Smart Virus Eliminator


  • This topic is locked
19 replies to this topic

#1 jthrash


Posted 01 September 2009 - 08:24 PM

Was infected with the Smart Virus Eliminator. Could not log onto the internet. Went to a restore point several days before. Found your site and followed directions, ran Malware and found virus and eliminated. Performed complete scans on computer. Now when I try to log onto Google or Gmail it tells me the Internet Explorer cannot display webpage. I can log on fine to gmail from other computers. Could not get the Root Repeal file to run.


Any help in figuring out is greatly appreciated.

DDS (Ver_09-07-30.01) - NTFSx86
Run by John at 18:56:14.84 on Tue 09/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.730 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TSSchBkpService.exe
C:\Program Files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwinsdr.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe
C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kyocera\Address Book\AddrBook.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwingqa.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\1VOK7G5V\HijackThis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.boston.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070711
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos1.dll
TB: {4E7BD74F-2B8D-469E-D0EA-FD61A78FAC7D} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /Station
mRun: [Pdfquickview] c:\program files\pfu\scansnap\pdf thumbnail view\pdfquickview.exe
mRun: [QBCD Autorun] E:\autorun.exe restart QB_SEQUENCE first
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
StartupFolder: c:\docume~1\john\startm~1\programs\startup\amicus~1.lnk - c:\amicus\amicus attorney 2008 sfe\AASFECHK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\addres~1.lnk - c:\program files\kyocera\address book\AddrBook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks\components\qbagent\QBDAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera mita\fileutility\NsCatCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yosemi~1.lnk - c:\program files\yosemite\yosemite backup\v8.10-sp3a\win\x86\ytwingqa.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - c:\amicus\amicus attorney 2008 sfe\research\GetTags.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: amicusattorney.com\cf1
Trusted Zone: myfairpoint.net
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activate.myfairpoint.net/sdccommon/download/FairPoint/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238291228062
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - hxxps://www.digitaldocs.cc/GetDocs/cab/svinstall_a_stat.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://140.232.203.251/activex/AxisCamControl.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cf1.amicusattorney.com/cf143/static/weblaunch/weblaunch2.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tlr.webex.com/client/T25L/training/ieatgpc.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-30 64160]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2007-7-21 2304]
R2 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [2007-8-3 705024]
R2 YTBackup;Yosemite Backup;c:\program files\yosemite\yosemite backup\v8.10-sp3a\win\x86\ytwinsdr.exe [2007-7-21 188416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090901.023\NAVENG.SYS [2009-9-1 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090901.023\NAVEX15.SYS [2009-9-1 1323568]
S2 gupdate1c9e2ef852538c0;Google Update Service (gupdate1c9e2ef852538c0);c:\program files\google\update\GoogleUpdate.exe [2009-6-1 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-1-24 1251720]

=============== Created Last 30 ================

2009-08-31 10:40 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-08-31 10:40 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 10:40 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 10:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 10:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-31 10:30 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-31 10:29 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-08-31 09:25 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-31 08:55 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-31 08:55 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-12 18:03 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 18:02 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-11 14:42 505 a------- C:\unPDVDDX.iss
2009-08-11 14:41 <DIR> --d----- C:\MDT
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-09-01 08:28 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 13:00 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-30 08:14 11,504,282 a------- C:\Update60Build50.exe
2009-06-16 10:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 -------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 11:17 718,524 a------- C:\OpenPandora_0.7.0.2.zip
2008-10-10 10:00 60,744 -------- c:\documents and settings\john\g2mdlhlpx.exe
2008-01-24 14:48 557,056 -------- c:\documents and settings\john\GoToAssist_phone__317_en.exe
2007-12-09 08:47 98 ----h--- c:\docume~1\john\applic~1\srfvdo.dat
2007-09-28 12:59 60,968 -------- c:\documents and settings\john\GoToAssistDownloadHelper.exe
2007-09-27 13:39 439,296 -------- c:\documents and settings\john\GoToAssist_phone__320_en.exe
2007-11-19 10:09 8 ---shr-- c:\windows\system32\6FF2D9C343.sys
2008-08-26 09:39 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 18:56:52.87 ===============

Edited by jthrash, 01 September 2009 - 08:26 PM.


#2 sempai

  • Malware Response Team

Posted 17 September 2009 - 08:04 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 jthrash

  • Topic Starter

Posted 17 September 2009 - 08:34 AM

Sempai

Thank you for getting in touch with me. I have gotten rid of part of the problem so that I can go online and access the internet. However, I am still having issues; for example, when I click on a link it will redirect me somewhere else or will not allow me to connect to certain sites such as Gmail. So I have limited internet access. See the information you requested below. I may have difficulty with the zipped attachment as I am not sure how to attach.

What I have done so far is as follows:

Ran Malwarebytes Anti-Malware software to get rid of the initial problem. Then I started to go through the "Read This" topic instructions you folks have created. I made it through steps 1-6 to download the DDS materials. When I got to step 7, the Rootkit download, I was unable to get the rootkit item to download.

Your help and attention is greatly appreciated.

jthrash



DDS (Ver_09-07-30.01) - NTFSx86
Run by John at 9:25:41.54 on Thu 09/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1360 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TSSchBkpService.exe
C:\Program Files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwinsdr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kyocera\Address Book\AddrBook.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwingqa.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\OpenPandora\OpenPandora.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\AMICUS\AMICUS ATTORNEY 2008 SFE\AmicusAttSFE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.boston.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070711
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos1.dll
TB: {4E7BD74F-2B8D-469E-D0EA-FD61A78FAC7D} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /Station
mRun: [Pdfquickview] c:\program files\pfu\scansnap\pdf thumbnail view\pdfquickview.exe
mRun: [QBCD Autorun] E:\autorun.exe restart QB_SEQUENCE first
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\john\startm~1\programs\startup\amicus~1.lnk - c:\amicus\amicus attorney 2008 sfe\AASFECHK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\addres~1.lnk - c:\program files\kyocera\address book\AddrBook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks\components\qbagent\QBDAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera mita\fileutility\NsCatCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yosemi~1.lnk - c:\program files\yosemite\yosemite backup\v8.10-sp3a\win\x86\ytwingqa.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - c:\amicus\amicus attorney 2008 sfe\research\GetTags.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: amicusattorney.com\cf1
Trusted Zone: myfairpoint.net
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activate.myfairpoint.net/sdccommon/download/FairPoint/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238291228062
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - hxxps://www.digitaldocs.cc/GetDocs/cab/svinstall_a_stat.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://140.232.203.251/activex/AxisCamControl.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cf1.amicusattorney.com/cf143/static/weblaunch/weblaunch2.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tlr.webex.com/client/T25L/training/ieatgpc.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-30 64160]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2007-7-21 2304]
R2 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [2007-8-3 705024]
R2 YTBackup;Yosemite Backup;c:\program files\yosemite\yosemite backup\v8.10-sp3a\win\x86\ytwinsdr.exe [2007-7-21 188416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090916.024\NAVENG.SYS [2009-9-16 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090916.024\NAVEX15.SYS [2009-9-16 1323568]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-1-24 1251720]
S2 gupdate1c9e2ef852538c0;Google Update Service (gupdate1c9e2ef852538c0);c:\program files\google\update\GoogleUpdate.exe [2009-6-1 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]

=============== Created Last 30 ================


==================== Find3M ====================

2009-09-15 12:41 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 13:00 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-10 09:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-30 08:14 11,504,282 a------- C:\Update60Build50.exe
2009-06-22 02:44 726,528 -------- c:\windows\system32\dllcache\jscript.dll
2008-10-10 10:00 60,744 -------- c:\documents and settings\john\g2mdlhlpx.exe
2008-01-24 14:48 557,056 -------- c:\documents and settings\john\GoToAssist_phone__317_en.exe
2007-12-09 08:47 98 ----h--- c:\docume~1\john\applic~1\srfvdo.dat
2007-09-28 12:59 60,968 -------- c:\documents and settings\john\GoToAssistDownloadHelper.exe
2007-09-27 13:39 439,296 -------- c:\documents and settings\john\GoToAssist_phone__320_en.exe
2007-11-19 10:09 8 ---shr-- c:\windows\system32\6FF2D9C343.sys
2009-06-12 08:51 245,760 ---sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-08-26 09:39 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 9:26:14.32 ===============



Edited by jthrash, 17 September 2009 - 08:40 AM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 17 September 2009 - 11:57 AM

Hi jthrash,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Disconnect from the Internet and close all running programs.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
  • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.


#5 jthrash

jthrash
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 17 September 2009 - 03:31 PM

Farbar

Thank you for your assistance. Please find the gmer.log pasted below as requested.


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-17 16:28:09
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 8A375D58 ZwAlertResumeThread
SSDT 8A38AD80 ZwAlertThread
SSDT 8A3A2930 ZwAllocateVirtualMemory
SSDT 8A450AF8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA95B4020]
SSDT 8A488B80 ZwCreateMutant
SSDT 8A37F2B8 ZwCreateThread
SSDT 8A266A58 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA95B42A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA95B4800]
SSDT 8A242E28 ZwFreeVirtualMemory
SSDT 8A3D7428 ZwImpersonateAnonymousToken
SSDT 8A391BE8 ZwImpersonateThread
SSDT 8A242D48 ZwMapViewOfSection
SSDT 8A23CD80 ZwOpenEvent
SSDT 8A3EC768 ZwOpenProcessToken
SSDT 8A38F520 ZwOpenSection
SSDT 8A243D58 ZwOpenThreadToken
SSDT 8A3F69B0 ZwResumeThread
SSDT 8A2F2390 ZwSetContextThread
SSDT 8A243E28 ZwSetInformationProcess
SSDT 8A3C24A0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA95B4A50]
SSDT 8A39BD80 ZwSuspendProcess
SSDT 8A3691F8 ZwSuspendThread
SSDT 8A266D80 ZwTerminateProcess
SSDT 8A338750 ZwTerminateThread
SSDT 8A29DD80 ZwUnmapViewOfSection
SSDT 8A2A9C08 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----
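
How a practitioner reads the SSDT section of the GMER log posted above, as an added Python example that is not part of the thread or of GMER: it splits the hooks GMER could attribute to a driver image from the hooks that resolve only to a bare address, and groups hooked functions by owner. The sample lines are copied from the log above; the grouping rule and the "unattributed" label are the example's own.

```python
"""Summarise the SSDT section of a GMER log.

Added example for this thread (not part of GMER or of any post). GMER prints
two kinds of SSDT lines: hooks it can attribute to a driver image
(path, description/vendor, function, [address]) and hooks that resolve
only to a bare address. Grouping them by owner is this example's own
triage step.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Attributed hook: SSDT <driver path> (<description>/<vendor>) <ZwFunc> [0x<addr>]
ATTRIBUTED_RE = re.compile(
    r'^SSDT\s+(?P<path>.+?)\s+\((?P<desc>[^)]*?)/(?P<vendor>[^)]*)\)\s+'
    r'(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$'
)
# Bare hook: SSDT <addr> <ZwFunc>  (no image GMER could map the address to)
BARE_RE = re.compile(r'^SSDT\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>Zw\w+)$')

# Sample lines copied from the log above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 8A375D58 ZwAlertResumeThread
SSDT 8A3A2930 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA95B4020]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA95B42A0]
SSDT 8A2A9C08 ZwWriteVirtualMemory

---- EOF - GMER 1.0.15 ----
"""


class Hook(NamedTuple):
    function: str
    address: int
    module: Optional[str]   # driver path, or None when GMER printed only an address
    vendor: Optional[str]


def parse_ssdt(log_text: str) -> List[Hook]:
    """Collect every SSDT line, attributed or bare, in the order GMER printed it."""
    hooks: List[Hook] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ATTRIBUTED_RE.match(line)
        if m:
            hooks.append(Hook(m["func"], int(m["addr"], 16), m["path"], m["vendor"].strip()))
            continue
        m = BARE_RE.match(line)
        if m:
            hooks.append(Hook(m["func"], int(m["addr"], 16), None, None))
    return hooks


def summarise(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Hooked functions grouped by owning driver; bare-address hooks land under
    'unattributed', the group to look at first (rootkits and behaviour-blocking
    security suites, such as the Norton install seen here, both hook this way)."""
    by_owner: Dict[str, List[str]] = {}
    for hook in hooks:
        by_owner.setdefault(hook.module or "unattributed", []).append(hook.function)
    return by_owner


if __name__ == "__main__":
    for owner, functions in summarise(parse_ssdt(SAMPLE_GMER)).items():
        print(f"{owner}: {', '.join(functions)}")
```

Run it over the full GMER log pasted above and the four SYMEVENT.SYS entries separate cleanly from the long list of bare-address hooks; the latter is the set to match against the protection software actually installed before reading anything into it.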

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 17 September 2009 - 04:12 PM

Thanks for the log.
  • Please go to Add/Remove programs on the control panel and uninstall:

    Boston Red Sox Toolbar

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 jthrash

jthrash
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 17 September 2009 - 05:26 PM

Farbar

As requested, the MBAM log and the ComboFix log.

Thanks again


Malwarebytes' Anti-Malware 1.41
Database version: 2818
Windows 5.1.2600 Service Pack 3

9/17/2009 6:04:11 PM
mbam-log-2009-09-17 (18-04-11).txt

Scan type: Quick Scan
Objects scanned: 115598
Time elapsed: 15 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix 09-09-17.04 - John 09/17/2009 18:16.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1310 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\4069e61.msp
c:\windows\Installer\9f48559.msi
c:\windows\system32\bidisp.dll
c:\windows\system32\setup.ini
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 21:26 . 2009-09-17 21:26 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Boston_Red_Sox
2009-09-16 12:47 . 2009-09-16 12:47 330 ----a-w- C:\ATT00002.dat
2009-08-31 12:55 . 2009-08-31 14:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-31 12:55 . 2009-08-31 14:29 -------- d-----w- c:\program files\Spyware Doctor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 22:12 . 2007-07-21 14:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-17 21:35 . 2008-02-07 18:04 -------- d-----w- c:\program files\Conduit
2009-09-17 21:35 . 2008-02-07 18:04 -------- d-----w- c:\program files\Boston_Red_Sox
2009-09-17 21:35 . 2007-07-21 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-17 21:29 . 2009-08-31 14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 04:00 . 2008-01-29 16:46 -------- d-----w- c:\program files\DynDNS Updater
2009-09-15 16:41 . 2007-08-13 21:24 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-10 18:54 . 2009-08-31 14:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-31 14:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 12:14 . 2008-01-16 01:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 07:01 . 2007-07-11 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-01 19:23 . 2007-09-27 15:33 -------- d-----w- c:\program files\vzsmbtb
2009-09-01 19:22 . 2007-09-27 15:26 -------- d-----w- c:\program files\Verizon
2009-09-01 19:22 . 2009-04-30 20:01 -------- d-----w- c:\program files\Yahoo!
2009-08-31 14:40 . 2009-08-31 14:40 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-08-31 14:40 . 2009-08-31 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 14:29 . 2009-08-31 14:29 -------- d--h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-08-31 14:29 . 2009-08-31 13:25 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-13 07:10 . 2007-07-11 12:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-11 18:42 . 2007-07-11 12:57 -------- d-----w- c:\program files\CyberLink
2009-08-11 18:40 . 2009-08-11 18:39 -------- d-----w- c:\documents and settings\John\Application Data\Roxio
2009-08-11 18:35 . 2009-08-11 18:35 -------- d-----w- c:\documents and settings\John\Application Data\CyberLink
2009-08-11 18:35 . 2009-08-11 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-08-05 09:01 . 2004-08-11 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:13 . 2007-07-11 12:51 -------- d-----w- c:\program files\Java
2009-08-03 22:20 . 2007-10-25 16:28 -------- d-----w- c:\program files\Timeslips2008
2009-07-25 09:23 . 2008-11-23 16:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-11 21:00 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 17:00 . 2007-07-11 12:57 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-03 17:09 . 2004-08-11 21:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 12:14 . 2009-06-30 12:14 11504282 ----a-w- C:\Update60Build50.exe
2007-11-19 14:09 . 2007-11-19 14:09 8 --sh--r- c:\windows\system32\6FF2D9C343.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"PfuSsSct.exe"="c:\program files\PFU\ScanSnap\PfuSsSct.exe" [2003-12-22 110592]
"Pdfquickview"="c:\program files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe" [2003-12-22 32768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2006-07-05 77892]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-13 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-08 128560]

c:\documents and settings\John\Start Menu\Programs\Startup\
Amicus Attorney 2008 SFE.lnk - c:\amicus\AMICUS ATTORNEY 2008 SFE\AASFECHK.EXE [2007-9-28 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Address Book.lnk - c:\program files\Kyocera\Address Book\AddrBook.exe [2007-7-21 73728]
QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe [2007-7-21 118784]
Scanner File Utility.lnk - c:\program files\Kyocera Mita\FileUtility\NsCatCom.exe [2007-7-21 315392]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2007-7-21 819200]
Yosemite Backup Quick Access.lnk - c:\program files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwingqa.exe [2007-7-21 2318336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK
backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK
backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK
backup=c:\windows\pss\Desktop Application Director 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kyocera\\Address Book\\AddrBook.exe"=
"c:\\Program Files\\Yosemite\\Yosemite Backup\\v8.10-sp3a\\win\\x86\\ytwingqa.exe"=
"c:\\Program Files\\Kyocera Mita\\FileUtility\\NsCatCom.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/30/2009 3:35 PM 64160]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 5:25 PM 65536]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 5:50 PM 30312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/25/2007 1:07 AM 149352]
R2 YTBackup;Yosemite Backup;c:\program files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwinsdr.exe [7/21/2007 12:19 PM 188416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 10:04 PM 102448]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/31/2009 10:40 AM 38224]
S2 gupdate1c9e2ef852538c0;Google Update Service (gupdate1c9e2ef852538c0);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2009 3:31 PM 133104]
S2 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [8/3/2007 6:09 PM 705024]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 4:55 PM 23888]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - MBAMSWISSARMY

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 19:36]

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-08-01 c:\windows\Tasks\Backup 070801.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]

2009-09-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-01 19:30]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-01 19:31]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-01 19:31]

2009-09-15 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - John.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2009-09-17 c:\windows\Tasks\User_Feed_Synchronization-{1F6663AA-C0D8-4E31-B3D0-542AEDB2FDCA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.boston.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
IE: {{ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - c:\amicus\AMICUS ATTORNEY 2008 SFE\Research\GetTags.htm
Trusted Zone: amicusattorney.com\cf1
Trusted Zone: myfairpoint.net
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cf1.amicusattorney.com/cf143/static/weblaunch/weblaunch2.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{d40eb577-b16f-411b-81dc-afedf8b60a50} - (no file)
HKLM-Run-QBCD Autorun - E:\autorun.exe
AddRemove-HijackThis - c:\docume~1\John\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis[2].zip\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 18:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-17 18:21
ComboFix-quarantined-files.txt 2009-09-17 22:21

Pre-Run: 118,222,594,048 bytes free
Post-Run: 118,802,407,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

215 --- E O F --- 2009-09-10 07:06
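
The ComboFix "Reg Loading Points" section above prints the Security Center and firewall-policy values verbatim, and the DDS log earlier in the thread lists the DPF and Trusted Zone entries. As an added Python example (not part of the thread, nor of DDS or ComboFix), the following triage script walks such lines once and flags the settings a defender would review: Security Center alerting overridden or its monitoring disabled, the Windows Firewall off for the standard profile, ports opened to all networks, Trusted Zone entries, and several Java 6 installer CLSIDs registered at once. The severity labels and the rules are the example's own reading, not ComboFix's verdicts; the sample is assembled from lines in the logs above.

```python
"""Flag weak security settings in DDS / ComboFix style log lines.

Added example for this thread; it is not part of DDS, ComboFix, GMER or
anything the helper posted. The rules below encode one defender's reading
of those logs and are an assumption, not a verdict on any single line.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, message)

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=data
DWORD_RE = re.compile(r'^dword:([0-9a-fA-F]{1,8})$')
INT_RE = re.compile(r'^(\d+)')                     # ComboFix prints '0 (0x0)'
JAVA_RE = re.compile(r'jinstall-1_6_0_(\d+)-windows', re.IGNORECASE)

# Constructed sample in the shape of the logs above (registry lines from the
# ComboFix section, DPF/Trusted Zone lines from the DDS section).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

Trusted Zone: myfairpoint.net
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
"""


def parse_number(raw: str) -> Optional[int]:
    """Integer from 'dword:00000001' or ComboFix's '0 (0x0)'; None for other data."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = INT_RE.match(raw)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return findings in the order they were seen."""
    findings: List[Finding] = []
    current_key = ""
    java_updates: List[int] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        if line.startswith("Trusted Zone:"):
            # Sites in IE's Trusted zone run with relaxed security settings.
            zone = line.split(":", 1)[1].strip()
            findings.append(("info", f"IE Trusted Zone entry (relaxed browser security): {zone}"))
            continue
        m = JAVA_RE.search(line)
        if line.startswith("DPF:") and m:
            java_updates.append(int(m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), parse_number(m.group(2))
        if current_key.endswith("security center") and name == "FirewallOverride" and value == 1:
            findings.append(("high", "Security Center firewall warnings overridden"))
        elif "security center\\monitoring" in current_key and name == "DisableMonitoring" and value == 1:
            # Third-party suites (the Norton install in this log, for one) set this
            # legitimately; it still deserves a look because malware does too.
            findings.append(("medium", f"Security Center monitoring disabled under {current_key}"))
        elif current_key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
            findings.append(("high", "Windows Firewall disabled (standard profile)"))
        elif current_key.endswith("globallyopenports\\list"):
            findings.append(("medium", f"Inbound port open to all networks: {name}"))
    # Several jinstall-1_6_0_NN.cab entries mean older JRE updates are still
    # registered as downloadable controls alongside the newest one.
    if len(set(java_updates)) > 1:
        newest = max(java_updates)
        stale = ", ".join(str(u) for u in sorted(set(java_updates)) if u != newest)
        findings.append(("medium", f"Stale Java 6 installers still registered (update {stale}); newest seen is update {newest}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:<6}] {message}")
```

The DisableMonitoring rule is deliberately "medium": a third-party suite registering with Security Center sets those values itself, so the finding only says to confirm the suite is the one that did it. The firewall-off and firewall-override findings stay "high" regardless of who set them.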

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 18 September 2009 - 02:20 AM

Well done.
  • Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in code box into it.

    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"="http://windowsupdate.microsoft.com/"
    "Completed"=hex:01,00,00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg was successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Click on the link just to see if you get connected to this site. This is a test to see if you can access the secure SSL sites.
    https://www.opendns.com/start/


#9 jthrash

jthrash
  • Topic Starter

  • Members
  • 10 posts

Posted 18 September 2009 - 12:18 PM

Farbar

I have completed the registry edit and removed all old Java installs and loaded the new install.

I was able to access the web page you provided.

What next?

Thanks

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 September 2009 - 01:09 PM

Great jthrash.

Tell me how the computer is running now.

#11 jthrash

jthrash
  • Topic Starter

  • Members
  • 10 posts

Posted 18 September 2009 - 01:23 PM

Farbar

When I run a google search and click on whatever the first link is I get redirected to a different webpage.

And even one time got directed to a page that says I am infected and to download a tool to remove the infection.

So I don't think I am fixed. Any thoughts on what to do next? Thanks for any advice you might have.

jthrash

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 September 2009 - 01:37 PM

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

#13 jthrash

jthrash
  • Topic Starter

  • Members
  • 10 posts

Posted 18 September 2009 - 01:45 PM

Farbar

As requested:



Windows IP Configuration

Host Name . . . . . . . . . . . . : PC1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : myhome.westell.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : myhome.westell.com
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1A-A0-B4-5A-EC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.45
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
                                    192.168.1.1
Lease Obtained. . . . . . . . . . : Friday, September 18, 2009 12:25:33 PM
Lease Expires . . . . . . . . . . : Saturday, September 19, 2009 12:25:33 PM

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
Name:    google.com
Addresses:  74.125.67.100, 74.125.127.100, 74.125.45.100

Pinging google.com [64.86.17.32] with 32 bytes of data:

Reply from 64.86.17.32: bytes=32 time=64ms TTL=53
Reply from 64.86.17.32: bytes=32 time=63ms TTL=53

Ping statistics for 64.86.17.32:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 63ms, Maximum = 64ms, Average = 63ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a a0 b4 5a ec ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.45      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0     192.168.1.45    192.168.1.45      20
      192.168.1.0    255.255.255.0     192.168.1.45    192.168.1.45      20
     192.168.1.45  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.45    192.168.1.45      20
        224.0.0.0        240.0.0.0     192.168.1.45    192.168.1.45      20
  255.255.255.255  255.255.255.255     192.168.1.45    192.168.1.45       1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 September 2009 - 01:58 PM

I believe we have found it. This will confirm it and we will fix it the next round. But please hang on a while as I'm not available for a few hours and will post the next fix ASAP.

Go to start > Run copy/paste the following line in the run box and click OK.

notepad C:\windows\system32\drivers\etc\hosts

A text file opens. Please post its content to your reply.
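Why the diagnostic log two posts up points at something local rather than at the DNS server, as an added example that is not part of the original thread: nslookup sends its query straight to the configured DNS server and never reads the hosts file, whereas ping resolves the name through the Windows resolver, which consults the hosts file before asking DNS. In the posted output nslookup returns three Google addresses for google.com, yet ping resolves the same name to 64.86.17.32, an address DNS never handed back. The Python below parses that kind of output and flags the disagreement. The sample text is a constructed excerpt modelled on the posted log, and the function names are my own, not anything from the thread.

```python
"""Detect a local name-resolution override from nslookup vs. ping output.

nslookup queries the configured DNS server directly and ignores the hosts
file; ping (like a browser) resolves through the Windows resolver, which
consults the hosts file before DNS.  If the two disagree about the same
name, something on the machine is overriding DNS.  Added example; the
function names and the sample text below are mine, not from the thread.
"""
import re

# Constructed excerpt modelled on the log posted in the thread (not a live capture).
SAMPLE_LOG = """\
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
Name:    google.com
Addresses:  74.125.67.100, 74.125.127.100, 74.125.45.100

Pinging google.com [64.86.17.32] with 32 bytes of data:

Reply from 64.86.17.32: bytes=32 time=64ms TTL=53
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_nslookup(text):
    """Map each queried name to the set of addresses the DNS server returned.

    The 'Server:/Address:' pair describes the resolver, not an answer, so a
    'Server:' line resets the current name and its 'Address:' is skipped.
    """
    answers, name = {}, None
    for line in text.splitlines():
        if re.match(r"\s*Server:", line):
            name = None
            continue
        m = re.match(r"\s*Name:\s+(\S+)", line)
        if m:
            name = m.group(1).lower()
            answers.setdefault(name, set())
            continue
        if name is None:
            continue
        m = re.match(r"\s*Address(?:es)?:\s+(.+)", line)
        if m:
            answers[name].update(a.strip() for a in m.group(1).split(",") if a.strip())
            continue
        m = re.match(rf"\s+({IPV4})\s*$", line)      # wrapped continuation line
        if m:
            answers[name].add(m.group(1))
    return answers


def parse_ping(text):
    """Map each pinged name to the address the system resolver chose for it."""
    return {m.group(1).lower(): m.group(2)
            for m in re.finditer(rf"Pinging (\S+) \[({IPV4})\]", text)}


def check_resolution(log_text):
    """Return one finding per name whose resolver address is not in the DNS answer.

    Each finding is a dict with the name, the address the resolver used, and
    the sorted DNS answers (empty if nslookup produced no answer to compare).
    """
    dns, resolver = parse_nslookup(log_text), parse_ping(log_text)
    findings = []
    for name, addr in resolver.items():
        got = dns.get(name, set())
        if not got:
            findings.append({"name": name, "resolver": addr, "dns": [],
                             "verdict": "no DNS answer to compare against"})
        elif addr not in got:
            findings.append({"name": name, "resolver": addr, "dns": sorted(got),
                             "verdict": "resolver address never returned by DNS"})
    return findings


if __name__ == "__main__":
    for f in check_resolution(SAMPLE_LOG) or [{"verdict": "resolver and DNS agree"}]:
        print(f)
```

One caveat a practitioner should keep in mind: this comparison only catches overrides that sit between the application and the DNS server (the hosts file, resolver hooks). If the DNS Servers entry itself has been changed to an attacker-controlled server, nslookup and ping agree and the check passes, so the "DNS Servers" line of ipconfig /all also has to be compared against what the router or ISP should be handing out.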

#15 jthrash

jthrash
  • Topic Starter

  • Members
  • 10 posts

Posted 18 September 2009 - 02:02 PM

Farbar

Thank you. No rush I understand you have other things to do. Will wait for your reply. All your help is greatly appreciated.


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
64.86.17.32 google.ae
64.86.17.32 google.as
64.86.17.32 google.at
64.86.17.32 google.az
64.86.17.32 google.ba
64.86.17.32 google.be
64.86.17.32 google.bg
64.86.17.32 google.bs
64.86.17.32 google.ca
64.86.17.32 google.cd
64.86.17.32 google.com.gh
64.86.17.32 google.com.hk
64.86.17.32 google.com.jm
64.86.17.32 google.com.mx
64.86.17.32 google.com.my
64.86.17.32 google.com.na
64.86.17.32 google.com.nf
64.86.17.32 google.com.ng
64.86.17.32 google.ch
64.86.17.32 google.com.np
64.86.17.32 google.com.pr
64.86.17.32 google.com.qa
64.86.17.32 google.com.sg
64.86.17.32 google.com.tj
64.86.17.32 google.com.tw
64.86.17.32 google.dj
64.86.17.32 google.de
64.86.17.32 google.dk
64.86.17.32 google.dm
64.86.17.32 google.ee
64.86.17.32 google.fi
64.86.17.32 google.fm
64.86.17.32 google.fr
64.86.17.32 google.ge
64.86.17.32 google.gg
64.86.17.32 google.gm
64.86.17.32 google.gr
64.86.17.32 google.ht
64.86.17.32 google.ie
64.86.17.32 google.im
64.86.17.32 google.in
64.86.17.32 google.it
64.86.17.32 google.ki
64.86.17.32 google.la
64.86.17.32 google.li
64.86.17.32 google.lv
64.86.17.32 google.ma
64.86.17.32 google.ms
64.86.17.32 google.mu
64.86.17.32 google.mw
64.86.17.32 google.nl
64.86.17.32 google.no
64.86.17.32 google.nr
64.86.17.32 google.nu
64.86.17.32 google.pl
64.86.17.32 google.pn
64.86.17.32 google.pt
64.86.17.32 google.ro
64.86.17.32 google.ru
64.86.17.32 google.rw
64.86.17.32 google.sc
64.86.17.32 google.se
64.86.17.32 google.sh
64.86.17.32 google.si
64.86.17.32 google.sm
64.86.17.32 google.sn
64.86.17.32 google.st
64.86.17.32 google.tl
64.86.17.32 google.tm
64.86.17.32 google.tt
64.86.17.32 google.us
64.86.17.32 google.vu
64.86.17.32 google.ws
64.86.17.32 google.co.ck
64.86.17.32 google.co.id
64.86.17.32 google.co.il
64.86.17.32 google.co.in
64.86.17.32 google.co.jp
64.86.17.32 google.co.kr
64.86.17.32 google.co.ls
64.86.17.32 google.co.ma
64.86.17.32 google.co.nz
64.86.17.32 google.co.tz
64.86.17.32 google.co.ug
64.86.17.32 google.co.uk
64.86.17.32 google.co.za
64.86.17.32 google.co.zm
64.86.17.32 google.com
64.86.17.32 google.com.af
64.86.17.32 google.com.ag
64.86.17.32 google.com.ar
64.86.17.32 google.com.au
64.86.17.32 google.com.bn
64.86.17.32 google.com.br
64.86.17.32 google.com.by
64.86.17.32 google.com.bz
64.86.17.32 google.com.cu
64.86.17.32 google.com.ec
64.86.17.32 google.com.fj
64.86.17.32 www.google.ae
64.86.17.32 www.google.as
64.86.17.32 www.google.at
64.86.17.32 www.google.az
64.86.17.32 www.google.ba
64.86.17.32 www.google.be
64.86.17.32 www.google.bg
64.86.17.32 www.google.bs
64.86.17.32 www.google.ca
64.86.17.32 www.google.cd
64.86.17.32 www.google.com.gh
64.86.17.32 www.google.com.hk
64.86.17.32 www.google.com.jm
64.86.17.32 www.google.com.mx
64.86.17.32 www.google.com.my
64.86.17.32 www.google.com.na
64.86.17.32 www.google.com.nf
64.86.17.32 www.google.com.ng
64.86.17.32 www.google.ch
64.86.17.32 www.google.com.np
64.86.17.32 www.google.com.pr
64.86.17.32 www.google.com.qa
64.86.17.32 www.google.com.sg
64.86.17.32 www.google.com.tj
64.86.17.32 www.google.com.tw
64.86.17.32 www.google.dj
64.86.17.32 www.google.de
64.86.17.32 www.google.dk
64.86.17.32 www.google.dm
64.86.17.32 www.google.ee
64.86.17.32 www.google.fi
64.86.17.32 www.google.fm
64.86.17.32 www.google.fr
64.86.17.32 www.google.ge
64.86.17.32 www.google.gg
64.86.17.32 www.google.gm
64.86.17.32 www.google.gr
64.86.17.32 www.google.ht
64.86.17.32 www.google.ie
64.86.17.32 www.google.im
64.86.17.32 www.google.in
64.86.17.32 www.google.it
64.86.17.32 www.google.ki
64.86.17.32 www.google.la
64.86.17.32 www.google.li
64.86.17.32 www.google.lv
64.86.17.32 www.google.ma
64.86.17.32 www.google.ms
64.86.17.32 www.google.mu
64.86.17.32 www.google.mw
64.86.17.32 www.google.nl
64.86.17.32 www.google.no
64.86.17.32 www.google.nr
64.86.17.32 www.google.nu
64.86.17.32 www.google.pl
64.86.17.32 www.google.pn
64.86.17.32 www.google.pt
64.86.17.32 www.google.ro
64.86.17.32 www.google.ru
64.86.17.32 www.google.rw
64.86.17.32 www.google.sc
64.86.17.32 www.google.se
64.86.17.32 www.google.sh
64.86.17.32 www.google.si
64.86.17.32 www.google.sm
64.86.17.32 www.google.sn
64.86.17.32 www.google.st
64.86.17.32 www.google.tl
64.86.17.32 www.google.tm
64.86.17.32 www.google.tt
64.86.17.32 www.google.us
64.86.17.32 www.google.vu
64.86.17.32 www.google.ws
64.86.17.32 www.google.co.ck
64.86.17.32 www.google.co.id
64.86.17.32 www.google.co.il
64.86.17.32 www.google.co.in
64.86.17.32 www.google.co.jp
64.86.17.32 www.google.co.kr
64.86.17.32 www.google.co.ls
64.86.17.32 www.google.co.ma
64.86.17.32 www.google.co.nz
64.86.17.32 www.google.co.tz
64.86.17.32 www.google.co.ug
64.86.17.32 www.google.co.uk
64.86.17.32 www.google.co.za
64.86.17.32 www.google.co.zm
64.86.17.32 www.google.com
64.86.17.32 www.google.com.af
64.86.17.32 www.google.com.ag
64.86.17.32 www.google.com.ar
64.86.17.32 www.google.com.au
64.86.17.32 www.google.com.bn
64.86.17.32 www.google.com.br
64.86.17.32 www.google.com.by
64.86.17.32 www.google.com.bz
64.86.17.32 www.google.com.cu
64.86.17.32 www.google.com.ec
64.86.17.32 www.google.com.fj
64.86.17.32 google.com
64.86.17.32 www.google.com
64.86.17.32 bing.com
64.86.17.32 www.bing.com
64.86.17.32 search.yahoo.com
64.86.17.32 www.search.yahoo.com
64.86.17.32 search.live.com
64.86.17.32 search.msn.com
64.86.17.32 googleads.g.doubleclick.net
64.86.17.32 www.googleads.g.doubleclick.net
64.86.17.32 pubads.g.doubleclick.net
64.86.17.32 www.pubads.g.doubleclick.net
64.86.17.32 partner.googleadservices.com
64.86.17.32 www.partner.googleadservices.com
64.86.17.32 www.partner.googleadservices.com
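An audit of a hosts file like the one above, added here as an example and not taken from the thread. A benign hosts file maps names to loopback (127.0.0.1 or ::1) or to 0.0.0.0 (ad-blocking lists do this); a run of search engines, ad networks and payment sites all pointing at one remote address, as in the file posted, is a search-redirect hijack, which matches the symptom reported earlier of every first Google result leading somewhere else. The sample is a constructed excerpt modelled on the posted file; the function names and the clean-up routine are my own assumptions and not the thread's own fix.

```python
"""Audit a Windows hosts file for redirect entries and produce a cleaned copy.

A benign hosts file maps names to loopback (127.0.0.1 / ::1) or to 0.0.0.0
(ad-blocking lists); a cluster of search engines, ad networks and payment
sites all mapped to one remote address is the signature of a search-redirect
hijack.  Added example; names and sample below are mine, not from the thread.
"""
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the hosts file posted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
74.125.45.100   securitysoftwarepayments.com
64.86.17.32     google.com
64.86.17.32     www.google.com
64.86.17.32     bing.com
64.86.17.32     search.yahoo.com   # trailing comment is ignored
"""


def _sink(ip):
    """True for addresses that only ever block or loop back, never redirect."""
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every live mapping; comments are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if not body:
            continue
        try:
            ip = ipaddress.ip_address(body[0])
        except ValueError:
            continue                      # not an address-first line; ignore
        for host in body[1:]:
            yield n, ip, host.lower()


def audit_hosts(text, min_cluster=3):
    """Group non-sink mappings by target address and flag large clusters.

    Returns {"total": live mappings, "overrides": {ip: [hosts]},
             "clusters": [ips with >= min_cluster hosts]}.
    """
    by_ip, total = defaultdict(list), 0
    for _, ip, host in parse_hosts(text):
        total += 1
        if not _sink(ip):
            by_ip[str(ip)].append(host)
    clusters = sorted(ip for ip, hosts in by_ip.items() if len(hosts) >= min_cluster)
    return {"total": total, "overrides": dict(by_ip), "clusters": clusters}


def clean_hosts(text):
    """Return the file with every non-sink mapping dropped; comments and blanks stay."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if body:
            try:
                if not _sink(ipaddress.ip_address(body[0])):
                    continue              # drop the redirect line
            except ValueError:
                pass                      # keep unparseable lines for a human to read
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip in report["clusters"]:
        print(f"{ip}: {len(report['overrides'][ip])} hosts redirected, e.g. "
              + ", ".join(report["overrides"][ip][:3]))
```

On a live machine the file to read is the one the post above opened, %SystemRoot%\system32\drivers\etc\hosts, and writing it back needs Administrator rights; if the file has been set read-only or hidden, clear those attributes first. Run ipconfig /flushdns afterwards, because the DNS Client service caches hosts-file entries and a stale redirect can survive the edit. The hosts file is a symptom: whatever wrote it has to be removed as well, or the entries come back.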



