Firefox Redirection


This topic is locked
23 replies to this topic

#1 attorneyillinois

Posted 26 August 2009 - 12:48 AM

Like others, I seem to be cursed with some malware that causes Firefox search results to redirect to random pages.

I used MBAM to remove some malware (microsoft antivirus) but the problem persists.

DDS log (both), HJT log and last MBAM log (quick scan) are set forth below.

Many thanks.

DDS (Ver_09-07-30.01) - NTFSx86
Run by TCP at 0:37:05.81 on Wed 08/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.77 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:Program FilesCommon FilesVirtual Tokenvtserver.exe
C:WINDOWSsystem32ibmpmsvc.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesIntelWirelessBinEvtEng.exe
C:Program FilesIntelWirelessBinS24EvMon.exe
svchost.exe
svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesAskBarDisbarbinAskService.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCarboniteCarbonite Backupcarboniteservice.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:Program FilesIBMIBM Rapid Restore Ultrarrpcsb.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesSynapticsSynTPSynTPLpr.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:WINDOWSsystem32TpShocks.exe
C:PROGRA~1ThinkPadPkgMgrHOTKEYTPHKMGR.exe
C:PROGRA~1ThinkPadUTILIT~1EzEjMnAp.Exe
C:WINDOWSsystem32dlatfswctrl.exe
C:Program FilesIBMMessages By IBMibmmessages.exe
C:IBMTOOLSUTILSibmprc.exe
C:Program FilesThinkPadPkgMgrHOTKEYTPONSCR.exe
C:Program FilesThinkPadConnectUtilitiesQCWLICON.EXE
C:Program FilesThinkPadPkgMgrHOTKEY_1TpScrex.exe
C:WINDOWSsystem32rundll32.exe
C:WINDOWSSystem32QCONSVC.EXE
C:Program FilesJavajre6binjusched.exe
C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exe
C:Program FilesYahoo!Search ProtectionSearchProtection.exe
C:Program FilesQuickTimeQTTask.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesCommon FilesResearch In MotionAuto UpdateRIMAutoUpdate.exe
C:Program FilesCarboniteCarbonite BackupCarboniteUI.exe
C:Program FilesIntelWirelessBinRegSrvc.exe
C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnf.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:GarmingStart.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe
C:Program FilesAdobeAcrobat 6.0Distillracrotray.exe
C:Program FilesDigital Line DetectDLG.exe
C:WINDOWSsystem32taskmgr.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:WINDOWSSystem32TPHDEXLG.EXE
C:WINDOWSsystem32TpKmpSVC.exe
C:Program FilesiPodbiniPodService.exe
C:WINDOWSSystem32svchost.exe -k HTTPFilter
C:WINDOWSsystem32wuauclt.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Documents and SettingsTCPDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 6.0acrobatactivexAcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:program filesaskbardisbarbinaskBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg8avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:program filesyahoo!commonyiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:windowssystem32dlatfswshx.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.1.1309.3572swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:program filesaskbardisbarbinaskBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:progra~1yahoo!commonyhexbmesus.dll
uRun: [ibmmessages] c:program filesibmmessages by ibmibmmessages.exe
uRun: [MSMSGS] "c:program filesmessengermsmsgs.exe" /background
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [gStart] c:garmingStart.exe
uRun: [YSearchProtection] c:program filesyahoo!search protectionSearchProtection.exe
uRun: [Search Protection] c:program filesyahoo!search protectionSearchProtection.exe
uRun: [ISUSPM] "c:program filescommon filesinstallshieldupdateserviceISUSPM.exe" -scheduler
mRun: [SynTPLpr] c:program filessynapticssyntpSynTPLpr.exe
mRun: [SynTPEnh] c:program filessynapticssyntpSynTPEnh.exe
mRun: [TPKMAPHELPER] c:program filesthinkpadutilitiesTpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:progra~1thinkpadpkgmgrhotkeyTPHKMGR.exe
mRun: [ControlCenter] "c:program filesibm fingerprint softwarectlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:progra~1thinkpadutilit~1EzEjMnAp.Exe
mRun: [ATIPTA] c:program filesati technologiesati control panelatiptaxx.exe
mRun: [UC_Start] c:program filesibmupdaterucstartup.exe
mRun: [UC_SMB]
mRun: [UpdateManager] "c:program filescommon filessonicupdate managersgtray.exe" /r
mRun: [dla] c:windowssystem32dlatfswctrl.exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:program filesibmmessages by ibmibmmessages.exe
mRun: [IBMPRC] c:ibmtoolsutilsibmprc.exe
mRun: [QCWLICON] c:program filesthinkpadconnectutilitiesQCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:progra~1thinkpadutilit~1PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [SunJavaUpdateSched] "c:program filesjavajre6binjusched.exe"
mRun: [Share-to-Web Namespace Daemon] c:program fileshewlett-packardhp share-to-webhpgs2wnd.exe
mRun: [YSearchProtection] "c:program filesyahoo!search protectionSearchProtection.exe"
mRun: [QuickTime Task] "c:program filesquicktimeQTTask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:program filescommon filesresearch in motionauto updateRIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:program filescommon filesroxio shared9.0sharedcomRoxWatchTray9.exe"
mRun: [Carbonite Backup] c:program filescarbonitecarbonite backupCarboniteUI.exe
mRun: [AVG8_TRAY] c:progra~1avgavg8avgtray.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupacroba~1.lnk - c:program filesadobeacrobat 6.0distillracrotray.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupdigita~1.lnk - c:program filesdigital line detectDLG.exe
IE: &Yahoo! Search - file:///c:program filesyahoo!Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:progra~1micros~2office11EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:program filesyahoo!Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:program filesyahoo!Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:program filesyahoo!Common/ycsms.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:program filesyahoo!commonyiesrvc.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/YahooDownload/AxLoader.cab
DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} - hxxp://64.107.106.116/inc/imgearv1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:program filesavgavg8avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: psfus - c:program filesibm fingerprint softwarepsfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:docume~1tcpapplic~1mozillafirefoxprofiles2q5a9d4b.default
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:program filesavgavg8firefoxcomponentsavgssff.dll
FF - plugin: c:program filesgooglegoogle updater2.4.1536.6592npCIDetect13.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:windowssystem32driversshockprf.sys [2005-7-29 59776]
R0 TPDiskPM;TPDiskPM;c:windowssystem32driversTPDiskPM.sys [2005-7-29 14208]
R1 ANC;ANC;c:windowssystem32driversANC.sys [2005-7-29 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [2009-6-2 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:windowssystem32driversavgmfx86.sys [2009-6-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:windowssystem32driversavgtdix.sys [2009-6-2 108552]
R1 IBMTPCHK;IBMTPCHK;c:windowssystem32driversIBMBLDID.SYS [2005-7-29 2432]
R1 ShockMgr;ShockMgr;c:windowssystem32driversShockMgr.sys [2005-7-29 4608]
R1 TPPWRIF;TPPWRIF;c:windowssystem32driversTPPWRIF.SYS [2005-7-29 4442]
R2 ASKService;ASKService;c:program filesaskbardisbarbinAskService.exe [2008-12-2 464264]
R2 avg8wd;AVG Free8 WatchDog;c:progra~1avgavg8avgwdsvc.exe [2009-6-2 298776]
R2 ibmfilter;ibmfilter;c:windowssystem32driversibmfilter.sys [2004-12-16 63616]
R3 TPInput;TPInput;c:windowssystem32driversTPInput.sys [2005-7-29 6016]
S2 ASKUpgrade;ASKUpgrade;c:program filesaskbardisbarbinASKUpgrade.exe [2008-12-2 234888]
S2 jamptxyvq;jamptxyvq;??c:windowssystem32driversvprujhlp.sys --> c:windowssystem32driversvprujhlp.sys [?]
S3 QCNDISIF;QCNDISIF;c:windowssystem32driversqcndisif.sys [2005-7-29 12288]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:windowssystem32driversucdnt.sys [2004-1-26 728083]

=============== Created Last 30 ================

2009-08-26 00:27 <DIR> --d----- c:program filesTrend Micro
2009-08-25 23:31 411,368 a------- c:windowssystem32deploytk.dll
2009-08-25 23:31 73,728 a------- c:windowssystem32javacpl.cpl
2009-08-25 17:34 <DIR> --d----- C:spoolerlogs

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:windowssystem32driversmbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:windowssystem32driversmbam.sys
2009-07-20 06:55 335,752 a------- c:windowssystem32driversavgldx86.sys
2009-06-25 08:40 11,952 a------- c:windowssystem32avgrsstx.dll
2005-05-12 08:49 3,136 a------- c:docume~1tcpapplic~1mpauth.dat
2005-01-18 11:03 53,008 a------- c:docume~1tcpapplic~1GDIPFONTCACHEV1.DAT
2001-12-22 19:08 262,144 a------- c:documents and settingsall usersNTUSER(1).DAT

============= FINISH: 0:38:55.60 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: DeviceHarddiskVolume1
Install Date: 8/5/2005 10:49:14 AM
System Uptime: 8/26/2009 12:11:56 AM (0 hours ago)

Motherboard: IBM | | 2686DHU
Processor: Intel® Pentium® M processor 1.73GHz | None | 1729/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 52 GiB total, 14.278 GiB free.
D: is CDROM (UDF)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP799: 8/25/2009 5:24:43 PM - System Checkpoint
RP800: 8/25/2009 5:24:45 PM - System Checkpoint
RP801: 8/25/2009 5:24:46 PM - Removed AVG 7.5
RP802: 8/25/2009 5:24:47 PM - Installed AVG 7.5
RP803: 8/25/2009 5:24:48 PM - System Checkpoint
RP804: 8/25/2009 5:24:48 PM - System Checkpoint
RP805: 8/25/2009 5:24:49 PM - Installed AVG Free 8.5
RP806: 8/25/2009 5:24:49 PM - Avg8 Update
RP807: 8/25/2009 5:24:50 PM - Avg8 Update
RP808: 8/25/2009 5:24:50 PM - System Checkpoint
RP809: 8/25/2009 5:24:51 PM - System Checkpoint
RP810: 8/25/2009 5:24:52 PM - System Checkpoint
RP811: 8/25/2009 5:24:52 PM - System Checkpoint
RP812: 8/25/2009 5:24:52 PM - System Checkpoint
RP813: 8/25/2009 5:24:53 PM - System Checkpoint
RP814: 8/25/2009 5:24:53 PM - System Checkpoint
RP815: 8/25/2009 5:24:53 PM - System Checkpoint
RP816: 8/25/2009 5:24:54 PM - System Checkpoint
RP817: 8/25/2009 5:24:54 PM - System Checkpoint
RP818: 8/25/2009 5:24:55 PM - System Checkpoint
RP819: 8/25/2009 5:24:55 PM - System Checkpoint
RP820: 8/25/2009 5:24:56 PM - System Checkpoint
RP821: 8/25/2009 5:24:57 PM - Avg8 Update
RP822: 8/25/2009 5:24:57 PM - Avg8 Update
RP823: 8/25/2009 5:24:57 PM - System Checkpoint
RP824: 8/25/2009 5:24:58 PM - System Checkpoint
RP825: 8/25/2009 5:24:58 PM - System Checkpoint
RP826: 8/25/2009 5:24:59 PM - System Checkpoint
RP827: 8/25/2009 5:24:59 PM - System Checkpoint
RP828: 8/25/2009 5:25:00 PM - System Checkpoint
RP829: 8/25/2009 5:25:00 PM - System Checkpoint
RP830: 8/25/2009 5:25:00 PM - System Checkpoint
RP831: 8/25/2009 5:25:01 PM - System Checkpoint
RP832: 8/25/2009 5:25:01 PM - System Checkpoint
RP833: 8/25/2009 5:25:01 PM - Avg8 Update
RP834: 8/25/2009 5:25:01 PM - Avg8 Update
RP835: 8/25/2009 5:25:02 PM - System Checkpoint
RP836: 8/25/2009 5:25:02 PM - System Checkpoint
RP837: 8/25/2009 5:25:02 PM - System Checkpoint
RP838: 8/25/2009 5:25:03 PM - System Checkpoint
RP839: 8/25/2009 5:25:03 PM - System Checkpoint
RP840: 8/25/2009 5:25:03 PM - System Checkpoint
RP841: 8/25/2009 5:25:03 PM - System Checkpoint
RP842: 8/25/2009 5:25:04 PM - System Checkpoint
RP843: 8/25/2009 5:25:04 PM - System Checkpoint
RP844: 8/25/2009 5:25:04 PM - System Checkpoint
RP845: 8/25/2009 5:25:05 PM - System Checkpoint
RP846: 8/25/2009 5:25:05 PM - System Checkpoint
RP847: 8/25/2009 5:25:05 PM - System Checkpoint
RP848: 8/25/2009 5:25:06 PM - System Checkpoint
RP849: 8/25/2009 5:25:06 PM - System Checkpoint
RP850: 8/25/2009 5:25:06 PM - System Checkpoint
RP851: 8/25/2009 5:25:07 PM - System Checkpoint

==== Installed Programs ======================

Access IBM
Access IBM Message Center
Ad-Aware SE Personal
Adobe Acrobat 6.0 Standard
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe SVG Viewer 3.0
AoA DVD Ripper
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
AudibleManager
AVG 8.5
BlackBerry Desktop Software 4.7
Bonjour
Brentmark Update System
BurnPlugin for Audible
Carbonite
E210
Estate Planning Tools
FastStone Photo Resizer 2.7
Garmin Training Center v4
Google Earth
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Photo and Imaging 1.2 - Scanjet 4570c Series
IBM Access Connections
IBM Active Protection System
IBM DLA
IBM fingerprint software 4.5.3
IBM Integrated 56K Modem
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM SATA Power Management Driver
IBM Themes
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Power Manager
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM ThinkVantage Technologies Welcome Message
IBM TrackPoint Accessibility Features
IBM Update Connector
Intel® PROSet/Wireless Software
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 6
JamCam 3.0 Software
Java™ 6 Update 15
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
mMHouse
MotionBased Agent
Mozilla Firefox (3.0.13)
mPfMgr
mProSafe
MS Works Spreadsheet to XLS Converter
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mXML
Octoshape add-in for Adobe Flash Player
Panda ActiveScan
PC-Doctor for Windows
QuickTime
RealPlayer
Roxio Media Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
ShareIns
Sonic Update Manager
State Death Tax Manager
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB955839)
Vuze
Vuze Toolbar
Wallpapers
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883517
Windows XP Hotfix - KB883523
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884868
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885894
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
WordPerfect Productivity Pack
Xvid 1.1.3 final uninstall
Yahoo! extras
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Search Protection

==== Event Viewer Messages From Past Week ========

8/26/2009 12:08:45 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
8/26/2009 12:08:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/25/2009 9:53:09 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
8/25/2009 9:49:14 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
8/25/2009 9:36:02 PM, error: Service Control Manager [7034] - The AntipyProex service terminated unexpectedly. It has done this 1 time(s).
8/25/2009 8:47:17 PM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft Office Document Image Writer share name Printer.
8/25/2009 5:36:39 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf845a52, parameter3 f8685744, parameter4 00000000.
8/25/2009 11:56:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ANC Aspi32 AvgLdx86 AvgMfx86 AvgTdiX Fips IBMTPCHK intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ShockMgr Smapint Tcpip TDSMAPI TPHKDRV TPPWRIF TSMAPIP
8/25/2009 11:56:24 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 11:56:24 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 11:56:24 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 11:56:24 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 11:56:24 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 11:56:24 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 11:55:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/25/2009 11:55:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/22/2009 8:30:23 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/22/2009 8:30:06 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:03 AM, on 8/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab
O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} (ImageGear ActiveX-12) - http://64.107.106.116/inc/imgearv1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 12607 bytes






Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/25/2009 9:45:06 PM
mbam-log-2009-08-25 (21-45-06).txt

Scan type: Quick Scan
Objects scanned: 105381
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\dbsinit.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Here is the RootRepeal log. I tried GMER but got the BSOD.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 01:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF30D2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89F2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7180000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmelcndorl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmmirpjanj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmrgvxvkow.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmsdmpptox.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmotlbrhtu.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmsdmpptox.dll]
Process: svchost.exe (PID: 1196) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: kbiwkmelcndorl.dll]
Process: Explorer.EXE (PID: 2768) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: kbiwkmelcndorl.dll]
Process: firefox.exe (PID: 1640) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmnqmwfvuo
Image Path: C:\WINDOWS\system32\drivers\kbiwkmotlbrhtu.sys

==EOF==

Merged posts. ~ OB

Edited by Orange Blossom, 04 September 2009 - 12:47 PM.
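The one "Registry Data Items Infected" entry in the MBAM log above is worth understanding on its own: HKCR\exefile\shell\open\command had been changed from the stock `"%1" %*` to `C:\WINDOWS\system32\desot.exe "%1" %*`, so every .exe the user launched was started through desot.exe first. The script below is an added example written for this page, not code from the thread or from Malwarebytes. It parses that log line, decides whether an open\command value is the stock one and, if not, names the interposed program. It goes slightly beyond the log by checking the other executable classes (comfile, batfile, cmdfile, piffile, scrfile) that share the same stock value; the live `winreg` read is the only Windows-only part and is my assumption about the host, everything else runs anywhere.

```python
"""Spot a program interposed in a Windows file-association 'open' command.

Added example for this page; not from the thread or from Malwarebytes.
Input of interest (quoted from the MBAM log above):
  HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand)
  -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*)
"""
import re
import sys
from typing import Optional

# Stock default value of HKCR\<class>\shell\open\command for executable classes.
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Classes sharing that stock value. The log shows only exefile; the others are
# the usual further targets of the same hijack (assumption, not from the log).
EXECUTABLE_CLASSES = ("exefile", "comfile", "batfile", "cmdfile", "piffile", "scrfile")

# One line of the MBAM "Registry Data Items Infected" section.
MBAM_DATA_ITEM = re.compile(
    r"^(?P<key>.+?) \((?P<threat>[^()]+)\) -> Bad: \((?P<bad>.*)\) "
    r"Good: \((?P<good>.*)\) -> (?P<action>.*)$"
)


def leading_program(command: str) -> str:
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def analyze_open_command(value: str) -> dict:
    """Classify an open\\command value.

    'clean' is True only for the stock '"%1" %*' (whitespace-normalized).
    Otherwise 'interposer' is the program that runs instead of, and then
    usually launches, the file the user double-clicked; it is None when the
    value is merely non-standard (e.g. an unquoted %1) rather than hijacked.
    """
    normalized = " ".join(value.split())
    if normalized == EXPECTED_OPEN_COMMAND:
        return {"clean": True, "interposer": None, "value": normalized}
    first = leading_program(normalized)
    interposer = None if first in ("%1", "") else first
    return {"clean": False, "interposer": interposer, "value": normalized}


def parse_mbam_data_item(line: str) -> Optional[dict]:
    """Split an MBAM data-item line into key, threat, bad, good and action."""
    m = MBAM_DATA_ITEM.match(line.strip())
    return m.groupdict() if m else None


def read_live_open_command(class_key: str) -> Optional[str]:
    """Default value of HKCR\\<class_key>\\shell\\open\\command (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"{class_key}\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]


# Constructed sample: the data-item line copied from the MBAM log above.
SAMPLE_LINE = (
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) '
    r'-> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) '
    r'-> Quarantined and deleted successfully.'
)

if __name__ == "__main__":
    item = parse_mbam_data_item(SAMPLE_LINE)
    for label in ("bad", "good"):
        print(label, analyze_open_command(item[label]))
    for cls in EXECUTABLE_CLASSES:  # live check, silently skipped off Windows
        live = read_live_open_command(cls)
        if live is not None:
            print(cls, analyze_open_command(live))
```

Because the check compares against the exact stock value rather than a list of known bad names, it catches the next interposer as well as desot.exe; the trade-off is that a legitimate non-standard value (some shell extensions rewrite this key) shows up as "not clean" with no interposer, which is why the two are reported separately.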



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:21 AM

Posted 09 September 2009 - 08:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 attorneyillinois

attorneyillinois
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 09 September 2009 - 09:00 AM

The problem is as originally posted and has NOT resolved. In the interim, I tried MBAM again as well as a full computer scan via AVG. Both deleted numerous trojans and/or files.

I've posted the DDS log. I've also attached the "attach" DDS log as a zip.

Thanks for the reply.



DDS (Ver_09-07-30.01) - NTFSx86
Run by TCP at 8:47:47.59 on Wed 09/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.100 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\TCP\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gStart] c:\garmin\gStart.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UC_SMB]
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/YahooDownload/AxLoader.cab
DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} - hxxp://64.107.106.116/inc/imgearv1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
STS: ThreadingModel - No File
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tcp\applic~1\mozilla\firefox\profiles\2q5a9d4b.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-7-29 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-7-29 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-7-29 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-2 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-2 108552]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-7-29 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-7-29 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-7-29 4442]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-12-2 464264]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-12-16 63616]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-7-29 6016]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2008-12-2 234888]
S2 jamptxyvq;jamptxyvq;\??\c:\windows\system32\drivers\vprujhlp.sys --> c:\windows\system32\drivers\vprujhlp.sys [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-7-29 12288]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 728083]

=============== Created Last 30 ================

2009-09-08 11:10 0 a------- c:\windows\system32\41.exe
2009-08-26 00:27 <DIR> --d----- c:\program files\Trend Micro
2009-08-25 23:31 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-25 23:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-25 17:34 <DIR> --d----- C:\spoolerlogs

==================== Find3M ====================

2009-08-31 08:08 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-31 08:08 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2005-05-12 08:49 3,136 a------- c:\docume~1\tcp\applic~1\mpauth.dat
2005-01-18 11:03 53,008 a------- c:\docume~1\tcp\applic~1\GDIPFONTCACHEV1.DAT
2001-12-22 19:08 262,144 a------- c:\documents and settings\all users\NTUSER(1).DAT

============= FINISH: 8:50:23.59 ===============


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 10 September 2009 - 07:56 PM

Let's run a RootRepeal scan...

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder (if you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Posted Image tab at the bottom.
  • Now press the Posted Image button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. Posted Image
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 attorneyillinois

attorneyillinois
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 11 September 2009 - 11:40 AM

Thanks for the follow up - here's the RepealScan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/11 11:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF35C1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89F8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xB81AF000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RRUbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRUbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRUbackups\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRUbackups\pu.dat
Status: Invisible to the Windows API!

Path: C:\RRUbackups\SAM
Status: Invisible to the Windows API!

Path: C:\RRUbackups\system
Status: Invisible to the Windows API!

Path: C:\RRUbackups\system.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\TCP
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\TCP\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\TCP\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\TCP\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\Protect\S-1-5-21-550284595-3913849928-2277099852-1006
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\Protect\S-1-5-21-550284595-3913849928-2277099852-1006\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\Protect\S-1-5-21-550284595-3913849928-2277099852-1006\1aaeab24-5a81-47ad-9ea1-b66f6400dd1c
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\TCP\Application Data\Microsoft\Protect\S-1-5-21-550284595-3913849928-2277099852-1006\Preferred
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: kbiwkmnqmwfvuo
Image Path: C:\WINDOWS\system32\drivers\kbiwkmotlbrhtu.sys

==EOF==
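
The two findings the helper acts on in this thread, the `S2 jamptxyvq` service whose driver file is reported missing (`--> ... [?]`) in the DDS log and the `kbiwkmnqmwfvuo` entry under RootRepeal's "Hidden Services", can be pulled out of such logs mechanically. The script below is an added example written for this thread; it is not part of DDS, RootRepeal or BleepingComputer's tooling. The sample lines are copied from the logs posted above, and the regular expressions, the `looks_random` heuristic and the function names are my own assumptions about the log format.

```python
"""Triage of driver/service lines from DDS/ComboFix-style logs and RootRepeal's
"Hidden Services" section.  Added example for this thread; not a BleepingComputer,
DDS or RootRepeal tool.  The sample lines below are copied from the logs posted
above; the heuristics and function names are my own."""
import re
from dataclasses import dataclass, field

# DDS/ComboFix service line: "<start> <name>;<display>;<image path> [<date> <size>]".
# When the image file is missing the tool prints "<path> --> <path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<tail>[^\]]*)\]\s*$"
)
VOWELS = set("aeiou")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic for generated service names such as 'jamptxyvq': all-lowercase
    letters, eight or more of them, and fewer than a quarter vowels.  Legitimate
    names in these logs are mixed case, contain digits, or are pronounceable."""
    if len(name) < 8 or not name.isalpha() or name != name.lower():
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.25


def triage_services(lines):
    """Return Finding objects for service lines worth a second look: the image
    file does not exist on disk, or the name looks machine-generated."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, path, tail = m["name"], m["path"], m["tail"].strip()
        reasons = []
        if tail == "?" or "-->" in path:
            reasons.append("image file missing on disk")
        if looks_random(name):
            reasons.append("random-looking service name")
        if reasons:
            # keep the plain path, without the "\??\... -->" prefix the tool adds
            findings.append(Finding(name, path.split("-->")[-1].strip(), reasons))
    return findings


def hidden_services(rootrepeal_text):
    """Anything RootRepeal lists under 'Hidden Services' is a service the Windows
    API does not report; that is the classic kernel-mode rootkit signature."""
    parts = rootrepeal_text.split("Hidden Services", 1)
    if len(parts) < 2:
        return []
    pairs = re.findall(r"Service Name:\s*(\S+)\s*\n\s*Image Path:\s*(.+)", parts[1])
    return [Finding(n, p.strip(), ["hidden from the Windows API"]) for n, p in pairs]


# Constructed sample: five lines taken from the DDS log in this thread.
SAMPLE_DDS_LINES = [
    r"R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-7-29 59776]",
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-2 335240]",
    r"R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-12-2 464264]",
    r"S2 jamptxyvq;jamptxyvq;\??\c:\windows\system32\drivers\vprujhlp.sys --> c:\windows\system32\drivers\vprujhlp.sys [?]",
    r"S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-7-29 12288]",
]

# Constructed sample: the tail of the RootRepeal report posted above.
SAMPLE_ROOTREPEAL = r"""Hidden Services
-------------------
Service Name: kbiwkmnqmwfvuo
Image Path: C:\WINDOWS\system32\drivers\kbiwkmotlbrhtu.sys

==EOF==
"""

if __name__ == "__main__":
    for f in triage_services(SAMPLE_DDS_LINES) + hidden_services(SAMPLE_ROOTREPEAL):
        print(f"{f.name:16} {f.path}  <- {', '.join(f.reasons)}")
```

The name heuristic is deliberately narrow (lowercase-only, vowel-poor, eight letters or more) so that ThinkPad and AVG drivers with short or mixed-case names do not trip it; a missing image file and a service hidden from the API are the strong signals, the name is only corroboration.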

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 11 September 2009 - 02:58 PM

Hello.

Seems the rootkit is indeed still there. Regarding rootkits...

Posted ImageRootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

If you wish to continue, please follow the instructions below...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy

#7 attorneyillinois

attorneyillinois
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 11 September 2009 - 03:12 PM

It's about time for a new computer anyway. Assuming that I transfer my documents and outlook files to a new computer, what are the chances that the infection will follow to the new computer?

#8 attorneyillinois

attorneyillinois
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 11 September 2009 - 03:14 PM

Also, for future purposes, what do you suggest so that this doesn't happen again. I keep AVG updated but I think that's all I use.

Thanks

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 11 September 2009 - 03:20 PM

Hello.

It's about time for a new computer anyway. Assuming that I transfer my documents and outlook files to a new computer, what are the chances that the infection will follow to the new computer?

Outlook folders should be fine but some Outlook mails may be infected. I cannot know whether or not they are infected, and mails are usually fine; however, in certain cases some of the mail may have been infected. They can't infect you as long as you don't "activate" or run the files/attachments or websites that might be in there from unknown senders.

Regarding backup...

When backing up files and data there are mainly 2 general guidelines:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.

If those rules are followed then the chance of you getting the infection again, meaning it being transferred to your clean computer, is low.

Also, for future purposes, what do you suggest so that this doesn't happen again. I keep AVG updated but I think that's all I use.

Regarding tools/scanners, Malwarebytes Anti-Malware and SUPERAntiSpyware are two good anti-spyware/malware tools in general. You may wish to install those as well. In addition to AVG, you should then be good.

Take a read below as well though...

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

With Regards,
Extremeboy

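
The Autorun advice above says to disable it but leaves the how to the linked articles, and warns that double-clicking a drive can still fire autorun.inf even with Autorun disabled. The script below is an added example written for this thread, not code from the linked articles or from BleepingComputer. The two registry locations it uses, the `NoDriveTypeAutoRun` policy value (one bit per drive type; a set bit disables Autorun for that type) and the `IniFileMapping\Autorun.inf` redirection to a non-existent section, are the ones Microsoft documents in KB967715; the function names, the `XP_DEFAULT` constant and the drive-type labels are my own. It builds the equivalent `.reg` text anywhere and only touches the registry when run from an administrator prompt on Windows.

```python
"""Autorun hardening for Windows XP-era systems.  Added example for this thread,
not the linked articles' code.  The registry locations and the NoDriveTypeAutoRun
bit layout are the ones Microsoft documents (KB967715); helper names are my own."""
try:
    import winreg                      # present only on Windows
except ImportError:                    # elsewhere we can still build and audit the .reg text
    winreg = None

# Bits of HKLM\...\Policies\Explorer\NoDriveTypeAutoRun: a SET bit DISABLES Autorun
# for that drive type.
DRIVE_UNKNOWN = 0x01
DRIVE_NO_ROOT_DIR = 0x02
DRIVE_REMOVABLE = 0x04     # USB sticks, the case the thread warns about
DRIVE_FIXED = 0x08
DRIVE_REMOTE = 0x10
DRIVE_CDROM = 0x20
DRIVE_RAMDISK = 0x40
DRIVE_ALL_UNKNOWN = 0x80
XP_DEFAULT = 0x91          # XP default: removable, fixed and CD-ROM drives still autorun
DISABLE_ALL = 0xFF

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Mapping Autorun.inf to a registry section that does not exist stops Windows from
# reading any autorun.inf at all, which also covers the double-click case.
INI_MAP_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
INI_MAP_VALUE = "@SYS:DoesNotExist"

DRIVE_LABELS = {
    DRIVE_UNKNOWN: "unknown", DRIVE_NO_ROOT_DIR: "no-root", DRIVE_REMOVABLE: "removable",
    DRIVE_FIXED: "fixed", DRIVE_REMOTE: "network", DRIVE_CDROM: "cdrom",
    DRIVE_RAMDISK: "ramdisk", DRIVE_ALL_UNKNOWN: "all-unknown",
}


def autorun_active(policy_value: int, drive_bit: int) -> bool:
    """True when Autorun is still active for the drive type (its bit is clear)."""
    return policy_value & drive_bit == 0


def drives_still_autorunning(policy_value: int) -> list:
    """Audit helper: which drive types a given policy value still leaves exposed."""
    return [label for bit, label in DRIVE_LABELS.items() if autorun_active(policy_value, bit)]


def reg_file_text(policy_value: int = DISABLE_ALL) -> str:
    """Equivalent .reg import (CRLF line endings, as regedit writes them)."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[HKEY_LOCAL_MACHINE\\{POLICY_KEY}]",
        f'"NoDriveTypeAutoRun"=dword:{policy_value:08x}',
        "",
        f"[HKEY_LOCAL_MACHINE\\{INI_MAP_KEY}]",
        f'@="{INI_MAP_VALUE}"',
        "",
    ])


def apply_policy(policy_value: int = DISABLE_ALL) -> None:
    """Write both settings (needs an administrator shell on Windows)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows; use reg_file_text() instead")
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "NoDriveTypeAutoRun", 0, winreg.REG_DWORD, policy_value)
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, INI_MAP_KEY, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, None, 0, winreg.REG_SZ, INI_MAP_VALUE)   # the key's default value


if __name__ == "__main__":
    print("XP default leaves Autorun active on:", drives_still_autorunning(XP_DEFAULT))
    print(reg_file_text())
```

Two things worth knowing when using this on XP: the `NoDriveTypeAutoRun` value is only honoured consistently once the Autorun update described in KB967715 is installed, and the `IniFileMapping` entry is the one that addresses the double-click caveat above, because Explorer never parses the `autorun.inf` in the first place.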

#10 attorneyillinois

attorneyillinois
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 11 September 2009 - 05:07 PM

The first time I ran ComboFix I had a problem - it never generated the log report. Sadly, I lost power as it was waiting to generate. The computer did restart (indicating malware, I believe). I then re-ran ComboFix and it proceeded to the end. The report it generated is set forth below.

Thanks so much for your help.


ComboFix 09-09-11.01 - TCP 09/11/2009 16:47.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.112 [GMT -5:00]
Running from: c:\documents and settings\TCP\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\run.log
c:\windows\system\Winaspi.dll
c:\windows\system\Wowpost.exe
c:\windows\system32\41.exe
c:\windows\system32\open.ico
c:\windows\system32\pwdmon.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmnqmwfvuo
-------\Service_kbiwkmnqmwfvuo


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-08-26 05:27 . 2009-08-26 05:27 -------- d-----w- c:\program files\Trend Micro
2009-08-26 04:56 . 2009-08-26 04:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-26 04:31 . 2009-08-26 04:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-25 22:34 . 2009-08-25 22:34 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 15:30 . 2008-09-13 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-03 22:15 . 2009-03-07 14:08 256 ----a-w- c:\windows\system32\pool.bin
2009-08-31 13:08 . 2009-06-02 13:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-31 13:08 . 2009-06-02 13:49 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-31 13:08 . 2009-06-02 13:49 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 06:17 . 2008-12-02 16:18 -------- d-----w- c:\program files\Vuze
2009-08-26 04:31 . 2005-09-12 19:52 -------- d-----w- c:\program files\Java
2009-08-26 01:54 . 2009-07-09 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 18:36 . 2009-07-09 20:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-07-09 20:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-25 02:25 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"gStart"="c:\garmin\gStart.exe" [2005-07-25 1896448]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 284766]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-12 344064]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-14 36864]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-16 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 135168]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-31 2007832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-26 149280]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2004-10-27 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-12 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-29 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 16:51 108636 ----a-w- c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-31 13:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\TCP\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [7/29/2005 1:49 PM 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [7/29/2005 1:50 PM 14208]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2009 8:49 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2009 8:50 AM 108552]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [7/29/2005 1:49 PM 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [7/29/2005 2:16 PM 4442]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [12/2/2008 11:18 AM 464264]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/2/2009 8:47 AM 297752]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/16/2004 6:12 AM 63616]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [7/29/2005 1:50 PM 6016]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [12/2/2008 11:19 AM 234888]
S2 jamptxyvq;jamptxyvq;\??\c:\windows\system32\drivers\vprujhlp.sys --> c:\windows\system32\drivers\vprujhlp.sys [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [7/29/2005 2:11 PM 12288]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [1/26/2004 9:42 PM 728083]
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-13 14:15]

2009-09-11 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-07-29 08:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} - hxxp://64.107.106.116/inc/imgearv1.cab
FF - ProfilePath - c:\documents and settings\TCP\Application Data\Mozilla\Firefox\Profiles\2q5a9d4b.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-UC_SMB - (no file)
SharedTaskScheduler-ThreadingModel - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 16:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(3944)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
Completion time: 2009-09-11 17:00
ComboFix-quarantined-files.txt 2009-09-11 21:58

Pre-Run: 15,705,956,352 bytes free
Post-Run: 15,673,520,128 bytes free

196 --- E O F --- 2009-01-07 23:49

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 12 September 2009 - 11:06 AM

Hello.

I believe you wish to continue with the disinfection process and do not wish to format? IF you are going to format anyway or don't plan on using the computer, then it may not be necessary to clean this machine; however, if you do wish to clean it, by all means let me know. I didn't quite understand your previous posts and your last post regarding the ComboFix log.

~Extremeboy

#12 attorneyillinois

attorneyillinois
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 12 September 2009 - 11:09 AM

I don't want to reformat the drive at this time. I think I'll stick with just the ComboFix.

As far as my previous post, I ran ComboFix and it deleted several trojans/files. However, I lost the log. So, I ran ComboFix again (this time it didn't delete anything) and that's the log that I posted.

Many thanks - please advise.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 12 September 2009 - 11:24 AM

Hello.

Please do the following...

Download and Run OTM
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    jamptxyvq
    :files
    c:\windows\system32\drivers\vprujhlp.sys 
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large MoveIt! button.
  • If OTM requires a reboot, please allow it to do so.
  • Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
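The OTM script in the post above is a small sectioned text format (":services", ":files", ":commands"). As an added example, not part of the thread or of OldTimer's tool, here is a Python parser that reads such a script into its three sections and then reports, without deleting anything, whether each listed file is present; the names `OTMPlan`, `parse_otm_script` and `dry_run` are assumptions made for this example, and the sample script is constructed from the entries in the post.

```python
import os
from dataclasses import dataclass, field

# Constructed sample in the same shape as the script posted in the thread.
SAMPLE_SCRIPT = """:services
jamptxyvq
:files
c:\\windows\\system32\\drivers\\vprujhlp.sys
:commands
[EmptyTemp]
[Reboot]
"""

@dataclass
class OTMPlan:
    """The three sections of an OTM-style script, in the order they appear."""
    services: list = field(default_factory=list)
    files: list = field(default_factory=list)
    commands: list = field(default_factory=list)

def parse_otm_script(text):
    """Split an OTM-style script into its sections.
    Blank lines and surrounding whitespace are ignored; an unknown section
    header or an entry appearing before any header is rejected."""
    plan = OTMPlan()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            name = line[1:].lower()
            if name not in ("services", "files", "commands"):
                raise ValueError(f"unknown section {line!r}")
            current = getattr(plan, name)
            continue
        if current is None:
            raise ValueError(f"entry {line!r} appears before any section header")
        current.append(line)
    return plan

def dry_run(plan, exists=os.path.exists):
    """Report which listed files are present without touching them.
    `exists` is injectable so the check can be exercised off the target machine."""
    return {path: exists(path) for path in plan.files}
```

Running `dry_run(parse_otm_script(SAMPLE_SCRIPT))` on the affected machine shows whether the driver named in the script is still on disk before any removal step is taken.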

#14 attorneyillinois

attorneyillinois
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:21 PM

Posted 12 September 2009 - 11:28 AM

I will try to do this today - It may, however, have to wait until Monday. Please don't think that I'm ignoring you.

Many thanks and cheers.

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 PM

Posted 12 September 2009 - 11:38 AM

Sure.

I appreciate you letting me know.

Thanks.

~Extremeboy
