Multiple IE Browsers Opening


  • This topic is locked
15 replies to this topic

#1 06Honda

  • Members
  • 9 posts

Posted 02 November 2009 - 05:04 PM

When I double click on my IE icon on my desktop I get 3 IE browser windows opening. If I select tab and hit the home page button on that browser I also get 3 browsers opening.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 16:46:45.10 on Mon 11/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.530 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 091102-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {fffffef0-5b30-21d4-945d-000000000000} - c:\progra~1\stardo~1\SDIEInt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
IE: Download with Star Downloader - c:\program files\star downloader\sdie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: computerhope.com\www
Trusted Zone: featurepics.com\www
Trusted Zone: live.com\login
Trusted Zone: microsoft.com\windowsupdate
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196566958671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197506489312
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://gameadvisor.futuremark.com/global/msc3121.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
TCP: {9EE3030C-F343-4733-AD52-8F9BCD80F3F3} = 199.246.2.4 199.246.2.115
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lfkvydct.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-9 114768]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-8-18 58728]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-8-18 333928]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 74480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-9 20560]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-8-18 955624]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================


==================== Find3M ====================

2009-09-18 20:19:15 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-18 20:19:15 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-18 20:19:14 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-18 20:19:14 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-18 20:19:13 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-18 20:19:13 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 00:37:17 144616 ----a-w- c:\program files\RapportSetup.exe
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-05-28 01:14:17 2452082 ----a-w- c:\program files\StarDownloader1.55.exe
2009-03-31 02:24:12 820 ----a-w- c:\program files\AvastClearerTool.log
2009-02-23 00:03:05 3485988 ----a-w- c:\program files\setupscreenhunterfree.exe
2009-02-15 13:35:47 7456256 ----a-w- c:\program files\irfanview_plugins_422_setup.exe
2009-01-04 00:04:12 3165824 ----a-w- c:\program files\ccleanersetup215jan09.exe
2008-12-21 19:36:43 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-12-20 23:41:46 732795 ----a-w- c:\program files\uploadr_2.5.0.15_en.exe
2008-11-13 02:47:39 15452536 ----a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-11-13 00:42:59 2372472 ----a-w- c:\program files\mbam-setup.exe
2008-11-13 00:05:55 3139687 ----a-w- c:\program files\bhr4[1].5.0.471.exe
2008-11-11 00:49:09 23804784 ----a-w- c:\program files\aaw2008.exe
2008-11-11 00:39:40 812344 ----a-w- c:\program files\HJTInstall.exe
2008-11-10 02:47:29 27462344 ----a-w- c:\program files\setupeng.exe
2008-11-09 03:56:09 512 ----a-w- c:\program files\ScanSectorLog.dat
2008-11-09 00:45:16 403072 ----a-w- c:\program files\AvastClearerTool.exe
2008-11-07 23:53:17 7508608 ----a-w- c:\program files\Firefox_Setup_3.0.3.exe
2008-10-31 21:25:59 1413120 ----a-w- c:\program files\winsockfix.exe
2008-10-30 02:03:26 27494968 ----a-w- c:\program files\Norman_Malware_Cleaner.exe
2008-10-27 00:16:20 1077632 ----a-w- c:\program files\RegCureSetup_1501_RW.exe
2008-10-04 01:51:58 2007053 ----a-w- c:\program files\NoisewareCESetupXP2601.exe
2008-09-20 03:53:08 6637592 ----a-w- c:\program files\SUPERAntiSpyware.exe
2008-04-25 23:37:36 1645749 ----a-w- c:\program files\pdsr1_0.exe
2007-12-14 03:46:32 2724328 ----a-w- c:\program files\ccsetup203.exe
2007-12-04 06:37:38 23405072 ----a-w- c:\program files\AdbeRdr811_en_US.exe
2007-12-03 01:01:13 1156096 ----a-w- c:\program files\iview410_setup.exe
2007-01-06 05:37:00 2055068 ----a-w- c:\program files\Warranty and Customer Support.pdf
2009-05-09 23:16:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050920090510\index.dat

============= FINISH: 16:47:20.32 ===============
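The helpers in this thread read the "Pseudo HJT Report" section of a DDS log by eye. The script below is an added example, not part of the thread and not the DDS tool's own code; it applies a few of the same heuristics mechanically: a BHO with no display name, a toolbar CLSID whose DLL is "No File", a DPF (Downloaded Program Files / ActiveX) entry sourced from a local file:// path, every Trusted Zone addition (those sites get IE's relaxed security settings), and any LSA authentication package beyond the Windows default msv1_0. The sample input is a trimmed excerpt copied from the log posted above. Run against that log it lists the unnamed BHO at {fffffef0-5b30-21d4-945d-000000000000} (SDIEInt.dll, which the "Download with Star Downloader" IE entry and the StarDownloader1.55.exe installer in Find3M suggest is Star Downloader's helper), the orphaned toolbar {A057A204-...}, the two file:// DPF entries, the four Trusted Zone sites, and relog_ap. Each hit means "review this", not "this is malware"; the rule names and the triage() function are this example's own.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log.

Added example (not part of this thread and not the DDS tool's own code).
It applies heuristics a log reader uses by hand; a hit means "review this",
not "this is malware". Sample input is an excerpt copied from the log
posted above.
"""
import re

# Excerpt of the Pseudo HJT Report posted above (constructed, trimmed sample input).
SAMPLE = r"""
uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {fffffef0-5b30-21d4-945d-000000000000} - c:\progra~1\stardo~1\SDIEInt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
Trusted Zone: live.com\login
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
LSA: Authentication Packages = msv1_0 relog_ap
"""

# One pattern per entry type DDS prints in this section.
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
TB_RE = re.compile(r"^TB: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<id>.*?) - (?P<src>\S+)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<host>.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.*)$")

# Windows' default LSA authentication package; anything else is listed for review.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def _finding(rule, line, detail):
    return {"rule": rule, "line": line, "detail": detail}


def triage(report_text):
    """Return findings (rule, original line, detail) worth a second look."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()

        m = BHO_RE.match(line)
        if m:
            # BHOs normally carry a display name; an empty one hides the owner.
            if not m.group("name").strip():
                findings.append(_finding("unnamed-bho", line, m.group("path")))
            continue

        m = TB_RE.match(line)
        if m:
            # A toolbar CLSID whose DLL is gone: leftover of an uninstall or a removal.
            if m.group("path").strip().lower() == "no file":
                findings.append(_finding("orphan-toolbar", line, m.group("clsid")))
            continue

        m = DPF_RE.match(line)
        if m:
            # ActiveX control registered from a local file:// source rather than a site.
            if m.group("src").lower().startswith("file://"):
                findings.append(_finding("dpf-local-file", line, m.group("src")))
            continue

        m = TZ_RE.match(line)
        if m:
            # Trusted Zone sites get IE's relaxed security settings; list every one.
            findings.append(_finding("trusted-zone", line, m.group("host").strip()))
            continue

        m = LSA_RE.match(line)
        if m:
            # Extra authentication packages load into LSASS; list non-default ones.
            for pkg in m.group("pkgs").split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(_finding("lsa-extra-package", line, pkg))
            continue
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['rule']:<18} {f['detail']}")
```

To use it on a full DDS log, paste the Pseudo HJT Report section into SAMPLE or read it from a file and pass the text to triage(); the other sections (Running Processes, Find3M) use different line shapes and are ignored by these patterns.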


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 08 November 2009 - 10:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 06Honda

  • Topic Starter
  • Members
  • 9 posts

Posted 08 November 2009 - 04:33 PM

When I double click the IE icon on my desktop, the browser window opens as normal along with two additional browser windows. If I click "New Tab" with one browser open 2 other browser windows will open. I have made no attempts to resolve this issue since my last post. See new DDS Log as requested:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 16:28:11.21 on Sun 11/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.532 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 091108-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\IEIssueLogs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {fffffef0-5b30-21d4-945d-000000000000} - c:\progra~1\stardo~1\SDIEInt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: Download with Star Downloader - c:\program files\star downloader\sdie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: computerhope.com\www
Trusted Zone: featurepics.com\www
Trusted Zone: live.com\login
Trusted Zone: microsoft.com\windowsupdate
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196566958671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197506489312
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://gameadvisor.futuremark.com/global/msc3121.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
TCP: {9EE3030C-F343-4733-AD52-8F9BCD80F3F3} = 199.246.2.4 199.246.2.115
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lfkvydct.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-9 114768]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-8-18 58728]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-8-18 333928]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 74480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-9 20560]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-8-18 955624]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2009-10-14 02:28:38 0 d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free

==================== Find3M ====================

2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-18 20:19:15 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-18 20:19:15 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-18 20:19:14 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-18 20:19:14 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-18 20:19:13 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-18 20:19:13 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 00:37:17 144616 ----a-w- c:\program files\RapportSetup.exe
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-28 01:14:17 2452082 ----a-w- c:\program files\StarDownloader1.55.exe
2009-03-31 02:24:12 820 ----a-w- c:\program files\AvastClearerTool.log
2009-02-23 00:03:05 3485988 ----a-w- c:\program files\setupscreenhunterfree.exe
2009-02-15 13:35:47 7456256 ----a-w- c:\program files\irfanview_plugins_422_setup.exe
2009-01-04 00:04:12 3165824 ----a-w- c:\program files\ccleanersetup215jan09.exe
2008-12-21 19:36:43 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-12-20 23:41:46 732795 ----a-w- c:\program files\uploadr_2.5.0.15_en.exe
2008-11-13 02:47:39 15452536 ----a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-11-13 00:42:59 2372472 ----a-w- c:\program files\mbam-setup.exe
2008-11-13 00:05:55 3139687 ----a-w- c:\program files\bhr4[1].5.0.471.exe
2008-11-11 00:49:09 23804784 ----a-w- c:\program files\aaw2008.exe
2008-11-11 00:39:40 812344 ----a-w- c:\program files\HJTInstall.exe
2008-11-10 02:47:29 27462344 ----a-w- c:\program files\setupeng.exe
2008-11-09 03:56:09 512 ----a-w- c:\program files\ScanSectorLog.dat
2008-11-09 00:45:16 403072 ----a-w- c:\program files\AvastClearerTool.exe
2008-11-07 23:53:17 7508608 ----a-w- c:\program files\Firefox_Setup_3.0.3.exe
2008-10-31 21:25:59 1413120 ----a-w- c:\program files\winsockfix.exe
2008-10-30 02:03:26 27494968 ----a-w- c:\program files\Norman_Malware_Cleaner.exe
2008-10-27 00:16:20 1077632 ----a-w- c:\program files\RegCureSetup_1501_RW.exe
2008-10-04 01:51:58 2007053 ----a-w- c:\program files\NoisewareCESetupXP2601.exe
2008-09-20 03:53:08 6637592 ----a-w- c:\program files\SUPERAntiSpyware.exe
2008-04-25 23:37:36 1645749 ----a-w- c:\program files\pdsr1_0.exe
2007-12-14 03:46:32 2724328 ----a-w- c:\program files\ccsetup203.exe
2007-12-04 06:37:38 23405072 ----a-w- c:\program files\AdbeRdr811_en_US.exe
2007-12-03 01:01:13 1156096 ----a-w- c:\program files\iview410_setup.exe
2007-01-06 05:37:00 2055068 ----a-w- c:\program files\Warranty and Customer Support.pdf
2009-05-09 23:16:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050920090510\index.dat

============= FINISH: 16:28:46.62 ===============


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 09 November 2009 - 11:38 AM

Hello 06Honda :( Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.


    [screenshot: GMER scan settings]


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 06Honda

  • Topic Starter
  • Members
  • 9 posts

Posted 09 November 2009 - 08:48 PM

Thanks for the e-mail thewall, see attached doc of scan as requested.

Paul


#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 09 November 2009 - 09:45 PM

You're welcome!!

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply. You can just paste it in the reply window instead of making an attachment out of it.

#7 06Honda (Topic Starter, Members, 9 posts)

Posted 09 November 2009 - 10:30 PM

ComboFix 09-11-08.03 - Owner 11/09/2009 22:10.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.534 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 091109-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-03 22:29 . 2009-11-03 22:29 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-14 02:28 . 2009-10-14 02:28 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 22:41 . 2009-03-21 23:56 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-08 22:08 . 2007-12-13 02:12 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-11-03 22:30 . 2007-12-12 22:40 -------- d-----w- c:\program files\Java
2009-11-02 23:48 . 2009-05-28 01:16 -------- d-----w- c:\program files\Star Downloader
2009-10-31 18:57 . 2007-09-28 01:31 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-31 18:56 . 2007-09-28 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-14 23:36 . 2008-09-20 03:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-11 09:17 . 2008-11-28 01:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 18:57 . 2007-12-08 22:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express
2009-10-03 23:40 . 2009-02-14 17:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-28 17:58 . 2009-09-28 17:58 -------- d-----w- c:\documents and settings\Owner\Application Data\PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1
2009-09-18 20:41 . 2007-12-09 14:26 17432 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-18 20:34 . 2009-09-18 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-18 20:28 . 2009-09-18 20:28 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-18 20:26 . 2009-09-18 20:26 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-09-18 20:21 . 2009-09-18 20:21 -------- d-----w- c:\windows\Fonts\Fonts
2009-09-18 20:19 . 2009-09-18 20:19 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-18 20:19 . 2009-09-18 20:19 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-18 20:19 . 2009-09-18 20:19 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-18 20:19 . 2009-09-18 20:19 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-18 20:19 . 2009-09-18 20:19 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-18 20:19 . 2009-09-18 20:19 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-17 23:15 . 2008-11-13 00:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 23:15 . 2008-12-06 21:46 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-11-13 00:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-11-13 00:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 00:37 . 2009-09-02 00:37 144616 ----a-w- c:\program files\RapportSetup.exe
2009-08-29 08:08 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-28 01:14 . 2009-05-28 01:14 2452082 ----a-w- c:\program files\StarDownloader1.55.exe
2009-03-31 02:24 . 2008-11-09 00:45 820 ----a-w- c:\program files\AvastClearerTool.log
2009-02-23 00:03 . 2009-02-23 00:03 3485988 ----a-w- c:\program files\setupscreenhunterfree.exe
2009-02-15 13:35 . 2009-02-15 13:35 7456256 ----a-w- c:\program files\irfanview_plugins_422_setup.exe
2009-01-04 00:04 . 2009-01-04 00:04 3165824 ----a-w- c:\program files\ccleanersetup215jan09.exe
2008-12-21 19:36 . 2008-12-21 19:30 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-12-20 23:41 . 2008-12-20 23:41 732795 ----a-w- c:\program files\uploadr_2.5.0.15_en.exe
2008-11-13 02:47 . 2008-11-13 02:47 15452536 ----a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-11-13 00:42 . 2008-11-13 00:42 2372472 ----a-w- c:\program files\mbam-setup.exe
2008-11-13 00:05 . 2008-11-13 00:05 3139687 ----a-w- c:\program files\bhr4[1].5.0.471.exe
2008-11-11 00:49 . 2008-11-11 00:49 23804784 ----a-w- c:\program files\aaw2008.exe
2008-11-11 00:39 . 2008-11-11 00:39 812344 ----a-w- c:\program files\HJTInstall.exe
2008-11-10 02:47 . 2008-11-10 02:47 27462344 ----a-w- c:\program files\setupeng.exe
2008-11-09 03:56 . 2008-11-09 03:56 512 ----a-w- c:\program files\ScanSectorLog.dat
2008-11-09 00:45 . 2008-11-09 00:45 403072 ----a-w- c:\program files\AvastClearerTool.exe
2008-11-07 23:53 . 2008-11-07 23:53 7508608 ----a-w- c:\program files\Firefox_Setup_3.0.3.exe
2008-10-31 21:25 . 2008-10-31 21:25 1413120 ----a-w- c:\program files\winsockfix.exe
2008-10-30 02:03 . 2008-10-30 02:03 27494968 ----a-w- c:\program files\Norman_Malware_Cleaner.exe
2008-10-27 00:16 . 2008-10-27 00:16 1077632 ----a-w- c:\program files\RegCureSetup_1501_RW.exe
2008-10-04 01:51 . 2008-10-04 01:51 2007053 ----a-w- c:\program files\NoisewareCESetupXP2601.exe
2008-09-20 03:53 . 2008-09-20 03:53 6637592 ----a-w- c:\program files\SUPERAntiSpyware.exe
2008-04-25 23:37 . 2008-04-25 23:37 1645749 ----a-w- c:\program files\pdsr1_0.exe
2007-12-14 03:46 . 2007-12-14 03:46 2724328 ----a-w- c:\program files\ccsetup203.exe
2007-12-04 06:37 . 2007-12-04 06:37 23405072 ----a-w- c:\program files\AdbeRdr811_en_US.exe
2007-12-03 01:01 . 2007-12-03 01:01 1156096 ----a-w- c:\program files\iview410_setup.exe
2007-01-06 05:37 . 2007-08-06 02:03 2055068 ----a-w- c:\program files\Warranty and Customer Support.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-14 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 140568]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"BHR"="c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [2006-10-25 9375744]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-07 17:50 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/9/2008 10:12 PM 114768]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [8/18/2009 8:39 PM 58728]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [8/18/2009 8:39 PM 333928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 1:07 PM 74480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/9/2008 10:12 PM 20560]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [8/18/2009 8:39 PM 955624]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 1:07 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
Trusted Zone: computerhope.com\www
Trusted Zone: featurepics.com\www
Trusted Zone: live.com\login
Trusted Zone: microsoft.com\windowsupdate
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lfkvydct.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 22:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\Trusteer\Rapport\bin\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-10 22:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 03:27

Pre-Run: 72,045,383,680 bytes free
Post-Run: 72,005,263,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=5 Default=5 Failed=3 LastKnownGood=1 Sets=1,3,5,6
- - End Of File - - 50BDEEDDEAF20EAA9707EF49B73A9E9C

#8 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 09 November 2009 - 10:59 PM

Although we have some more to do, you had a rootkit on board, which can cause a lot of issues. For my information, did that stop the multiple windows from opening up?
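As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage helper that pulls out of a ComboFix log the three things thewall reacted to above: the Legacy_TDSSSERV.SYS driver removal under Drivers/Services, the Security Center AntiVirusOverride value, and the disabled firewall in the standard profile. The sample log is a constructed excerpt of the log posted in #7, trimmed to those sections; the section headers and "Name"=data line formats are the ones the posted log uses.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the ComboFix log posted in this thread, trimmed to the
# sections the triage logic reads (a real log has many more lines).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # (((( Section Name ))))
REMOVED_RE = re.compile(r"^-------\\(.+)$")        # entry ComboFix deleted
REGKEY_RE = re.compile(r"^\[(.+)\]$")              # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "Name"=data


@dataclass
class Triage:
    removed: list = field(default_factory=list)     # (section, entry) ComboFix deleted
    autostarts: list = field(default_factory=list)  # (key, name, data) from Run keys
    findings: list = field(default_factory=list)    # red flags worth a second look


def triage_combofix(log_text: str) -> Triage:
    """Walk a ComboFix log once and collect the entries a helper would react to."""
    t = Triage()
    section = key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), ""
            continue
        m = REMOVED_RE.match(line)
        if m:  # "-------\Name" lines list what ComboFix removed on this run
            t.removed.append((section, m.group(1)))
            if m.group(1).lower().startswith("legacy_"):
                # Legacy_* entries are kernel drivers/services; thewall read
                # Legacy_TDSSSERV.SYS in this thread as a rootkit.
                t.findings.append(f"removed driver/service: {m.group(1)}")
            continue
        if section != "Reg Loading Points":
            continue
        m = REGKEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if key.endswith("\\currentversion\\run"):
            t.autostarts.append((key, name, data))
        elif key.endswith("\\security center") and name == "AntiVirusOverride":
            # dword:00000001 tells Security Center to stop alerting about AV state
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                t.findings.append("Security Center AntiVirusOverride is set")
        elif "firewallpolicy\\standardprofile" in key and name == "EnableFirewall":
            if data.split()[0] == "0":  # ComboFix prints "0 (0x0)" for disabled
                t.findings.append("Windows Firewall disabled in the standard profile")
    return t


if __name__ == "__main__":
    result = triage_combofix(SAMPLE_LOG)
    for flag in result.findings:
        print("FLAG:", flag)
```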

#9 06Honda (Topic Starter, Members, 9 posts)

Posted 10 November 2009 - 08:24 PM

Yes it did, all normal for the browser window opening.

#10 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 10 November 2009 - 08:56 PM

That's good!


Although you have an updated version of Java you also have some older versions still on your system that could be a source of exploitation. You need to remove the ones I have listed below:

Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6







Please uninstall the older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double click on Add/Remove Programs
* Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.

When you have finished with the above please do this next:

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#11 06Honda (Topic Starter, Members, 9 posts)

Posted 11 November 2009 - 06:59 PM

I followed all the instructions given with no issues or difficulty. See Kaspersky Online Scan Log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 11, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 11, 2009 17:19:38
Records in database: 3192082
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 51947
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:46:13

No threats found. Scanned area is clean.

Selected area has been scanned.

#12 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 11 November 2009 - 07:08 PM

That's the kind of log we want to see. :( How is the computer running now?

#13 06Honda (Topic Starter, Members, 9 posts)

Posted 11 November 2009 - 07:36 PM

Works fine, no issues at all.

#14 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 11 November 2009 - 08:57 PM

Great, I think we can wrap this up.



Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>
  • The following will implement some very important cleanup procedures as well as reset System Restore points.





Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file.
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :(


thewall

#15 06Honda (Topic Starter, Members, 9 posts)

Posted 12 November 2009 - 08:49 PM

Thanks very much.
