Shane\Start Menu\Windows Security Suite.lnk
c:\documents and settings\Rae Ann\Application Data\.#
c:\documents and settings\Rae Ann\Application Data\.#\MBX@538@384190.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@538@3841C0.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@538@3841F0.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@794@384190.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@794@3841C0.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@794@3841F0.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@E00@384190.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@E00@3841C0.###
c:\documents and settings\Rae Ann\Application Data\.#\MBX@E00@3841F0.###
c:\windows\system32\img_utils.dll
c:\windows\system32\imgscaler.dll
c:\windows\system32\videocore.dll
c:\windows\system32\videoformat.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 01:23 . 2009-07-25 01:23 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\CupcakeCafe
2009-07-24 14:54 . 2009-07-24 14:54 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\acccore
2009-07-24 14:53 . 2009-07-24 14:53 -------- d-----w- c:\documents and settings\Rae Ann\Local Settings\Application Data\AOL OCP
2009-07-24 14:50 . 2009-07-24 14:53 -------- d-----w- c:\program files\AIM6
2009-07-23 14:37 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-23 04:28 . 2009-07-23 04:28 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\Malwarebytes
2009-07-23 04:28 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 04:28 . 2009-07-23 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-23 04:28 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-23 04:28 . 2009-07-23 04:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 04:20 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-23 04:19 . 2009-07-23 04:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 04:19 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-23 04:19 . 2009-07-23 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-23 04:19 . 2009-07-23 04:19 -------- d-----w- c:\program files\Lavasoft
2009-07-22 20:29 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-22 20:29 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-22 20:29 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-22 20:29 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-22 20:29 . 2009-07-22 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-22 18:49 . 2009-07-22 18:49 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\AVG8
2009-07-22 18:10 . 2009-07-22 18:11 2236416 ----a-w- c:\documents and settings\All Users\Application Data\5b229d4\WI5b22.exe
2009-07-22 18:08 . 2009-07-23 22:54 -------- d-sh--w- c:\documents and settings\All Users\Application Data\5b229d4
2009-07-21 22:52 . 2009-07-21 22:52 -------- d-----w- c:\documents and settings\Bronson & Shane\Local Settings\Application Data\Adobe
2009-07-21 17:18 . 2009-07-21 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2009-07-21 17:17 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-07-21 17:17 . 2009-07-21 17:17 -------- d-----w- c:\program files\Virtools
2009-07-15 20:35 . 2009-07-18 00:35 -------- d-----w- c:\documents and settings\Rae Ann\Local Settings\Application Data\Temp
2009-07-11 00:35 . 2009-07-11 00:35 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\Aveyond 3
2009-07-11 00:17 . 2009-07-11 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Artist Colony
2009-07-11 00:17 . 2009-07-11 00:17 -------- d-----w- c:\documents and settings\Rae Ann\Local Settings\Application Data\Artist Colony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 03:53 . 2008-12-23 02:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-25 00:18 . 2009-01-03 23:20 -------- d-----w- c:\program files\Shockwave.com
2009-07-24 14:52 . 2009-05-27 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-24 14:51 . 2009-05-27 02:17 -------- d-----w- c:\program files\Common Files\AOL
2009-07-24 00:28 . 2008-12-25 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 19:07 . 2008-12-30 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-22 19:06 . 2008-12-30 02:42 -------- d-----w- c:\program files\AVG
2009-07-18 00:36 . 2009-04-03 23:28 -------- d-----w- c:\program files\Google
2009-07-14 01:53 . 2009-04-13 23:14 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-10 23:45 . 2008-12-30 02:53 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\LimeWire
2009-07-01 00:13 . 2008-12-24 18:51 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\PlayFirst
2009-06-24 23:39 . 2009-06-24 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 01:55 . 2009-06-15 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2009-06-14 14:24 . 2009-06-14 14:11 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\U3
2009-06-13 00:43 . 2009-06-13 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 00:22 . 2009-06-03 00:22 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\YoudaGames
2009-06-02 19:35 . 2009-06-02 19:26 -------- d-----w- c:\program files\Sony Online Entertainment
2009-05-30 18:39 . 2009-05-30 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\mevo
2009-05-27 21:01 . 2009-05-27 21:01 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\Viewpoint
2009-05-27 02:19 . 2009-05-27 02:18 -------- d-----w- c:\program files\Viewpoint
2009-05-27 02:18 . 2009-05-27 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-27 02:18 . 2009-05-27 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-05-27 02:18 . 2009-05-27 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2004-08-04 12:00 . 2004-08-04 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-04 12:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-04 12:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 12:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 12:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 12:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-04 12:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 12:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-04 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"HPIJetSend"="d:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe" [2001-05-24 585728]
"CXMon"="d:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-05-24 45056]
"FlyMonitor"="d:\program files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [2008-05-13 664904]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="d:\avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - d:\program files\FinePixViewerS\QuickDCF2.exe [2008-12-25 303104]
WinZip Quick Pick.lnk - d:\program files\WinZip\WZQKPICK.EXE [2009-1-14 525664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_JetSend.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Leapfrog\\FlyWorld\\bin\\FLYMonitor.exe"=
"d:\\Program Files\\Leapfrog\\FlyWorld\\bin\\FLYWorld.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\5b229d4\\WI5b22.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2009 11:20 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\avira\AntiVir Desktop\sched.exe [7/22/2009 3:29 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/26/2009 9:19 PM 24652]
S2 gupdate1c9b4b3f24873f0;Google Update Service (gupdate1c9b4b3f24873f0);c:\program files\Google\Update\GoogleUpdate.exe [4/3/2009 6:28 PM 133104]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/29/2009 7:13 PM 18560]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 23:28]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 23:28]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPHUPD04 - c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 09:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-25 9:56
ComboFix-quarantined-files.txt 2009-07-25 14:56

Pre-Run: 2,556,301,312 bytes free
Post-Run: 3,621,597,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

187 --- E O F --- 2009-07-15 17:41

#4 Shainie27

  • Topic Starter

  • Members
  • 31 posts

Posted 25 July 2009 - 10:08 AM

HijackThis log (it said it was denied write access to the hosts file):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:18 AM, on 7/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir Desktop\sched.exe
D:\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
D:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
D:\Program Files\FinePixViewerS\QuickDCF2.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba
O1 - Hosts: 89.248.168.188 google.be
O1 - Hosts: 89.248.168.188 google.bg
O1 - Hosts: 89.248.168.188 google.bs
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.cd
O1 - Hosts: 89.248.168.188 google.com.gh
O1 - Hosts: 89.248.168.188 google.com.hk
O1 - Hosts: 89.248.168.188 google.com.jm
O1 - Hosts: 89.248.168.188 google.com.mx
O1 - Hosts: 89.248.168.188 google.com.my
O1 - Hosts: 89.248.168.188 google.com.na
O1 - Hosts: 89.248.168.188 google.com.nf
O1 - Hosts: 89.248.168.188 google.com.ng
O1 - Hosts: 89.248.168.188 google.ch
O1 - Hosts: 89.248.168.188 google.com.np
O1 - Hosts: 89.248.168.188 google.com.pr
O1 - Hosts: 89.248.168.188 google.com.qa
O1 - Hosts: 89.248.168.188 google.com.sg
O1 - Hosts: 89.248.168.188 google.com.tj
O1 - Hosts: 89.248.168.188 google.com.tw
O1 - Hosts: 89.248.168.188 google.dj
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 89.248.168.188 google.dk
O1 - Hosts: 89.248.168.188 google.dm
O1 - Hosts: 89.248.168.188 google.ee
O1 - Hosts: 89.248.168.188 google.fi
O1 - Hosts: 89.248.168.188 google.fm
O1 - Hosts: 89.248.168.188 google.fr
O1 - Hosts: 89.248.168.188 google.ge
O1 - Hosts: 89.248.168.188 google.gg
O1 - Hosts: 89.248.168.188 google.gm
O1 - Hosts: 89.248.168.188 google.gr
O1 - Hosts: 89.248.168.188 google.ht
O1 - Hosts: 89.248.168.188 google.ie
O1 - Hosts: 89.248.168.188 google.im
O1 - Hosts: 89.248.168.188 google.in
O1 - Hosts: 89.248.168.188 google.it
O1 - Hosts: 89.248.168.188 google.ki
O1 - Hosts: 89.248.168.188 google.la
O1 - Hosts: 89.248.168.188 google.li
O1 - Hosts: 89.248.168.188 google.lv
O1 - Hosts: 89.248.168.188 google.ma
O1 - Hosts: 89.248.168.188 google.ms
O1 - Hosts: 89.248.168.188 google.mu
O1 - Hosts: 89.248.168.188 google.mw
O1 - Hosts: 89.248.168.188 google.nl
O1 - Hosts: 89.248.168.188 google.no
O1 - Hosts: 89.248.168.188 google.nr
O1 - Hosts: 89.248.168.188 google.nu
O1 - Hosts: 89.248.168.188 google.pl
O1 - Hosts: 89.248.168.188 google.pn
O1 - Hosts: 89.248.168.188 google.pt
O1 - Hosts: 89.248.168.188 google.ro
O1 - Hosts: 89.248.168.188 google.ru
O1 - Hosts: 89.248.168.188 google.rw
O1 - Hosts: 89.248.168.188 google.sc
O1 - Hosts: 89.248.168.188 google.se
O1 - Hosts: 89.248.168.188 google.sh
O1 - Hosts: 89.248.168.188 google.si
O1 - Hosts: 89.248.168.188 google.sm
O1 - Hosts: 89.248.168.188 google.sn
O1 - Hosts: 89.248.168.188 google.st
O1 - Hosts: 89.248.168.188 google.tl
O1 - Hosts: 89.248.168.188 google.tm
O1 - Hosts: 89.248.168.188 google.tt
O1 - Hosts: 89.248.168.188 google.us
O1 - Hosts: 89.248.168.188 google.vu
O1 - Hosts: 89.248.168.188 google.ws
O1 - Hosts: 89.248.168.188 google.co.ck
O1 - Hosts: 89.248.168.188 google.co.id
O1 - Hosts: 89.248.168.188 google.co.il
O1 - Hosts: 89.248.168.188 google.co.in
O1 - Hosts: 89.248.168.188 google.co.jp
O1 - Hosts: 89.248.168.188 google.co.kr
O1 - Hosts: 89.248.168.188 google.co.ls
O1 - Hosts: 89.248.168.188 google.co.ma
O1 - Hosts: 89.248.168.188 google.co.nz
O1 - Hosts: 89.248.168.188 google.co.tz
O1 - Hosts: 89.248.168.188 google.co.ug
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.co.za
O1 - Hosts: 89.248.168.188 google.co.zm
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.com.af
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPIJetSend] D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
O4 - HKLM\..\Run: [CXMon] "d:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [FlyMonitor] "D:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...ows-i586-jc.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9b4b3f24873f0) (gupdate1c9b4b3f24873f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12123 bytes

#5 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 July 2009 - 02:54 PM

Hello there,

Download the HostsXpert Here
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program

Now please have another HijackThis scan and post the report. All those O1s are bad and that *should* take care of them. :thumbup2:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 Shainie27
  • Topic Starter
  • Members
  • 31 posts

Posted 25 July 2009 - 04:19 PM

When I open HostsXpert the first message that pops up is:

"Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit."

I hit OK and then get this message:

"Your HOSTS file is marked as a "hidden file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit."

I hit okay on that one too. Then the "Make Writable" is in red and doesn't do anything when I click it. I also cannot click Restore/Backup.

Did I do something wrong?

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 July 2009 - 04:26 PM

No ma'am, you did nothing wrong at all. Malware did this. We have to fix it though.....so run HijackThis and check all those O1s, click fix checked, close HijackThis and reboot your computer. Have another scan with HijackThis and see if all those are gone now. If not, then we'll do something else. :thumbup2:

tea

#8 Shainie27
  • Topic Starter
  • Members
  • 31 posts

Posted 25 July 2009 - 04:54 PM

Checked all the O1's, clicked fix, rebooted, ran another scan, and they're back. :thumbup2:
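As an added example (not code from the thread, from HijackThis or from HostsXpert): a small Python triage script for the "O1 - Hosts:" entries in the log above. It separates real redirects (a name pointed at a routable address) from harmless loopback/0.0.0.0 mappings, flags one IP absorbing many names (the google.* cluster), reports which entries survived the fix-and-reboot cycle described in this post, and produces the minimal stock hosts content that the "Restore MS Hosts File" step writes back. The two sample logs are constructed excerpts modelled on the logs in this thread, and the stock-file template is an assumption (only the localhost line is included).

```python
"""Triage of HijackThis "O1 - Hosts:" entries, as seen in the log above.

Added example, not code from the thread, HijackThis or HostsXpert.
Constructed input: SAMPLE_BEFORE/SAMPLE_AFTER are short excerpts modelled on
the two logs in this thread (before the HijackThis fix and after the reboot).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the first HijackThis log posted in this thread.
SAMPLE_BEFORE = """\
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.net
"""

# Constructed excerpt of a log taken after "fix checked" and a reboot:
# the google.* redirects are back, one payment-site entry is gone.
SAMPLE_AFTER = """\
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 127.0.0.1 localhost
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_o1(log_text):
    """Return (ip, hostname) pairs for every O1 line; other log lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def is_sinkhole(ip):
    """Loopback or 0.0.0.0 mappings block a name; that is how ad-blocking hosts
    files work and is not a redirect. Anything unparsable is treated as suspect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def classify(entries, min_cluster=3):
    """Split entries into benign (sinkhole) and suspicious (routable target).

    Suspicious entries are also grouped by target IP: one routable address
    absorbing many names is the signature of the google.* hijack in this
    thread, whatever the individual names are."""
    benign, suspicious = [], []
    by_ip = defaultdict(list)
    for ip, host in entries:
        if is_sinkhole(ip):
            benign.append((ip, host))
        else:
            suspicious.append((ip, host))
            by_ip[ip].append(host)
    clusters = {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_cluster}
    return {"benign": benign, "suspicious": suspicious, "clusters": clusters}


def persistent_entries(before_log, after_log):
    """Suspicious entries present both before a fix and after the reboot.

    A non-empty result means something rewrote the hosts file on startup, so
    editing the file alone (HijackThis 'fix checked') will not hold."""
    before = set(classify(parse_o1(before_log))["suspicious"])
    after = set(classify(parse_o1(after_log))["suspicious"])
    return sorted(before & after)


def stock_hosts_file():
    """Minimal content of a default Windows hosts file, which is what the
    HostsXpert 'Restore MS Hosts File' step writes back (assumption: only the
    localhost line is needed; the Microsoft comment header is optional)."""
    return "# Restored hosts file: only the loopback entry remains.\n127.0.0.1       localhost\n"


if __name__ == "__main__":
    result = classify(parse_o1(SAMPLE_BEFORE))
    for ip, hosts in result["clusters"].items():
        print(f"{ip} absorbs {len(hosts)} names: {', '.join(hosts)}")
    for ip, host in persistent_entries(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"survived fix+reboot: {host} -> {ip}")
```

The same parser accepts a whole HijackThis log pasted in, since non-O1 lines are ignored.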

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 July 2009 - 05:06 PM

That's okay. I was kind of expecting that, but still hoping. :thumbup2: We'll do this then:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\drivers\etc\hosts


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), run HostsXpert again, then post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea

#10 Shainie27
  • Topic Starter
  • Members
  • 31 posts

Posted 25 July 2009 - 05:24 PM

ComboFix 09-07-24.01 - Rae Ann 07/25/2009 17:12.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.219 [GMT -5:00]
Running from: c:\documents and settings\Rae Ann\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rae Ann\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 01:23 . 2009-07-25 01:23 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\CupcakeCafe
2009-07-24 14:54 . 2009-07-24 14:54 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\acccore
2009-07-24 14:53 . 2009-07-24 14:53 -------- d-----w- c:\documents and settings\Rae Ann\Local Settings\Application Data\AOL OCP
2009-07-24 14:50 . 2009-07-24 14:53 -------- d-----w- c:\program files\AIM6
2009-07-23 14:37 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-23 04:28 . 2009-07-23 04:28 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\Malwarebytes
2009-07-23 04:28 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 04:28 . 2009-07-23 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-23 04:28 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-23 04:28 . 2009-07-23 04:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 04:20 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-23 04:19 . 2009-07-23 04:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 04:19 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-23 04:19 . 2009-07-23 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-23 04:19 . 2009-07-23 04:19 -------- d-----w- c:\program files\Lavasoft
2009-07-22 20:29 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-22 20:29 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-22 20:29 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-22 20:29 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-22 20:29 . 2009-07-22 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-22 18:49 . 2009-07-22 18:49 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\AVG8
2009-07-22 18:10 . 2009-07-22 18:11 2236416 ----a-w- c:\documents and settings\All Users\Application Data\5b229d4\WI5b22.exe
2009-07-22 18:08 . 2009-07-23 22:54 -------- d-sh--w- c:\documents and settings\All Users\Application Data\5b229d4
2009-07-21 22:52 . 2009-07-21 22:52 -------- d-----w- c:\documents and settings\Bronson & Shane\Local Settings\Application Data\Adobe
2009-07-21 17:18 . 2009-07-21 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2009-07-21 17:17 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-07-21 17:17 . 2009-07-21 17:17 -------- d-----w- c:\program files\Virtools
2009-07-15 20:35 . 2009-07-18 00:35 -------- d-----w- c:\documents and settings\Rae Ann\Local Settings\Application Data\Temp
2009-07-11 00:35 . 2009-07-11 00:35 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\Aveyond 3
2009-07-11 00:17 . 2009-07-11 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Artist Colony
2009-07-11 00:17 . 2009-07-11 00:17 -------- d-----w- c:\documents and settings\Rae Ann\Local Settings\Application Data\Artist Colony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 18:58 . 2008-12-23 02:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-25 00:18 . 2009-01-03 23:20 -------- d-----w- c:\program files\Shockwave.com
2009-07-24 14:52 . 2009-05-27 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-24 14:51 . 2009-05-27 02:17 -------- d-----w- c:\program files\Common Files\AOL
2009-07-24 00:28 . 2008-12-25 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 19:07 . 2008-12-30 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-22 19:06 . 2008-12-30 02:42 -------- d-----w- c:\program files\AVG
2009-07-18 00:36 . 2009-04-03 23:28 -------- d-----w- c:\program files\Google
2009-07-14 01:53 . 2009-04-13 23:14 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-10 23:45 . 2008-12-30 02:53 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\LimeWire
2009-07-01 00:13 . 2008-12-24 18:51 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\PlayFirst
2009-06-24 23:39 . 2009-06-24 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 01:55 . 2009-06-15 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2009-06-14 14:24 . 2009-06-14 14:11 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\U3
2009-06-13 00:43 . 2009-06-13 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 00:22 . 2009-06-03 00:22 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\YoudaGames
2009-06-02 19:35 . 2009-06-02 19:26 -------- d-----w- c:\program files\Sony Online Entertainment
2009-05-30 18:39 . 2009-05-30 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\mevo
2009-05-27 21:01 . 2009-05-27 21:01 -------- d-----w- c:\documents and settings\Rae Ann\Application Data\Viewpoint
2009-05-27 02:19 . 2009-05-27 02:18 -------- d-----w- c:\program files\Viewpoint
2009-05-27 02:18 . 2009-05-27 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-27 02:18 . 2009-05-27 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-05-27 02:18 . 2009-05-27 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2004-08-04 12:00 . 2004-08-04 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-04 12:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-04 12:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 12:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 12:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 12:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-04 12:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 12:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-04 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-07-25_14.53.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-25 21:49 . 2009-07-25 21:49 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
- 2009-07-25 14:30 . 2009-07-25 14:30 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"HPIJetSend"="d:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe" [2001-05-24 585728]
"CXMon"="d:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-05-24 45056]
"FlyMonitor"="d:\program files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [2008-05-13 664904]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="d:\avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - d:\program files\FinePixViewerS\QuickDCF2.exe [2008-12-25 303104]
WinZip Quick Pick.lnk - d:\program files\WinZip\WZQKPICK.EXE [2009-1-14 525664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_JetSend.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Leapfrog\\FlyWorld\\bin\\FLYMonitor.exe"=
"d:\\Program Files\\Leapfrog\\FlyWorld\\bin\\FLYWorld.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\5b229d4\\WI5b22.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2009 11:20 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\avira\AntiVir Desktop\sched.exe [7/22/2009 3:29 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/26/2009 9:19 PM 24652]
S2 gupdate1c9b4b3f24873f0;Google Update Service (gupdate1c9b4b3f24873f0);c:\program files\Google\Update\GoogleUpdate.exe [4/3/2009 6:28 PM 133104]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/29/2009 7:13 PM 18560]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 23:28]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 23:28]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 17:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-25 17:22
ComboFix-quarantined-files.txt 2009-07-25 22:21
ComboFix2.txt 2009-07-25 14:56

Pre-Run: 3,625,099,264 bytes free
Post-Run: 3,603,316,736 bytes free

167 --- E O F --- 2009-07-15 17:41

#11 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 July 2009 - 05:27 PM

Hi there,

And HostsXpert and HijackThis log? :thumbup2:

After reboot, (in case it asks to reboot), run HostsXpert again, then post the contents of Combofix.txt in your next reply together with a new HijackThis log.



#12 Shainie27
  • Topic Starter
  • Members
  • 31 posts

Posted 25 July 2009 - 05:31 PM

I got the same messages from HostsXpert (about Hosts files)

Here is HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:17 PM, on 7/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir Desktop\sched.exe
D:\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
D:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
D:\Program Files\FinePixViewerS\QuickDCF2.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba
O1 - Hosts: 89.248.168.188 google.be
O1 - Hosts: 89.248.168.188 google.bg
O1 - Hosts: 89.248.168.188 google.bs
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.cd
O1 - Hosts: 89.248.168.188 google.com.gh
O1 - Hosts: 89.248.168.188 google.com.hk
O1 - Hosts: 89.248.168.188 google.com.jm
O1 - Hosts: 89.248.168.188 google.com.mx
O1 - Hosts: 89.248.168.188 google.com.my
O1 - Hosts: 89.248.168.188 google.com.na
O1 - Hosts: 89.248.168.188 google.com.nf
O1 - Hosts: 89.248.168.188 google.com.ng
O1 - Hosts: 89.248.168.188 google.ch
O1 - Hosts: 89.248.168.188 google.com.np
O1 - Hosts: 89.248.168.188 google.com.pr
O1 - Hosts: 89.248.168.188 google.com.qa
O1 - Hosts: 89.248.168.188 google.com.sg
O1 - Hosts: 89.248.168.188 google.com.tj
O1 - Hosts: 89.248.168.188 google.com.tw
O1 - Hosts: 89.248.168.188 google.dj
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 89.248.168.188 google.dk
O1 - Hosts: 89.248.168.188 google.dm
O1 - Hosts: 89.248.168.188 google.ee
O1 - Hosts: 89.248.168.188 google.fi
O1 - Hosts: 89.248.168.188 google.fm
O1 - Hosts: 89.248.168.188 google.fr
O1 - Hosts: 89.248.168.188 google.ge
O1 - Hosts: 89.248.168.188 google.gg
O1 - Hosts: 89.248.168.188 google.gm
O1 - Hosts: 89.248.168.188 google.gr
O1 - Hosts: 89.248.168.188 google.ht
O1 - Hosts: 89.248.168.188 google.ie
O1 - Hosts: 89.248.168.188 google.im
O1 - Hosts: 89.248.168.188 google.in
O1 - Hosts: 89.248.168.188 google.it
O1 - Hosts: 89.248.168.188 google.ki
O1 - Hosts: 89.248.168.188 google.la
O1 - Hosts: 89.248.168.188 google.li
O1 - Hosts: 89.248.168.188 google.lv
O1 - Hosts: 89.248.168.188 google.ma
O1 - Hosts: 89.248.168.188 google.ms
O1 - Hosts: 89.248.168.188 google.mu
O1 - Hosts: 89.248.168.188 google.mw
O1 - Hosts: 89.248.168.188 google.nl
O1 - Hosts: 89.248.168.188 google.no
O1 - Hosts: 89.248.168.188 google.nr
O1 - Hosts: 89.248.168.188 google.nu
O1 - Hosts: 89.248.168.188 google.pl
O1 - Hosts: 89.248.168.188 google.pn
O1 - Hosts: 89.248.168.188 google.pt
O1 - Hosts: 89.248.168.188 google.ro
O1 - Hosts: 89.248.168.188 google.ru
O1 - Hosts: 89.248.168.188 google.rw
O1 - Hosts: 89.248.168.188 google.sc
O1 - Hosts: 89.248.168.188 google.se
O1 - Hosts: 89.248.168.188 google.sh
O1 - Hosts: 89.248.168.188 google.si
O1 - Hosts: 89.248.168.188 google.sm
O1 - Hosts: 89.248.168.188 google.sn
O1 - Hosts: 89.248.168.188 google.st
O1 - Hosts: 89.248.168.188 google.tl
O1 - Hosts: 89.248.168.188 google.tm
O1 - Hosts: 89.248.168.188 google.tt
O1 - Hosts: 89.248.168.188 google.us
O1 - Hosts: 89.248.168.188 google.vu
O1 - Hosts: 89.248.168.188 google.ws
O1 - Hosts: 89.248.168.188 google.co.ck
O1 - Hosts: 89.248.168.188 google.co.id
O1 - Hosts: 89.248.168.188 google.co.il
O1 - Hosts: 89.248.168.188 google.co.in
O1 - Hosts: 89.248.168.188 google.co.jp
O1 - Hosts: 89.248.168.188 google.co.kr
O1 - Hosts: 89.248.168.188 google.co.ls
O1 - Hosts: 89.248.168.188 google.co.ma
O1 - Hosts: 89.248.168.188 google.co.nz
O1 - Hosts: 89.248.168.188 google.co.tz
O1 - Hosts: 89.248.168.188 google.co.ug
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.co.za
O1 - Hosts: 89.248.168.188 google.co.zm
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.com.af
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPIJetSend] D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_JetSend.exe
O4 - HKLM\..\Run: [CXMon] "d:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [FlyMonitor] "D:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...ows-i586-jc.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9b4b3f24873f0) (gupdate1c9b4b3f24873f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12173 bytes
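The O1 entries in the log above all point a long list of google.* domains at one routable address, which is the signature of a hosts-file hijack (Windows keeps that file at C:\WINDOWS\system32\drivers\etc\hosts on XP). The following Python is an added example, not part of this thread or of HijackThis: it parses either "O1 - Hosts:" lines from a HijackThis log or the raw hosts file, skips the benign loopback/0.0.0.0 sinkhole entries that ad-blocking lists use, and groups every redirected brand-name host by the address it is sent to. The sample inputs are constructed for the example, modelled on the log, and the watched label list is an assumption you would extend for your own environment.

```python
"""Detect hosts-file hijacks from a HijackThis 'O1 - Hosts:' log or from a
raw hosts file. Added example; not part of the original thread or HijackThis."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the O1 lines in the log above (89.248.168.188
# is the target the log shows); the localhost and 0.0.0.0 lines are added to
# show the benign cases being skipped, and the O4 line shows non-O1 lines ignored.
SAMPLE_HJT_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.nl
O1 - Hosts: 0.0.0.0 ads.example.test
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Constructed raw hosts-file content in the native format
# (C:\WINDOWS\system32\drivers\etc\hosts on XP): comments, tabs,
# and several names on one line.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
89.248.168.188\tgoogle.com www.google.com   # injected
89.248.168.188 blogger.com
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_hjt_o1(log_text):
    """Return (ip, hostname) pairs from 'O1 - Hosts:' lines; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def parse_hosts_file(text):
    """Return (ip, hostname) pairs from raw hosts-file text, one pair per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        entries.extend((ip, n.lower()) for n in names)
    return entries


def is_sinkhole(ip):
    """Loopback and 0.0.0.0 targets are the normal ad-blocking / local-dev pattern."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(entries, watched_labels=("google", "blogger")):
    """Group hostnames by redirect target for entries that send a watched brand
    label (any DNS label of the name) to a routable, non-local address.
    Returns {target_ip: [hostnames...]} preserving input order.
    The default label list is an assumption for this example."""
    by_target = defaultdict(list)
    for ip, host in entries:
        try:
            if is_sinkhole(ip):
                continue
        except ValueError:
            continue  # not a valid IP, so not a working hosts entry either
        if any(label in watched_labels for label in host.split(".")):
            by_target[ip].append(host)
    return dict(by_target)


def summarize(hijacks):
    """One line per redirect target, e.g. '89.248.168.188 <- 3 name(s)'."""
    return [f"{ip} <- {len(hosts)} name(s)" for ip, hosts in hijacks.items()]


if __name__ == "__main__":
    for src, parser in ((SAMPLE_HJT_LOG, parse_hjt_o1),
                        (SAMPLE_HOSTS_FILE, parse_hosts_file)):
        found = find_hijacks(parser(src))
        for line in summarize(found):
            print(line)
        for ip, hosts in found.items():
            print("  ", ip, "->", ", ".join(hosts))
```

Grouping by target address rather than listing entries one by one is the useful view here: dozens of names all resolving to a single non-local address is what distinguishes a hijack from a user's own hosts-file customizations, and the target address is what you would then look for in proxy or firewall logs from the rest of the network.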

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 PM

Posted 25 July 2009 - 05:38 PM

Stubborn! :thumbup2: Try the CFScript again in Safe Mode, please. Those have to go, one way or another.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#14 Shainie27

Shainie27
  • Topic Starter

  • Members
  • 31 posts
  • Local time:06:41 PM

Posted 25 July 2009 - 06:21 PM

You wanted me to create the CFScript and drag it to ComboFix in safe mode, right? I couldn't find ComboFix while in safe mode - the icon wasn't on the desktop.

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 PM

Posted 25 July 2009 - 06:27 PM

See if you can create a shortcut for the desktop from ComboFix.exe... that should be in C:\ComboFix

Don't worry if you can't, but it would be great if you can. :thumbup2: We still have other options.

tea
